{ "type": "URL", "indicator": "https://magna.palantirfoundry.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://magna.palantirfoundry.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4103388828, "indicator": "https://magna.palantirfoundry.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "6928b35bf7863bb7ba612032", "name": "Palantir \u2022 Candace Owens", "description": "I was tipped. We are buried in tips. Thank You for your tip Dee Monica R. of US of A.\n\nCandace Owens is definitely NOT Pro Palantir so why ar their at least 324 Palantir links in her domain? I know this is dangerous and how much Peter Theil love silencing everyone to death but wants to live to be 120 years old himself unless there an Apocalypse. Notice how he keeps causing one? Equality dangerous is his BlackTock affiliated Husband Matt Danzeisen. A bloody power couple! \n\nAlex Karp Palantir Foundry CEO is reportedly biracial African American. Elon is an African immigrant, Peter Theil is a German immigrant. This is okay? Kill everyone, take everything for money? Need to stop. It\u2019s wrong greedy people who already have too much.", "modified": "2025-11-27T20:23:55.040000", "created": "2025-11-27T20:23:55.040000", "tags": [ "Candace Owens", "Palantir", "Threat", "Active", "Victory in Jesus" ], "references": [ "Palantir poised against Candace Owens?", "https://www.miaminewtimes.com/uncategorized/report-miami-police-probing-death-of-peter-thiels-partner-as-suicide-16623267/", "Don\u2019t trust my link above, please Google it on your own PC", "Legal? Fear, intimidation, credible threats, cyber stalking, cyber warfare, tracking , harassment, a List?", "Candace Owensnis credible in this instance. . Help her, Help Us!", "Had a target dumped roofied and dumped at a doorstep 2 weeks ago. Guess who\u2019s behind it?", "Had a target with half of face blown off. Too afraid to speak anymore.", "Tsara SMH. There is an Active court case?", "Have a target who had a boss rape her , admit but he has an evil attorney who has Palantir access.", "Charlie Kirk said \u2018Have your guns in case the Gov tries to confiscate them?\u201d Dead 1 month later", "I was confronted by a stranger who tipped to me w/back turned. Military. Credible & afraid.", "This is too much and it needs to stop. It can and it will." ], "public": 1, "adversary": "Palantir", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "All Malware", "display_name": "All Malware", "target": null } ], "attack_ids": [], "industries": [ "Government", "Media", "Healthcare", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4, "URL": 177, "hostname": 200 }, "indicator_count": 381, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "143 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6928a811eb762bc06b190c7e", "name": "Frosted -> Candace Owens | The Targeted need the help od Honest people. HELP!", "description": "Candace Owens has become more visible to me because of tips , the targeted community, and research by watching to determine the legitimacy of her incredible claims.They sound outrageously familiar. She is a provocateur. She has evidence based on some of the episodes I\u2019ve been encouraged to review..\n\nI\u2019m ringing the bell.\n\nCandace Owens isn\u2019t a deranged conspiracy theorist. She is an intelligent, intuitive, beautiful African American woman that people are turning there back on. The most likely to be attacked, have your back or be dismissed are women, esp., black woman & other women of color. \n\nCandace Owens is openly not a fan of Palantir agenda, J. S. \u2018Vance\u2019 Hamill , The \u2018Gaza Strip Billionaire getaway\u2019, the murde of Palestinians. \n\nShe\u2019s been critical re: of Palantirs expanding government contracts, surveillance viewing them as potentially nefarious or being too embedded within federal power structures. \n\nThey (Palantir)don\u2019t like it.\n#Palantir #NotLikeUs #BillionaireBoysClub #MassMurders", "modified": "2025-11-27T19:35:45.769000", "created": "2025-11-27T19:35:45.769000", "tags": [ "extraction", "sc type", "data upload", "idro anv", "extr data", "active", "malware attacks", "find encrypted", "pom", "win32", "win64", "trojan", "families", "win32clipbanker", "detections et", "susp", "alfper", "ransom", "capture", "singapore", "china", "united", "france", "sweden", "Candace Owens", "Palantir", "The List", "True" ], "references": [ "https://candaceowens.com/", "http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg", "InstallCore ET Malware | Candace Owens \u2022 https://otx.alienvault.com/pulse/6927ed9849e14dfc59441aba", "Tucker Carlson Pulse : https://otx.alienvault.com/pulse/68c73fbd85dfbb4d41006ad1", "https://ebsc-ibm.palantircloud.com", "Crazy Frost \u2018hacker\u2019 https://otx.alienvault.com/pulse/692897a64c0e255409b5a67e", "Typo God not His of the Bible is Bigger. Faith without works irks dead though", "No one is immune from the wrath of Palantir. Race or gender doesn\u2019t matter.", "If Dylan Klebold & Eric Harris lived they might think up a business like Palantir." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Trojan:Win32/Meterpreter.O", "display_name": "Trojan:Win32/Meterpreter.O", "target": "/malware/Trojan:Win32/Meterpreter.O" }, { "id": "Trojan:Win32/Spiliwan.A", "display_name": "Trojan:Win32/Spiliwan.A", "target": "/malware/Trojan:Win32/Spiliwan.A" }, { "id": "ALF:Trojan:Win32/Cassini_ade36583!ibt", "display_name": "ALF:Trojan:Win32/Cassini_ade36583!ibt", "target": null }, { "id": "Trojandropper:Win32/BcryptInject.B!MSR", "display_name": "Trojandropper:Win32/BcryptInject.B!MSR", "target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR" }, { "id": "Win.Trojan.Autoit-6996111-0", "display_name": "Win.Trojan.Autoit-6996111-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Trojandownloader:Win32/Cutwail.BA", "display_name": "Trojandownloader:Win32/Cutwail.BA", "target": "/malware/Trojandownloader:Win32/Cutwail.BA" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Trojan:Win32/Danabot.G", "display_name": "Trojan:Win32/Danabot.G", "target": "/malware/Trojan:Win32/Danabot.G" }, { "id": "ET Malware", "display_name": "ET Malware", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Media", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 566, "domain": 16, "hostname": 281, "FileHash-SHA256": 245, "FileHash-MD5": 228, "FileHash-SHA1": 223 }, "indicator_count": 1559, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "143 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9a1ef2dd26ec62a3c298c", "name": "Listeners - Malicious Over the top espionage | Cyber Warfare?", "description": "Cyber attacks on targeted devices stored safely, separately, don\u2019t communicate with one another. PalantirFoundry.com shares IP addresses with Fastly. South African IP\u2019s and DGA domains bounce from US Denver , Co based IP and Domain addresses. Registrar Abuse: HTTP/2 404 content type: text/html content length: 2263 date: Wed 22 Oct 2025 22:32:18 GMT server: Envoy\n443 Certificate Subject: US\n443 Certificate Subject: Colorado\n443 Certificate Subject: Denver\n443 Certificate Subject: Palantir Technologies Inc.\n443 Certificate Subject: listeners.usw-19.palantirfoundry.com", "modified": "2025-11-22T00:01:42.464000", "created": "2025-10-23T03:33:03.315000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 180, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9a6f4e35193c04401daaf", "name": "Emotet & VirTool Obsfuscator - Registrar abuse tracking civilians", "description": "", "modified": "2025-11-22T00:01:42.464000", "created": "2025-10-23T03:54:28.671000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": "68f9a1ef2dd26ec62a3c298c", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69069167e1e2a222bd7762f2", "name": "Palantir - Spyware", "description": "", "modified": "2025-11-22T00:01:42.464000", "created": "2025-11-01T23:01:59.339000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": "68f9a1ef2dd26ec62a3c298c", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "privacynotacrime", "id": "349346", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68abf66e97031d0ff0c04fed", "name": "Packed sentient.industries links to a targets business website", "description": "Very malicious link found in a targets business.\nPacked. Needs to be categorized.\n(FoundryPalantir rich?) Tracking, hacking, and serious espionage.\nAvailable public Information: \nSENTIENT INDUSTRIES\nsentient.industries\nSentient industries provides design and engineering services, from prototyping to small-batch manufacturing, empowering clients to overcome complex challenges. |\nMore about sentient\nMission sentient accelerates mission critical technology for\u2026\nSENTIENT INDUSTRIES\nAccelerating mission-critical tech for disaster response, defense ...\nContact Now\nAustin, tx 78758. United States. EMAIL us. info@sentient \n\nWorse than it looks. Spying on a several threat researchers.", "modified": "2025-09-24T04:04:05.604000", "created": "2025-08-25T05:36:46.327000", "tags": [ "moved", "body", "x cache", "cloudfront x", "cph50 c2", "certificate", "record value", "title", "h1 center", "server", "redacted for", "servers", "name redacted", "for privacy", "name servers", "org data", "privacy city", "privacy country", "ca creation", "passive dns", "urls", "files", "ip address", "asn as57033", "less whois", "registrar", "tucows domains", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl ecc", "domain secure", "site ca", "validity", "subject public", "extraction", "data upload", "extra data", "include review", "find", "failed", "typ no", "ms windows", "intel", "pe32", "united", "search", "as16509", "from win32bios", "show", "high", "medium", "delphi", "copy", "write", "launcher", "next", "present aug", "present jul", "lowfi", "win32", "a div", "div div", "learn xml", "babylon", "win64", "trojan", "colors", "python", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "et info", "tls handshake", "bad traffic", "failure", "date", "august", "hybrid", "general", "path", "starfield", "click", "strings", "se bethseda", "n bethseda", "n data", "error", "date checked", "url hostname", "server response", "google safe", "results aug", "read c", "tlsv1", "port", "destination", "module load", "execution", "dock", "persistence", "malware", "unknown", "cname", "aaaa", "creation date", "showing", "domain", "dga domains", "palantirfoundry", "foundry", "status", "unknown ns", "g2 tls", "rsa sha256", "italy unknown", "mtb may", "trojandropper", "invalid url", "next associated", "ddos", "body html", "hacktool", "ipv4", "url analysis", "ukraine", "encrypt", "rl add", "http", "hostname", "files domain", "files related", "related tags", "present jun", "entries", "title error", "all ipv4", "reverse dns", "yara detections", "top source", "top destination", "source source", "sha256 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "canada unknown", "content type", "javascript src", "script script", "x powered", "ipv4 add", "pulse submit", "submit url", "analysis", "url add", "related nids", "files location", "canada flag", "canada hostname", "unknown aaaa", "ascii text", "user agent", "powershell", "agent", "czechia unknown", "domain add", "dynamicloader", "hostname add", "pentagon", "defense" ], "references": [ "sentient.industries affects independent artists. Affects several others.", "Bethseda Map - Yara Detections Delphi , InnoSetupInstaller", "Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions", "Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook", "Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files", "Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware", "Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers", "prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022", "talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com", "Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty", "Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html", "http://link.monetizer101.com/widget/custom-2.0.2/templates/1", "https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget", "widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/", "http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022", "https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js", "https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js", "https://link.monetizer101.com/widget/code/dailystaruk.js", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)", "Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical", "(Can't access file- Malware infection files)", "Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront", "constellation.pcfrpegaservice.net (Pegasus related? idk)", "On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service", "TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]", "I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post", "Remotewd.com devices", "If you find anything interesting please research it." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "nUFS_inno", "display_name": "nUFS_inno", "target": null }, { "id": "#Lowfi:HSTR:MSIL/Malicious", "display_name": "#Lowfi:HSTR:MSIL/Malicious", "target": null }, { "id": "ALF:JASYP:PUA:Win32/Bibado", "display_name": "ALF:JASYP:PUA:Win32/Bibado", "target": null }, { "id": "Trojan:Win32/Toga", "display_name": "Trojan:Win32/Toga", "target": "/malware/Trojan:Win32/Toga" }, { "id": "Win32:Downloader-GJK\\ [Trj]", "display_name": "Win32:Downloader-GJK\\ [Trj]", "target": null }, { "id": "Win.Downloader.109205-1", "display_name": "Win.Downloader.109205-1", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:Downloader-GJK\\ [Trj]", "display_name": "Win32:Downloader-GJK\\ [Trj]", "target": null }, { "id": "Win.Downloader.109205-1", "display_name": "Win.Downloader.109205-1", "target": null }, { "id": "Win.Trojan.Jorik-149", "display_name": "Win.Trojan.Jorik-149", "target": null }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.Jorik-130", "display_name": "Win.Trojan.Jorik-130", "target": null }, { "id": "Win.Trojan.Fakecodecs-119", "display_name": "Win.Trojan.Fakecodecs-119", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Trojan.Bulz-9860169-0", "display_name": "Win.Trojan.Bulz-9860169-0", "target": null }, { "id": "Win.Malware.Midie-6847892-0", "display_name": "Win.Malware.Midie-6847892-0", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win.Packed.Razy-9785185-0", "display_name": "Win.Packed.Razy-9785185-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "PWS", "display_name": "PWS", "target": null }, { "id": "DDOS:Win32/Stormser.A", "display_name": "DDOS:Win32/Stormser.A", "target": "/malware/DDOS:Win32/Stormser.A" }, { "id": "ALF:HSTR:DotNET", "display_name": "ALF:HSTR:DotNET", "target": null }, { "id": "DotNET", "display_name": "DotNET", "target": null }, { "id": "Script Exploit", "display_name": "Script Exploit", "target": null }, { "id": "HackTool:Win32/AutoKMS", "display_name": "HackTool:Win32/AutoKMS", "target": "/malware/HackTool:Win32/AutoKMS" }, { "id": "Xanfpezes.A", "display_name": "Xanfpezes.A", "target": null }, { "id": "Trojan:Win32/Gandcrab", "display_name": "Trojan:Win32/Gandcrab", "target": "/malware/Trojan:Win32/Gandcrab" }, { "id": "Win.Trojan.Generic-9862772-0", "display_name": "Win.Trojan.Generic-9862772-0", "target": null }, { "id": "Trojan:Win32/Zbot.SIBL!MTB", "display_name": "Trojan:Win32/Zbot.SIBL!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBL!MTB" }, { "id": "Win32/Nemucod", "display_name": "Win32/Nemucod", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn", "target": null }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "Win.Malware.Kolab-9885903-0", "display_name": "Win.Malware.Kolab-9885903-0", "target": null }, { "id": "Win.Malware (30)", "display_name": "Win.Malware (30)", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "#Lowfi:HSTR:MSIL/Malicious.Decryption", "display_name": "#Lowfi:HSTR:MSIL/Malicious.Decryption", "target": null }, { "id": "E5", "display_name": "E5", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6232, "URL": 24908, "hostname": 7993, "FileHash-SHA256": 11128, "email": 6, "FileHash-MD5": 1054, "FileHash-SHA1": 932, "SSLCertFingerprint": 14, "CIDR": 3, "CVE": 3 }, "indicator_count": 52273, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "207 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ac00ee047dfb2f6ae181d6", "name": "PalantirFoundry.com links found in sentient.industries linked with targets business dom", "description": "Status: https://www.palantir.com/blocked/ |\t\t\nmailto:cirt@palantir.com | \nC=US L=Palo Alto CN=*.palantirfoundry.com O=Palantir Technologies Inc. ST=California\n\nAI Overview-\nImplementing an Operational Data Mesh with Palantir Foundry ...\nPalantir Foundry is a comprehensive software platform that serves as a central, operational layer for data integration, analytics, machine learning, and decision-making within organizations. It provides a unified environment to connect disparate data sources, create a shared data model (an Ontology), and develop custom applications and workflows for complex operational decision-making across diverse sectors like finance, healthcare, and supply chain management.\n \n..far less innocent.\n\nAttacks, targeting, espionage against citizens not necessarily suspected of a crime. If not a spoof is a Top\ntier quasi government contractor with a product to sell. Can deploy highly technical tasks. Targeting isn\u2019t appropriate \u2018investigating\u2019.\n#stealth #relentless #silencing #obnoxious", "modified": "2025-08-25T06:21:34.337000", "created": "2025-08-25T06:21:34.337000", "tags": [ "active related", "pulses hostname", "related pulses", "information", "t1047", "instrumentation", "t1060", "run keys", "startup", "folder", "t1119", "capture", "domain", "germany", "united", "netherlands", "france", "palantirfoundry", "palantir", "active" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 510, "domain": 4, "hostname": 486 }, "indicator_count": 1000, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "237 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688398926252d91f97c75b05", "name": "Registrar Abuse \u2022 Typosquatting \u2022 Masquerading -suspected with PalantirFoundry.com links", "description": "Registrar Abuse \u2022 Typosquatting \u2022 Masquerading - possible? re:PalantirFoundry.com links registered by \u2018Palantir Technologies Inc.\u2019 I\u2019ve included 200 + palantirfoundry.com links.\nThe product is sold, I don\u2019t know if product can be rebranded, private labeled. Finding requires much more research. I have no option but to suspect any link palantirfoundry.com may be registrar abuse and masquerading as seen before. Most of the connections are have changed or moved. The damage these links do is as stated in previous pulses, dangerous, spyware with nothing changed the amount of damage, danger or the maliciousness of threat actor. Everything malicious result found re: recently pulsed palantirfoundry.com are accurate. ||\n(https://edenglobalpartners.palantirfoundry.com/multipass/login/all?redirect-uri=%2Fworkspace)\nredirects to Palantir branded website [https://hybrid-analysis.com/sample/e844b801e1c217720ff8c81b2ba47f6e14796f635d2dc430fd8813354310cf34/688391055d0c6d5b770f18d8]", "modified": "2025-08-24T14:04:57.110000", "created": "2025-07-25T14:45:38.136000", "tags": [ "url https", "url http", "gather victim", "run keys", "startup", "folder", "t1057", "discovery", "t1071", "protocol", "united", "sweden", "germany", "search", "type indicator", "role title", "added active", "related pulses", "extraction", "data upload", "failed", "extr data", "include review", "exclude", "sugges data", "uniy incuue", "mitre att", "present jul", "status", "date", "united kingdom", "unknown a", "moved", "certificate", "ip address", "body", "passive dns", "urls", "creation date", "emails", "files", "domain", "files ip", "address", "location united", "asn as16509", "entries", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "read c", "medium", "flashpix", "show", "showing", "delete", "yara detections", "icmp traffic", "registry", "python", "write", "persistence", "execution", "copy", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "development att", "show process", "prefetch8", "show technique", "ck matrix", "localappdata", "process", "pattern match", "general", "hybrid", "path", "click", "strings" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 750, "domain": 67, "hostname": 631, "FileHash-MD5": 25, "FileHash-SHA1": 9, "email": 4, "FileHash-SHA256": 219, "SSLCertFingerprint": 2 }, "indicator_count": 1707, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty", "https://www.miaminewtimes.com/uncategorized/report-miami-police-probing-death-of-peter-thiels-partner-as-suicide-16623267/", "prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022", "This is too much and it needs to stop. It can and it will.", "Candace Owensnis credible in this instance. . Help her, Help Us!", "https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget", "Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook", "https://ebsc-ibm.palantircloud.com", "Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical", "Crazy Frost \u2018hacker\u2019 https://otx.alienvault.com/pulse/692897a64c0e255409b5a67e", "talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com", "I was confronted by a stranger who tipped to me w/back turned. Military. Credible & afraid.", "widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/", "http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022", "https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js", "On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service", "TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]", "Don\u2019t trust my link above, please Google it on your own PC", "If you find anything interesting please research it.", "Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions", "(Can't access file- Malware infection files)", "https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js", "Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html", "Remotewd.com devices", "Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware", "Legal? Fear, intimidation, credible threats, cyber stalking, cyber warfare, tracking , harassment, a List?", "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy.", "Had a target dumped roofied and dumped at a doorstep 2 weeks ago. Guess who\u2019s behind it?", "InstallCore ET Malware | Candace Owens \u2022 https://otx.alienvault.com/pulse/6927ed9849e14dfc59441aba", "https://link.monetizer101.com/widget/code/dailystaruk.js", "If Dylan Klebold & Eric Harris lived they might think up a business like Palantir.", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers", "http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg", "Palantir poised against Candace Owens?", "Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront", "sentient.industries affects independent artists. Affects several others.", "http://link.monetizer101.com/widget/custom-2.0.2/templates/1", "No one is immune from the wrath of Palantir. Race or gender doesn\u2019t matter.", "Typo God not His of the Bible is Bigger. Faith without works irks dead though", "Charlie Kirk said \u2018Have your guns in case the Gov tries to confiscate them?\u201d Dead 1 month later", "Have a target who had a boss rape her , admit but he has an evil attorney who has Palantir access.", "Bethseda Map - Yara Detections Delphi , InnoSetupInstaller", "Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p", "Had a target with half of face blown off. Too afraid to speak anymore.", "I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post", "constellation.pcfrpegaservice.net (Pegasus related? idk)", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "Tucker Carlson Pulse : https://otx.alienvault.com/pulse/68c73fbd85dfbb4d41006ad1", "Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files", "https://candaceowens.com/", "Tsara SMH. There is an Active court case?" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Palantir", "Quickstart" ], "malware_families": [ "Win.malware (30)", "Trojandropper:win32/muldrop", "Trojandropper:win32/bcryptinject.b!msr", "Alf:heraklezeval:trojan:win32/clipbanker", "Ddos:win32/stormser.a", "Script exploit", "Trojan:win32/danabot.g", "Win.trojan.bulz-9860169-0", "Alf:hstr:dotnet", "Win32:downloader-gjk\\ [trj]", "Xanfpezes.a", "Dotnet", "Trojan:win32/dorv.a", "Pws", "#lowfidetectsvmware", "#lowfi:hstr:msil/malicious.decryption", "Trojan:win32/meterpreter.o", "Trojandownloader:win32/cutwail.ba", "#lowfi:hstr:msil/malicious", "Trojan:win32/zombie.a", "Hacktool:win32/autokms", "Win.trojan.generic-9862772-0", "Nufs_inno", "Alf:heraklezeval:trojandownloader:html/adodb!rfn", "Win.malware.kolab-9885903-0", "All malware", "Alf:jasyp:pua:win32/bibado", "Win.trojan.jorik-130", "Trojandropper:win32/muldrop.v!mtb", "Multiple malware attack", "Win.trojan.jorik-149", "Alf:heraklezeval:trojan:win32/ymacco.aa47", "Mydoom", "Win.malware.midie-6847892-0", "#lowfienabledtcontinueafterunpacking", "Win.trojan.autoit-6996111-0", "Alf:heraklezeval:trojan:msil/gravityrat!rfn", "Trojan:win32/glupteba.mt!mtb", "Trojan:win32/zbot.sibl!mtb", "Trojan:win32/blihan.a", "Alf:trojan:win32/cassini_ade36583!ibt", "Trojan:win32/toga", "Ransom", "Custom malware", "Win.trojan.fakecodecs-119", "Trojan:win32/spiliwan.a", "E5", "Trojan:win32/gandcrab", "Win.downloader.109205-1", "Win.packed.razy-9785185-0", "Win32/nemucod", "Et malware" ], "industries": [ "Technology", "Government", "Healthcare", "Media", "Civil society" ], "unique_indicators": 66540 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/palantirfoundry.com", "whois": "http://whois.domaintools.com/palantirfoundry.com", "domain": "palantirfoundry.com", "hostname": "magna.palantirfoundry.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "6928b35bf7863bb7ba612032", "name": "Palantir \u2022 Candace Owens", "description": "I was tipped. We are buried in tips. Thank You for your tip Dee Monica R. of US of A.\n\nCandace Owens is definitely NOT Pro Palantir so why ar their at least 324 Palantir links in her domain? I know this is dangerous and how much Peter Theil love silencing everyone to death but wants to live to be 120 years old himself unless there an Apocalypse. Notice how he keeps causing one? Equality dangerous is his BlackTock affiliated Husband Matt Danzeisen. A bloody power couple! \n\nAlex Karp Palantir Foundry CEO is reportedly biracial African American. Elon is an African immigrant, Peter Theil is a German immigrant. This is okay? Kill everyone, take everything for money? Need to stop. It\u2019s wrong greedy people who already have too much.", "modified": "2025-11-27T20:23:55.040000", "created": "2025-11-27T20:23:55.040000", "tags": [ "Candace Owens", "Palantir", "Threat", "Active", "Victory in Jesus" ], "references": [ "Palantir poised against Candace Owens?", "https://www.miaminewtimes.com/uncategorized/report-miami-police-probing-death-of-peter-thiels-partner-as-suicide-16623267/", "Don\u2019t trust my link above, please Google it on your own PC", "Legal? Fear, intimidation, credible threats, cyber stalking, cyber warfare, tracking , harassment, a List?", "Candace Owensnis credible in this instance. . Help her, Help Us!", "Had a target dumped roofied and dumped at a doorstep 2 weeks ago. Guess who\u2019s behind it?", "Had a target with half of face blown off. Too afraid to speak anymore.", "Tsara SMH. There is an Active court case?", "Have a target who had a boss rape her , admit but he has an evil attorney who has Palantir access.", "Charlie Kirk said \u2018Have your guns in case the Gov tries to confiscate them?\u201d Dead 1 month later", "I was confronted by a stranger who tipped to me w/back turned. Military. Credible & afraid.", "This is too much and it needs to stop. It can and it will." ], "public": 1, "adversary": "Palantir", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "All Malware", "display_name": "All Malware", "target": null } ], "attack_ids": [], "industries": [ "Government", "Media", "Healthcare", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4, "URL": 177, "hostname": 200 }, "indicator_count": 381, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "143 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6928a811eb762bc06b190c7e", "name": "Frosted -> Candace Owens | The Targeted need the help od Honest people. HELP!", "description": "Candace Owens has become more visible to me because of tips , the targeted community, and research by watching to determine the legitimacy of her incredible claims.They sound outrageously familiar. She is a provocateur. She has evidence based on some of the episodes I\u2019ve been encouraged to review..\n\nI\u2019m ringing the bell.\n\nCandace Owens isn\u2019t a deranged conspiracy theorist. She is an intelligent, intuitive, beautiful African American woman that people are turning there back on. The most likely to be attacked, have your back or be dismissed are women, esp., black woman & other women of color. \n\nCandace Owens is openly not a fan of Palantir agenda, J. S. \u2018Vance\u2019 Hamill , The \u2018Gaza Strip Billionaire getaway\u2019, the murde of Palestinians. \n\nShe\u2019s been critical re: of Palantirs expanding government contracts, surveillance viewing them as potentially nefarious or being too embedded within federal power structures. \n\nThey (Palantir)don\u2019t like it.\n#Palantir #NotLikeUs #BillionaireBoysClub #MassMurders", "modified": "2025-11-27T19:35:45.769000", "created": "2025-11-27T19:35:45.769000", "tags": [ "extraction", "sc type", "data upload", "idro anv", "extr data", "active", "malware attacks", "find encrypted", "pom", "win32", "win64", "trojan", "families", "win32clipbanker", "detections et", "susp", "alfper", "ransom", "capture", "singapore", "china", "united", "france", "sweden", "Candace Owens", "Palantir", "The List", "True" ], "references": [ "https://candaceowens.com/", "http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg", "InstallCore ET Malware | Candace Owens \u2022 https://otx.alienvault.com/pulse/6927ed9849e14dfc59441aba", "Tucker Carlson Pulse : https://otx.alienvault.com/pulse/68c73fbd85dfbb4d41006ad1", "https://ebsc-ibm.palantircloud.com", "Crazy Frost \u2018hacker\u2019 https://otx.alienvault.com/pulse/692897a64c0e255409b5a67e", "Typo God not His of the Bible is Bigger. Faith without works irks dead though", "No one is immune from the wrath of Palantir. Race or gender doesn\u2019t matter.", "If Dylan Klebold & Eric Harris lived they might think up a business like Palantir." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Trojan:Win32/Meterpreter.O", "display_name": "Trojan:Win32/Meterpreter.O", "target": "/malware/Trojan:Win32/Meterpreter.O" }, { "id": "Trojan:Win32/Spiliwan.A", "display_name": "Trojan:Win32/Spiliwan.A", "target": "/malware/Trojan:Win32/Spiliwan.A" }, { "id": "ALF:Trojan:Win32/Cassini_ade36583!ibt", "display_name": "ALF:Trojan:Win32/Cassini_ade36583!ibt", "target": null }, { "id": "Trojandropper:Win32/BcryptInject.B!MSR", "display_name": "Trojandropper:Win32/BcryptInject.B!MSR", "target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR" }, { "id": "Win.Trojan.Autoit-6996111-0", "display_name": "Win.Trojan.Autoit-6996111-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Trojandownloader:Win32/Cutwail.BA", "display_name": "Trojandownloader:Win32/Cutwail.BA", "target": "/malware/Trojandownloader:Win32/Cutwail.BA" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Trojan:Win32/Danabot.G", "display_name": "Trojan:Win32/Danabot.G", "target": "/malware/Trojan:Win32/Danabot.G" }, { "id": "ET Malware", "display_name": "ET Malware", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Media", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 566, "domain": 16, "hostname": 281, "FileHash-SHA256": 245, "FileHash-MD5": 228, "FileHash-SHA1": 223 }, "indicator_count": 1559, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "143 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9a1ef2dd26ec62a3c298c", "name": "Listeners - Malicious Over the top espionage | Cyber Warfare?", "description": "Cyber attacks on targeted devices stored safely, separately, don\u2019t communicate with one another. PalantirFoundry.com shares IP addresses with Fastly. South African IP\u2019s and DGA domains bounce from US Denver , Co based IP and Domain addresses. Registrar Abuse: HTTP/2 404 content type: text/html content length: 2263 date: Wed 22 Oct 2025 22:32:18 GMT server: Envoy\n443 Certificate Subject: US\n443 Certificate Subject: Colorado\n443 Certificate Subject: Denver\n443 Certificate Subject: Palantir Technologies Inc.\n443 Certificate Subject: listeners.usw-19.palantirfoundry.com", "modified": "2025-11-22T00:01:42.464000", "created": "2025-10-23T03:33:03.315000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 180, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9a6f4e35193c04401daaf", "name": "Emotet & VirTool Obsfuscator - Registrar abuse tracking civilians", "description": "", "modified": "2025-11-22T00:01:42.464000", "created": "2025-10-23T03:54:28.671000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": "68f9a1ef2dd26ec62a3c298c", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69069167e1e2a222bd7762f2", "name": "Palantir - Spyware", "description": "", "modified": "2025-11-22T00:01:42.464000", "created": "2025-11-01T23:01:59.339000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": "68f9a1ef2dd26ec62a3c298c", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "privacynotacrime", "id": "349346", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68abf66e97031d0ff0c04fed", "name": "Packed sentient.industries links to a targets business website", "description": "Very malicious link found in a targets business.\nPacked. Needs to be categorized.\n(FoundryPalantir rich?) Tracking, hacking, and serious espionage.\nAvailable public Information: \nSENTIENT INDUSTRIES\nsentient.industries\nSentient industries provides design and engineering services, from prototyping to small-batch manufacturing, empowering clients to overcome complex challenges. |\nMore about sentient\nMission sentient accelerates mission critical technology for\u2026\nSENTIENT INDUSTRIES\nAccelerating mission-critical tech for disaster response, defense ...\nContact Now\nAustin, tx 78758. United States. EMAIL us. info@sentient \n\nWorse than it looks. Spying on a several threat researchers.", "modified": "2025-09-24T04:04:05.604000", "created": "2025-08-25T05:36:46.327000", "tags": [ "moved", "body", "x cache", "cloudfront x", "cph50 c2", "certificate", "record value", "title", "h1 center", "server", "redacted for", "servers", "name redacted", "for privacy", "name servers", "org data", "privacy city", "privacy country", "ca creation", "passive dns", "urls", "files", "ip address", "asn as57033", "less whois", "registrar", "tucows domains", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl ecc", "domain secure", "site ca", "validity", "subject public", "extraction", "data upload", "extra data", "include review", "find", "failed", "typ no", "ms windows", "intel", "pe32", "united", "search", "as16509", "from win32bios", "show", "high", "medium", "delphi", "copy", "write", "launcher", "next", "present aug", "present jul", "lowfi", "win32", "a div", "div div", "learn xml", "babylon", "win64", "trojan", "colors", "python", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "et info", "tls handshake", "bad traffic", "failure", "date", "august", "hybrid", "general", "path", "starfield", "click", "strings", "se bethseda", "n bethseda", "n data", "error", "date checked", "url hostname", "server response", "google safe", "results aug", "read c", "tlsv1", "port", "destination", "module load", "execution", "dock", "persistence", "malware", "unknown", "cname", "aaaa", "creation date", "showing", "domain", "dga domains", "palantirfoundry", "foundry", "status", "unknown ns", "g2 tls", "rsa sha256", "italy unknown", "mtb may", "trojandropper", "invalid url", "next associated", "ddos", "body html", "hacktool", "ipv4", "url analysis", "ukraine", "encrypt", "rl add", "http", "hostname", "files domain", "files related", "related tags", "present jun", "entries", "title error", "all ipv4", "reverse dns", "yara detections", "top source", "top destination", "source source", "sha256 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "canada unknown", "content type", "javascript src", "script script", "x powered", "ipv4 add", "pulse submit", "submit url", "analysis", "url add", "related nids", "files location", "canada flag", "canada hostname", "unknown aaaa", "ascii text", "user agent", "powershell", "agent", "czechia unknown", "domain add", "dynamicloader", "hostname add", "pentagon", "defense" ], "references": [ "sentient.industries affects independent artists. Affects several others.", "Bethseda Map - Yara Detections Delphi , InnoSetupInstaller", "Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions", "Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook", "Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files", "Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware", "Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers", "prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022", "talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com", "Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty", "Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html", "http://link.monetizer101.com/widget/custom-2.0.2/templates/1", "https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget", "widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/", "http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022", "https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js", "https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js", "https://link.monetizer101.com/widget/code/dailystaruk.js", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)", "Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical", "(Can't access file- Malware infection files)", "Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront", "constellation.pcfrpegaservice.net (Pegasus related? idk)", "On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service", "TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]", "I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post", "Remotewd.com devices", "If you find anything interesting please research it." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "nUFS_inno", "display_name": "nUFS_inno", "target": null }, { "id": "#Lowfi:HSTR:MSIL/Malicious", "display_name": "#Lowfi:HSTR:MSIL/Malicious", "target": null }, { "id": "ALF:JASYP:PUA:Win32/Bibado", "display_name": "ALF:JASYP:PUA:Win32/Bibado", "target": null }, { "id": "Trojan:Win32/Toga", "display_name": "Trojan:Win32/Toga", "target": "/malware/Trojan:Win32/Toga" }, { "id": "Win32:Downloader-GJK\\ [Trj]", "display_name": "Win32:Downloader-GJK\\ [Trj]", "target": null }, { "id": "Win.Downloader.109205-1", "display_name": "Win.Downloader.109205-1", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:Downloader-GJK\\ [Trj]", "display_name": "Win32:Downloader-GJK\\ [Trj]", "target": null }, { "id": "Win.Downloader.109205-1", "display_name": "Win.Downloader.109205-1", "target": null }, { "id": "Win.Trojan.Jorik-149", "display_name": "Win.Trojan.Jorik-149", "target": null }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.Jorik-130", "display_name": "Win.Trojan.Jorik-130", "target": null }, { "id": "Win.Trojan.Fakecodecs-119", "display_name": "Win.Trojan.Fakecodecs-119", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Trojan.Bulz-9860169-0", "display_name": "Win.Trojan.Bulz-9860169-0", "target": null }, { "id": "Win.Malware.Midie-6847892-0", "display_name": "Win.Malware.Midie-6847892-0", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win.Packed.Razy-9785185-0", "display_name": "Win.Packed.Razy-9785185-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "PWS", "display_name": "PWS", "target": null }, { "id": "DDOS:Win32/Stormser.A", "display_name": "DDOS:Win32/Stormser.A", "target": "/malware/DDOS:Win32/Stormser.A" }, { "id": "ALF:HSTR:DotNET", "display_name": "ALF:HSTR:DotNET", "target": null }, { "id": "DotNET", "display_name": "DotNET", "target": null }, { "id": "Script Exploit", "display_name": "Script Exploit", "target": null }, { "id": "HackTool:Win32/AutoKMS", "display_name": "HackTool:Win32/AutoKMS", "target": "/malware/HackTool:Win32/AutoKMS" }, { "id": "Xanfpezes.A", "display_name": "Xanfpezes.A", "target": null }, { "id": "Trojan:Win32/Gandcrab", "display_name": "Trojan:Win32/Gandcrab", "target": "/malware/Trojan:Win32/Gandcrab" }, { "id": "Win.Trojan.Generic-9862772-0", "display_name": "Win.Trojan.Generic-9862772-0", "target": null }, { "id": "Trojan:Win32/Zbot.SIBL!MTB", "display_name": "Trojan:Win32/Zbot.SIBL!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBL!MTB" }, { "id": "Win32/Nemucod", "display_name": "Win32/Nemucod", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn", "target": null }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "Win.Malware.Kolab-9885903-0", "display_name": "Win.Malware.Kolab-9885903-0", "target": null }, { "id": "Win.Malware (30)", "display_name": "Win.Malware (30)", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "#Lowfi:HSTR:MSIL/Malicious.Decryption", "display_name": "#Lowfi:HSTR:MSIL/Malicious.Decryption", "target": null }, { "id": "E5", "display_name": "E5", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6232, "URL": 24908, "hostname": 7993, "FileHash-SHA256": 11128, "email": 6, "FileHash-MD5": 1054, "FileHash-SHA1": 932, "SSLCertFingerprint": 14, "CIDR": 3, "CVE": 3 }, "indicator_count": 52273, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "207 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ac00ee047dfb2f6ae181d6", "name": "PalantirFoundry.com links found in sentient.industries linked with targets business dom", "description": "Status: https://www.palantir.com/blocked/ |\t\t\nmailto:cirt@palantir.com | \nC=US L=Palo Alto CN=*.palantirfoundry.com O=Palantir Technologies Inc. ST=California\n\nAI Overview-\nImplementing an Operational Data Mesh with Palantir Foundry ...\nPalantir Foundry is a comprehensive software platform that serves as a central, operational layer for data integration, analytics, machine learning, and decision-making within organizations. It provides a unified environment to connect disparate data sources, create a shared data model (an Ontology), and develop custom applications and workflows for complex operational decision-making across diverse sectors like finance, healthcare, and supply chain management.\n \n..far less innocent.\n\nAttacks, targeting, espionage against citizens not necessarily suspected of a crime. If not a spoof is a Top\ntier quasi government contractor with a product to sell. Can deploy highly technical tasks. Targeting isn\u2019t appropriate \u2018investigating\u2019.\n#stealth #relentless #silencing #obnoxious", "modified": "2025-08-25T06:21:34.337000", "created": "2025-08-25T06:21:34.337000", "tags": [ "active related", "pulses hostname", "related pulses", "information", "t1047", "instrumentation", "t1060", "run keys", "startup", "folder", "t1119", "capture", "domain", "germany", "united", "netherlands", "france", "palantirfoundry", "palantir", "active" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 510, "domain": 4, "hostname": 486 }, "indicator_count": 1000, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "237 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688398926252d91f97c75b05", "name": "Registrar Abuse \u2022 Typosquatting \u2022 Masquerading -suspected with PalantirFoundry.com links", "description": "Registrar Abuse \u2022 Typosquatting \u2022 Masquerading - possible? re:PalantirFoundry.com links registered by \u2018Palantir Technologies Inc.\u2019 I\u2019ve included 200 + palantirfoundry.com links.\nThe product is sold, I don\u2019t know if product can be rebranded, private labeled. Finding requires much more research. I have no option but to suspect any link palantirfoundry.com may be registrar abuse and masquerading as seen before. Most of the connections are have changed or moved. The damage these links do is as stated in previous pulses, dangerous, spyware with nothing changed the amount of damage, danger or the maliciousness of threat actor. Everything malicious result found re: recently pulsed palantirfoundry.com are accurate. ||\n(https://edenglobalpartners.palantirfoundry.com/multipass/login/all?redirect-uri=%2Fworkspace)\nredirects to Palantir branded website [https://hybrid-analysis.com/sample/e844b801e1c217720ff8c81b2ba47f6e14796f635d2dc430fd8813354310cf34/688391055d0c6d5b770f18d8]", "modified": "2025-08-24T14:04:57.110000", "created": "2025-07-25T14:45:38.136000", "tags": [ "url https", "url http", "gather victim", "run keys", "startup", "folder", "t1057", "discovery", "t1071", "protocol", "united", "sweden", "germany", "search", "type indicator", "role title", "added active", "related pulses", "extraction", "data upload", "failed", "extr data", "include review", "exclude", "sugges data", "uniy incuue", "mitre att", "present jul", "status", "date", "united kingdom", "unknown a", "moved", "certificate", "ip address", "body", "passive dns", "urls", "creation date", "emails", "files", "domain", "files ip", "address", "location united", "asn as16509", "entries", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "read c", "medium", "flashpix", "show", "showing", "delete", "yara detections", "icmp traffic", "registry", "python", "write", "persistence", "execution", "copy", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "development att", "show process", "prefetch8", "show technique", "ck matrix", "localappdata", "process", "pattern match", "general", "hybrid", "path", "click", "strings" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 750, "domain": 67, "hostname": 631, "FileHash-MD5": 25, "FileHash-SHA1": 9, "email": 4, "FileHash-SHA256": 219, "SSLCertFingerprint": 2 }, "indicator_count": 1707, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://magna.palantirfoundry.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://magna.palantirfoundry.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776649801.654035 }