{ "type": "URL", "indicator": "https://map.bing.com.cn", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://map.bing.com.cn", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3743643879, "indicator": "https://map.bing.com.cn", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "69aa0a62f94a92b5168405c2", "name": "fedpaypal clone Q vashti", "description": "", "modified": "2026-03-06T06:39:27.872000", "created": "2026-03-05T22:57:38.559000", "tags": [ "present sep", "virtool", "cryp", "win32", "ip address", "trojan", "ransom", "asn as54113", "passive dns", "msil", "united states", "dynamicloader", "qaeaav12", "high", "qbeipbdii", "write", "paypal", "medium", "search", "vmware", "floodfix", "malware", "united", "mtb apr", "hostname add", "write c", "read c", "yara detections", "upxoepplace", "next", "markus", "april", "ping", "meta http", "content", "gmt server", "th th", "443 ma2592000", "ipv4 add", "url analysis", "urls", "body", "title", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "status", "name servers", "set cookie", "script urls", "present feb", "cookie", "template", "present oct", "present jul", "present dec", "present jun", "next associated", "urls show", "date checked", "present apr", "url hostname", "united kingdom", "unknown ns", "servers", "great britain", "msr aug", "msr apr", "msr nov", "ite o", "server response", "script script", "files show", "date hash", "avast avg", "creation date", "lcid1033", "sminnotek", "spnvirtualbox", "bvvirtualbox", "present mar", "present nov", "exploit", "error", "server response", "google safe", "results sep", "backdoor", "certificate", "mtb sep", "next http", "scans show", "present may", "results jun", "results jan", "worm", "echo request", "sweep", "payload hello", "world", "ids detections", "cape", "viking", "philis", "et", "torop", "des moines", "contacted hosts", "content reputation", "sabey type", "tulach type", "rexx type", "foundry type", "fred scherr", "twitter", "apple", "monitored target", "financial theft", "psalms 27: 1 - 14" ], "references": [ "fed.paypal.com [redirect for monitored target \u2022 1st documented 2020- still active]", "nr-data.net \u2022 init.ess.apple.com\t\u2022 apple-id-ifind.com \u2022 https://apple-id-ifind.com/\t\u2022 apple-lostandfound.com", "https://www.speakup.it/magazines/places/new-york-city-on-a-budget-big-apple-little-money_2368", "https://login.apple-mac.banugoker.com/cgi-sys/defaultwebpage.cgi \u2022 lsupport-apple.com", "login.apple-mac.banugoker.com \u2022 www.apple-mac.banugoker.com \u2022 http://apple-mac.banugoker.com/", "https://apple-mac.banugoker.com/ \u2022 https://login.apple-mac.banugoker.com/", "http://45.159.189.105/bot/regex \u2022 https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com \u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.\u2022 com/ \u2022 https://www.csrc.gov.cn.lxcvc.com/", "https://lk-prod-webcol.laika.com.co/category/bog/cat/farmacia/collares-isabelinos/todos/todo-para-mascota/1", "https://twitter.com/PORNO_SEXYBABES \u2022 https://megapornfreehd.com/2025/04/360", "https://57d5.zhanyu66.com/com.slamyugllp.strangerrun.xc.apk/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "Win.Trojan.Fraudpack", "display_name": "Win.Trojan.Fraudpack", "target": null }, { "id": "Fakeav", "display_name": "Fakeav", "target": null }, { "id": "Ransom:MSIL/Genasom.I", "display_name": "Ransom:MSIL/Genasom.I", "target": "/malware/Ransom:MSIL/Genasom.I" }, { "id": "Virtool:Win32/Obfuscator.KI", "display_name": "Virtool:Win32/Obfuscator.KI", "target": "/malware/Virtool:Win32/Obfuscator.KI" }, { "id": "Toga!rfn", "display_name": "Toga!rfn", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Malware.Remoteadmin-7056666-0", "display_name": "Win.Malware.Remoteadmin-7056666-0", "target": null }, { "id": "Floxif", "display_name": "Floxif", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Dropper.Unruy-9994363-0", "display_name": "Win.Dropper.Unruy-9994363-0", "target": null }, { "id": "Win.Trojan.Cycler-47", "display_name": "Win.Trojan.Cycler-47", "target": null }, { "id": "Win.Trojan.Clicker-3506", "display_name": "Win.Trojan.Clicker-3506", "target": null }, { "id": "Win.Downloader.Unruy-10026469-0", "display_name": "Win.Downloader.Unruy-10026469-0", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Malware.Urelas", "display_name": "Win.Malware.Urelas", "target": null }, { "id": "Win.Malware.Zusy", "display_name": "Win.Malware.Zusy", "target": null }, { "id": "ALF:HeraklezEval:PWS:Win32/QQPass!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/QQPass!rfn", "target": null }, { "id": "Win.Malware.Eclz-9953021-0", "display_name": "Win.Malware.Eclz-9953021-0", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:HSTR:TrojanDownloader:Win32/PurityScan.A!bit", "display_name": "ALF:HSTR:TrojanDownloader:Win32/PurityScan.A!bit", "target": null }, { "id": "Win.Dropper.Tiggre-9845940-0", "display_name": "Win.Dropper.Tiggre-9845940-0", "target": null }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Win.Malware.Sfwx-9853337-0", "display_name": "Win.Malware.Sfwx-9853337-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Trojan:Win32/Kaicorn!rf", "display_name": "Trojan:Win32/Kaicorn!rf", "target": "/malware/Trojan:Win32/Kaicorn!rf" }, { "id": "Win32:Banker", "display_name": "Win32:Banker", "target": null }, { "id": "Worm:Win32/Cambot!rfn", "display_name": "Worm:Win32/Cambot!rfn", "target": "/malware/Worm:Win32/Cambot!rfn" }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "Win.Malware.Midie-6847892-0", "display_name": "Win.Malware.Midie-6847892-0", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1401", "name": "Device Administrator Permissions", "display_name": "T1401 - Device Administrator Permissions" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "68c5743593a4bcc81dd94b0b", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1323, "URL": 4360, "FileHash-MD5": 759, "FileHash-SHA1": 748, "FileHash-SHA256": 5148, "domain": 1076, "email": 7 }, "indicator_count": 13421, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9a1ef2dd26ec62a3c298c", "name": "Listeners - Malicious Over the top espionage | Cyber Warfare?", "description": "Cyber attacks on targeted devices stored safely, separately, don\u2019t communicate with one another. PalantirFoundry.com shares IP addresses with Fastly. South African IP\u2019s and DGA domains bounce from US Denver , Co based IP and Domain addresses. Registrar Abuse: HTTP/2 404 content type: text/html content length: 2263 date: Wed 22 Oct 2025 22:32:18 GMT server: Envoy\n443 Certificate Subject: US\n443 Certificate Subject: Colorado\n443 Certificate Subject: Denver\n443 Certificate Subject: Palantir Technologies Inc.\n443 Certificate Subject: listeners.usw-19.palantirfoundry.com", "modified": "2025-11-22T00:01:42.464000", "created": "2025-10-23T03:33:03.315000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 180, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9a6f4e35193c04401daaf", "name": "Emotet & VirTool Obsfuscator - Registrar abuse tracking civilians", "description": "", "modified": "2025-11-22T00:01:42.464000", "created": "2025-10-23T03:54:28.671000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": "68f9a1ef2dd26ec62a3c298c", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69069167e1e2a222bd7762f2", "name": "Palantir - Spyware", "description": "", "modified": "2025-11-22T00:01:42.464000", "created": "2025-11-01T23:01:59.339000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": "68f9a1ef2dd26ec62a3c298c", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "privacynotacrime", "id": "349346", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9372439f9a3973097393f", "name": "South African actors are criminally insane Palantir product abusers or employees", "description": "Attempting to wip disks and delete files. Threat actors nearby. \u2018Endgame\u2019 project typically found alongside Project Hilo , Project Helix , Palantir and Foundry. I\u2019m just researching to solve what I thought would be far less complex issues. Stop doing this. Target rarely left house after contact with \u2018watcher\u2019 \u2018MVA by a young 22 year old male also left victim in fear til the end. \nI\u2019m going to call out on anyone pretending to be some else \u2018stop making contact with targets family and associates.\u2019 No one has been pursued or paid for crimes against target. This needs to end.\n\nSouth African actors are criminally insane Palantir product users or employees \n\n#phishing + malware , dns , file deletion attacks. \n\n[OTX auto populated The following is the full text of Entrust, Inc. - for the use of the terms \"entrust\" and \"sassa.gov.za\" - in terms of terms and conditions. ]\n\nIt makes sense. I\u2019m in town. 5 blocks away heading towards SoBo. Hi! Stop", "modified": "2025-11-21T19:01:20.179000", "created": "2025-10-22T19:57:24.562000", "tags": [ "passive dns", "urls", "related nids", "files location", "south africa", "flag south", "africa hostname", "files domain", "files", "entrust", "mulweli", "create c", "read c", "delete", "write", "search", "show", "create", "medium", "showing", "unicode", "next", "dock", "execution", "copy", "t1199", "relationship", "t1561", "wipe", "t1053", "taskjob", "t1055", "injection", "t1056", "capture", "url https", "url http", "malware attacks", "find encrypted", "indicator role", "title added", "active related", "pulses url", "city", "county", "otx auto", "title", "net security", "tags" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 597, "domain": 78, "hostname": 270, "FileHash-SHA256": 183, "FileHash-MD5": 19, "FileHash-SHA1": 5 }, "indicator_count": 1152, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9288e0d98f3b44c2cb90c", "name": "Ultrasounds attack - South African criminal group-Denver, Vo affects critical infrastructure , Oil and public safety", "description": "South African and Ethiopian crime group with Denver , Co presence is not only infiltrating infrastructure from banking to oil, they are human traffickers, hitmen and yes, I received this tip from team member Pheona who a \u2018sassa.gov.za\u2018 South African link recurrently as a top search suggestion in a \u2018targets\u2019 browser. The most frightening piece is that a name listed is of an Ethiopian man who attempted to force a very targeted victim to go somewhere with him,, be his girlfriend and did show up outside of her residence in a different City & County. He also knew the exact name of where she purchased specific items. If you can see this. Please help the best way you can. Something is incredibly wrong. [OTX auto populated Title: We can\u2019t rely on goodwill to protect our critical infrastructure - Help Net Security]", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T18:55:10.527000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f93b1cebf80f48450bd517", "name": "Yuner - File deletion and Disk Wiping / Cyberstalking ", "description": "", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T20:14:20.632000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": "68f9288e0d98f3b44c2cb90c", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f7ced2cf17d264b49628bc", "name": "NIDS - Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information", "description": "Multiple malware\u2019s targeting Dropbox & Ebay accounts. Referenced in earlier pukses. Further investigation shows link found in apps on multiple Apple devices. Afraid. Org still running & wreaking havoc globally. Currently targets a Music studio in Clear Creek County Co. The signal bounces from Fire station directly to studio gaining full access to everything.\n\nI am very disappointed with the abuses in f the Palantir , Gotham , Foundry products being abused by law firms and Private Investigators.\nIt is very destructive, causing loss, these firms are literally stealing and making money with other people\u2019s intellectual property and tough luck on the actual inventor, artist, writer because they even steal , cancel your insurance or back accounts leaving you unable to make a claim. \n\nGreat discretion should be used to qualify for these tools used to track, terrorize and access private information as well as tarnish the names of civilians , family ,businesses, stalking tracking known location.", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T18:20:02.120000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f80c6bcd3fff3a4f126a68", "name": "Sventore \u2022 Agent Tesla Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information ", "description": "", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T22:42:51.657000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": "68f7ced2cf17d264b49628bc", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6533120ed78adc8baa57b9d0", "name": "quick look at 79.12.165.51", "description": "", "modified": "2025-10-25T02:11:11.653000", "created": "2023-10-20T23:49:34.890000", "tags": [], "references": [ "https://www.virustotal.com/graph/g03fce3ad62f74ad59bbcda71bfdde96da39417641c9a470f99adfa9b14a7724c" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 1650, "URL": 1744, "domain": 339, "email": 1, "hostname": 834, "CVE": 1 }, "indicator_count": 4587, "is_author": false, "is_subscribing": null, "subscriber_count": 179, "modified_text": "176 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c5743593a4bcc81dd94b0b", "name": "Fed.PayPal.com - Ransom | Attacks via redirect", "description": "A monitored target, active on various payment platforms for business documented a malicious redirect event 1st seen in 2020. Follows pattern of multiple, critical and ongoing attacks beginning in 2013. In this instance target lost access to PayPal payments. If this is legal, it\u2019s been a grotesque grift. Target was financially and otherwise robbed.\n\n\n#trulymissed #paypal #advesaries #apple #twitter #backdoor #ransom #botnet #reptutationattack", "modified": "2025-10-13T13:27:11.277000", "created": "2025-09-13T13:40:05.671000", "tags": [ "present sep", "virtool", "cryp", "win32", "ip address", "trojan", "ransom", "asn as54113", "passive dns", "msil", "united states", "dynamicloader", "qaeaav12", "high", "qbeipbdii", "write", "paypal", "medium", "search", "vmware", "floodfix", "malware", "united", "mtb apr", "hostname add", "write c", "read c", "yara detections", "upxoepplace", "next", "markus", "april", "ping", "meta http", "content", "gmt server", "th th", "443 ma2592000", "ipv4 add", "url analysis", "urls", "body", "title", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "status", "name servers", "set cookie", "script urls", "present feb", "cookie", "template", "present oct", "present jul", "present dec", "present jun", "next associated", "urls show", "date checked", "present apr", "url hostname", "united kingdom", "unknown ns", "servers", "great britain", "msr aug", "msr apr", "msr nov", "ite o", "server response", "script script", "files show", "date hash", "avast avg", "creation date", "lcid1033", "sminnotek", "spnvirtualbox", "bvvirtualbox", "present mar", "present nov", "exploit", "error", "server response", "google safe", "results sep", "backdoor", "certificate", "mtb sep", "next http", "scans show", "present may", "results jun", "results jan", "worm", "echo request", "sweep", "payload hello", "world", "ids detections", "cape", "viking", "philis", "et", "torop", "des moines", "contacted hosts", "content reputation", "sabey type", "tulach type", "rexx type", "foundry type", "fred scherr", "twitter", "apple", "monitored target", "financial theft", "psalms 27: 1 - 14" ], "references": [ "fed.paypal.com [redirect for monitored target \u2022 1st documented 2020- still active]", "nr-data.net \u2022 init.ess.apple.com\t\u2022 apple-id-ifind.com \u2022 https://apple-id-ifind.com/\t\u2022 apple-lostandfound.com", "https://www.speakup.it/magazines/places/new-york-city-on-a-budget-big-apple-little-money_2368", "https://login.apple-mac.banugoker.com/cgi-sys/defaultwebpage.cgi \u2022 lsupport-apple.com", "login.apple-mac.banugoker.com \u2022 www.apple-mac.banugoker.com \u2022 http://apple-mac.banugoker.com/", "https://apple-mac.banugoker.com/ \u2022 https://login.apple-mac.banugoker.com/", "http://45.159.189.105/bot/regex \u2022 https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com \u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.\u2022 com/ \u2022 https://www.csrc.gov.cn.lxcvc.com/", "https://lk-prod-webcol.laika.com.co/category/bog/cat/farmacia/collares-isabelinos/todos/todo-para-mascota/1", "https://twitter.com/PORNO_SEXYBABES \u2022 https://megapornfreehd.com/2025/04/360", "https://57d5.zhanyu66.com/com.slamyugllp.strangerrun.xc.apk/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "Win.Trojan.Fraudpack", "display_name": "Win.Trojan.Fraudpack", "target": null }, { "id": "Fakeav", "display_name": "Fakeav", "target": null }, { "id": "Ransom:MSIL/Genasom.I", "display_name": "Ransom:MSIL/Genasom.I", "target": "/malware/Ransom:MSIL/Genasom.I" }, { "id": "Virtool:Win32/Obfuscator.KI", "display_name": "Virtool:Win32/Obfuscator.KI", "target": "/malware/Virtool:Win32/Obfuscator.KI" }, { "id": "Toga!rfn", "display_name": "Toga!rfn", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Malware.Remoteadmin-7056666-0", "display_name": "Win.Malware.Remoteadmin-7056666-0", "target": null }, { "id": "Floxif", "display_name": "Floxif", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Dropper.Unruy-9994363-0", "display_name": "Win.Dropper.Unruy-9994363-0", "target": null }, { "id": "Win.Trojan.Cycler-47", "display_name": "Win.Trojan.Cycler-47", "target": null }, { "id": "Win.Trojan.Clicker-3506", "display_name": "Win.Trojan.Clicker-3506", "target": null }, { "id": "Win.Downloader.Unruy-10026469-0", "display_name": "Win.Downloader.Unruy-10026469-0", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Malware.Urelas", "display_name": "Win.Malware.Urelas", "target": null }, { "id": "Win.Malware.Zusy", "display_name": "Win.Malware.Zusy", "target": null }, { "id": "ALF:HeraklezEval:PWS:Win32/QQPass!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/QQPass!rfn", "target": null }, { "id": "Win.Malware.Eclz-9953021-0", "display_name": "Win.Malware.Eclz-9953021-0", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:HSTR:TrojanDownloader:Win32/PurityScan.A!bit", "display_name": "ALF:HSTR:TrojanDownloader:Win32/PurityScan.A!bit", "target": null }, { "id": "Win.Dropper.Tiggre-9845940-0", "display_name": "Win.Dropper.Tiggre-9845940-0", "target": null }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Win.Malware.Sfwx-9853337-0", "display_name": "Win.Malware.Sfwx-9853337-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Trojan:Win32/Kaicorn!rf", "display_name": "Trojan:Win32/Kaicorn!rf", "target": "/malware/Trojan:Win32/Kaicorn!rf" }, { "id": "Win32:Banker", "display_name": "Win32:Banker", "target": null }, { "id": "Worm:Win32/Cambot!rfn", "display_name": "Worm:Win32/Cambot!rfn", "target": "/malware/Worm:Win32/Cambot!rfn" }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "Win.Malware.Midie-6847892-0", "display_name": "Win.Malware.Midie-6847892-0", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1401", "name": "Device Administrator Permissions", "display_name": "T1401 - Device Administrator Permissions" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1321, "URL": 4356, "FileHash-MD5": 759, "FileHash-SHA1": 748, "FileHash-SHA256": 5148, "domain": 1076, "email": 7 }, "indicator_count": 13415, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "188 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bbdb22e3d606ae8fb5cda8", "name": "HCPF | Department of Health Care Policy and Financing", "description": "Project Nemesis - Affects Department of Health Care Policy and Financing | Family representative repeatedly told past bills aren\u2019t being paid by United Healthcare. Argus Insurance (unknown entity) was Policy on record target never had. FR was given information regarding HCPF which was being viewed by past vendor seen in (https://otx.alienvault.com/pulse/68bbb31f6d91989d7fcd9592) | Issues with HCPF have been an issue for some time in isolated scenarios. It\u2019s unclear how at least one person keeps getting their name, bills and life pulled into this. Target PURCHASED a Healthcare policy via agent before major social engineering attacks. Same entity literally robs targets. Gift cards, phone services, cloud storage, account, insurance policies, bank account access, tax refunds, paid claims reversed & taken from target\u2019s account.\nMore research needed. Flaws in new system could jeopardize many. \n#trulymissed #rip #techbrohell #palantir", "modified": "2025-10-06T05:01:18.794000", "created": "2025-09-06T06:56:34.649000", "tags": [ "federal changes", "health first", "colorado", "child health", "plan plus", "newimpact", "medicaidour", "impact", "medicaid page", "medicaid", "beware", "text/html", "trackers", "iframes", "external-resources", "new relic", "g1gv3h3sxc0", "utc gcw970gh4gg", "android", "known exploited", "google", "salesloft drift", "sap s4hana", "cve202542957", "cisa", "sitecore", "linux", "france", "meta", "rokrat", "lizar", "project nemesis", "carbanak", "cobalt strike", "domino", "no expiration", "url https", "type indicator", "role title", "related pulses", "hostname https", "m4e5930", "hostname", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "ascii text", "search", "ogoogle trust", "cngts ca", "execution", "next", "dock", "write", "capture", "persistence", "malware", "roboto", "present feb", "united", "a domains", "present dec", "passive dns", "moved", "script domains", "script urls", "urls", "title", "date", "resolved ips", "http traffic", "http get", "match info", "downloads", "info", "https http", "mitre att", "control ta0011", "protocol t1071", "protocol t1095", "endgame systems" ], "references": [ "Researched: https://hcpf.colorado.gov/", "www.onyx-ware.com \u2022 https://www.endgamesystems.com/", "millet-usgc-1.palantirfedstart.com", "https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html", "https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms", "https://passwords.google/?utm_medium=hpp&utm", "https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html", "Researched publicly available information provided by representative of a target\u2019s estate", "System has placed affected on multiple policies cancelling private policy without notice.", "Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)", "Provided documented evidence of appealed state issued plan and disclosed financials.", "Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes", "I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.", "State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.", "Target also owned an online brokerage & lead company, was agent & insurance marketer for years.", "September began with false information, defaulted claims , denials from authorized services rendered years prior.", "If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lizar", "display_name": "Lizar", "target": null }, { "id": "Project Nemesis", "display_name": "Project Nemesis", "target": null }, { "id": "Carbanak", "display_name": "Carbanak", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Domino", "display_name": "Domino", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Hospitality", "Financial", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1395, "URL": 4304, "CVE": 1, "domain": 694, "FileHash-SHA256": 1790, "FileHash-MD5": 183, "FileHash-SHA1": 103, "SSLCertFingerprint": 5 }, "indicator_count": 8475, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bbb31f6d91989d7fcd9592", "name": "Who is Argus Health Systems in relation to United Healthcare", "description": "Strange. Person/s handling a monitored targeted past accounts was contacted to have old bills paid. Told individual had Argus Health Insurance that wouldn\u2019t pay.\n\nIssues: \u2022 Individual wasn\u2019t a client of vendor in 2024\n\u2022 Was never an Argus client.\n\u2022 Social engineering type call. Angry employee demanding copy of front and back of Health Care Insurance card for UH payments for items purchased after approved prior authorization for in past purchases. \n\u2022 Gave an incredible amount of PHI over phone w/o appropriate new (or former) HIPPA standard verification. \u2022 Angrily refused to provide billing # or requesters name.\n*United Health Care has paid ZERO bills. \n* \n(Auto populated - Anel arauchealth cam) | https://www.argushealth.com. Argus Health Systems is a healthcare technology company based in Kansas City, MO. Specializing in pharmacy benefit management ...", "modified": "2025-10-06T03:04:31.707000", "created": "2025-09-06T04:05:50.955000", "tags": [ "server", "date", "registrar abuse", "csc corporate", "domains", "algorithm", "key identifier", "x509v3 subject", "country", "postal code", "code", "united", "showing", "entries", "ip address", "search", "name servers", "unknown aaaa", "domain add", "pulse submit", "passive dns", "content type", "type content", "all ipv4", "url analysis", "urls", "files", "title", "meta", "certificate", "creation date", "record value", "hostname add", "domain", "unknown ns", "china unknown", "body", "please", "x msedge", "pulse pulses", "present aug", "hong kong", "extraction", "data upload", "levelbluelabs", "search otx", "pcap", "stix", "url or", "texdr", "failedto", "drop", "aaaa", "record type", "ttl value", "historical ssl", "certificates", "thumbprint", "present jan", "next associated", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "present jun", "moved", "gmt content", "a domains", "next http", "scans show", "error", "present sep", "present may", "present jul", "present mar", "present apr" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2091, "domain": 817, "URL": 7939, "email": 5, "FileHash-SHA256": 2960, "FileHash-SHA1": 240, "FileHash-MD5": 227 }, "indicator_count": 14279, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68b798c0a419c49eeb4e2a13", "name": "Archive.ph - Mirai", "description": "Outdated archiving domain of questionable origin can expose or has exposed monitored target/s to\nUnix.Dropper.Mirai-7135858-0.\n\nThe domain seems to want to appear as if it originates from Russia. There is a DoD & Endgame systems relationship. Multiple archived pages have been injected and deleted.\n(Little Endian) is a name seen often related to an innocent known to be targeted by a pro male entity who utilizes Pegasus, Palantir, Gotham, Foundry , Tulach, for silencing.\n#trulymissed #mirai #malicious", "modified": "2025-10-03T00:01:12.616000", "created": "2025-09-03T01:24:16.418000", "tags": [ "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "javascript", "spawns", "united", "present aug", "div div", "meta", "fffae1", "xml title", "drag", "div form", "form div", "a li", "encrypt", "russia", "passive dns", "urls", "aaaa", "netherlands", "your ip", "panama", "russia unknown", "present mar", "present jun", "moved", "present jul", "present sep", "ip address", "present jan", "body", "title", "domain", "files", "content type", "body doctype", "as16509", "intel mac", "os x", "ipv4 add", "port", "destination", "read c", "medium", "entries", "et info", "execution", "next", "dock", "write", "persistence", "malware", "url analysis", "files ip", "name server", "domain address", "algorithm", "key identifier", "v3 serial", "number", "cus olet", "encrypt cne6", "validity", "subject public", "key info", "us as15169", "us as396982", "mitre att", "pattern match", "form", "onload", "general", "local", "path", "click", "strings", "verify", "asnone", "china as4134", "resolverror", "high", "dns query", "as7018 att", "japan as4713", "south korea", "little \u2018endian\u2019", "mirai", "dod", "endgame systems", "government overreach", "sabey type", "foundry type", "apple", "cve" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135858-0", "display_name": "Unix.Dropper.Mirai-7135858-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2069, "domain": 406, "FileHash-SHA256": 1498, "hostname": 811, "FileHash-MD5": 150, "FileHash-SHA1": 138, "SSLCertFingerprint": 8, "CIDR": 1, "CVE": 1 }, "indicator_count": 5082, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "198 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c54659742e10df0e2dd0ec", "name": "Archive.ph - Mirai", "description": "", "modified": "2025-10-03T00:01:12.616000", "created": "2025-09-13T10:24:25.814000", "tags": [ "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "javascript", "spawns", "united", "present aug", "div div", "meta", "fffae1", "xml title", "drag", "div form", "form div", "a li", "encrypt", "russia", "passive dns", "urls", "aaaa", "netherlands", "your ip", "panama", "russia unknown", "present mar", "present jun", "moved", "present jul", "present sep", "ip address", "present jan", "body", "title", "domain", "files", "content type", "body doctype", "as16509", "intel mac", "os x", "ipv4 add", "port", "destination", "read c", "medium", "entries", "et info", "execution", "next", "dock", "write", "persistence", "malware", "url analysis", "files ip", "name server", "domain address", "algorithm", "key identifier", "v3 serial", "number", "cus olet", "encrypt cne6", "validity", "subject public", "key info", "us as15169", "us as396982", "mitre att", "pattern match", "form", "onload", "general", "local", "path", "click", "strings", "verify", "asnone", "china as4134", "resolverror", "high", "dns query", "as7018 att", "japan as4713", "south korea", "little \u2018endian\u2019", "mirai", "dod", "endgame systems", "government overreach", "sabey type", "foundry type", "apple", "cve" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135858-0", "display_name": "Unix.Dropper.Mirai-7135858-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": "68b798c0a419c49eeb4e2a13", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "privacynotacrime", "id": "349346", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2069, "domain": 406, "FileHash-SHA256": 1498, "hostname": 811, "FileHash-MD5": 150, "FileHash-SHA1": 138, "SSLCertFingerprint": 8, "CIDR": 1, "CVE": 1 }, "indicator_count": 5082, "is_author": false, "is_subscribing": null, "subscriber_count": 59, "modified_text": "198 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ae5b9ef87646927a236b61", "name": "Privacy - Google Videos Search - Web Applications Stack Exchange = WannaCry", "description": "Description: dfir.blog - A blog about Digital Forensics & Incident Response\ndfir.blog\nDigital forensics, web browsers, visualizations, & open source tools.\n#monitoring #dod(?) #chinacache #crypt #ransom#infectedsystems", "modified": "2025-09-26T00:01:12.214000", "created": "2025-08-27T01:13:02.780000", "tags": [ "google", "mullvad browser", "value", "incognito mode", "mine", "unix time", "friday", "january", "does", "tor browser", "search", "show", "langchinese", "packing t1045", "t1045", "medium", "pe resource", "module load", "t1129", "service", "trojan", "copy", "dock", "write", "malware", "clock", "united", "passive dns", "urls", "next associated", "gmt cache", "ipv4 add", "pulse pulses", "files", "reverse dns", "win32", "title", "location united", "america flag", "america asn", "as15169 google", "dns resolutions", "domains top", "level", "unique tlds", "present aug", "china unknown", "creation date", "date", "domain", "ip address", "domain name", "expiration date", "status ok", "nanjing", "accept", "body", "div td", "td tr", "div div", "span span", "a li", "span p", "p div", "moved", "a domains", "open", "span", "uuupupu", "t1055", "process32nextw", "high", "windows", "high defense", "evasion", "delphi", "google gmail", "images sign", "advanced search", "solutions", "privacy", "store gmail", "delete delete", "report", "how search", "applying ai", "settings search", "advanced", "search search", "search help", "domainabuse", "showing", "hostname add", "url add", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "read c", "tlsv1", "whitelisted", "port", "destination", "ascii text", "next", "encrypt", "script urls", "msie", "chrome", "bad gateway", "script domains", "present feb", "link", "meta", "digital", "language", "body doctype", "ghost", "present jun", "aaaa", "present jul", "present oct", "record value", "yara detections", "dock zone", "top source", "top destination", "source source", "filehash", "code", "error", "windows nt", "wow64", "slcc2", "media center", "execution", "persistence", "tulach", "brian sabey", "dod network", "orgtechref", "address range", "cidr", "network name", "allocation type", "whois server", "entity dnic", "handle", "whois lookup", "dod", "et trojan", "server header", "suspicious", "et info", "unknown", "virustotal", "specified", "download", "et", "please", "type size", "first seen", "loading", "python wheel", "dynamicloader", "intel", "ms windows", "pe32", "entries", "user agent", "powershell", "agent", "yara rule", "checks", "levelblue", "open threat", "observed dns", "query", "dns lookup", "msdos", "wannacry dns", "lookup", "wannacry", "worm", "explorer", "msil", "darkcomet", "ping", "tools", "capture", "hallrender", "dga domains", "unfurl sites", "honey net", "bot", "nxdomain", "potential-c2" ], "references": [ "Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems", "DoD Network Information Center (DNIC)", "DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}", "Python Wheel package", "https://www.google.com/search", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Magania.DSK!MTB", "display_name": "Trojan:Win32/Magania.DSK!MTB", "target": "/malware/Trojan:Win32/Magania.DSK!MTB" }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "a variant of Win32/Kryptik.DEOA", "display_name": "a variant of Win32/Kryptik.DEOA", "target": null }, { "id": "ALF:Exploit:Win32/gSharedInfoRef.A", "display_name": "ALF:Exploit:Win32/gSharedInfoRef.A", "target": null }, { "id": "Wannacry", "display_name": "Wannacry", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Telecommunications", "Technology", "Civilian" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8221, "domain": 1216, "FileHash-SHA256": 2434, "FileHash-MD5": 296, "FileHash-SHA1": 155, "hostname": 2939, "email": 7, "SSLCertFingerprint": 8, "CIDR": 2 }, "indicator_count": 15278, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68accab3048f960c2012d8f3", "name": "Unruy Infected System | Safari browser Google Search = www2.megawebfind.com", "description": "Unruy affecting safari browser of a currently infected iOS system.\nDescription: The sca_esv parameter is a piece of data in the URL that's likely internal to Google's system for tracking. | \n(https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | ( First time user, I can\u2019t vouch for the safety of website above.)", "modified": "2025-09-24T19:02:24.695000", "created": "2025-08-25T20:42:27.811000", "tags": [ "google search", "please click", "process32nextw", "read c", "united", "show", "entries", "shellexecuteexw", "medium", "module load", "t1129", "dock", "write", "suspicious", "malware", "unknown", "contacted", "ids detections", "forbidden yara", "detections", "domains", "unruy", "safari", "apple", "ios" ], "references": [ "https://www.google.com/search?client=safari&sca_esv= www2.megawebfind.com webfind. com \u2022 www6.mega www.google.com", "IDS Detections: Win32/Unruy.C Activity", "Alerts: network_icmp persistence_autorun antivm_vmware_in_instruction network_http", "Alerts: antisandbox_sleep creates_exe dropper stealth_window injection_process_search protection_rx", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com ocsp.pki.goog", "Domains Contacted: www.download.windowsupdate.com ifdnzact.com d38psrni17bvxu.cloudfront.net", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com ocsp.pki.goog www.download.windowsupdate.com ifdnzact.com d38psrni17bvxu.cloudfront.net www2.megawebfind.com www.google.com www6.megawebfind.com", "Domains Contacted: www2.megawebfind.com www.google.com www6.megawebfind.com", "The sca_esv parameter is a piece of data in the URL that's likely internal to Google's system for tracking, sorting, or customizing search results.", "A clients infected now former iOS device.", "https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking", "I can\u2019t vouch for the safety of website above. First time user.", "https://otx.alienvault.com/indicator/file/f3a939131ffaf473f8b1ffa0cd11d8cbce46f50dcc7e9fd2ff8404201ab5bc8e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Unruy-6912804-0", "display_name": "Win.Malware.Unruy-6912804-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [ "Technology", "Telecommunications", "Civilian" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 489, "FileHash-MD5": 105, "FileHash-SHA1": 101, "hostname": 297, "URL": 942, "SSLCertFingerprint": 1, "domain": 182 }, "indicator_count": 2117, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "206 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68abf66e97031d0ff0c04fed", "name": "Packed sentient.industries links to a targets business website", "description": "Very malicious link found in a targets business.\nPacked. Needs to be categorized.\n(FoundryPalantir rich?) Tracking, hacking, and serious espionage.\nAvailable public Information: \nSENTIENT INDUSTRIES\nsentient.industries\nSentient industries provides design and engineering services, from prototyping to small-batch manufacturing, empowering clients to overcome complex challenges. |\nMore about sentient\nMission sentient accelerates mission critical technology for\u2026\nSENTIENT INDUSTRIES\nAccelerating mission-critical tech for disaster response, defense ...\nContact Now\nAustin, tx 78758. United States. EMAIL us. info@sentient \n\nWorse than it looks. Spying on a several threat researchers.", "modified": "2025-09-24T04:04:05.604000", "created": "2025-08-25T05:36:46.327000", "tags": [ "moved", "body", "x cache", "cloudfront x", "cph50 c2", "certificate", "record value", "title", "h1 center", "server", "redacted for", "servers", "name redacted", "for privacy", "name servers", "org data", "privacy city", "privacy country", "ca creation", "passive dns", "urls", "files", "ip address", "asn as57033", "less whois", "registrar", "tucows domains", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl ecc", "domain secure", "site ca", "validity", "subject public", "extraction", "data upload", "extra data", "include review", "find", "failed", "typ no", "ms windows", "intel", "pe32", "united", "search", "as16509", "from win32bios", "show", "high", "medium", "delphi", "copy", "write", "launcher", "next", "present aug", "present jul", "lowfi", "win32", "a div", "div div", "learn xml", "babylon", "win64", "trojan", "colors", "python", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "et info", "tls handshake", "bad traffic", "failure", "date", "august", "hybrid", "general", "path", "starfield", "click", "strings", "se bethseda", "n bethseda", "n data", "error", "date checked", "url hostname", "server response", "google safe", "results aug", "read c", "tlsv1", "port", "destination", "module load", "execution", "dock", "persistence", "malware", "unknown", "cname", "aaaa", "creation date", "showing", "domain", "dga domains", "palantirfoundry", "foundry", "status", "unknown ns", "g2 tls", "rsa sha256", "italy unknown", "mtb may", "trojandropper", "invalid url", "next associated", "ddos", "body html", "hacktool", "ipv4", "url analysis", "ukraine", "encrypt", "rl add", "http", "hostname", "files domain", "files related", "related tags", "present jun", "entries", "title error", "all ipv4", "reverse dns", "yara detections", "top source", "top destination", "source source", "sha256 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "canada unknown", "content type", "javascript src", "script script", "x powered", "ipv4 add", "pulse submit", "submit url", "analysis", "url add", "related nids", "files location", "canada flag", "canada hostname", "unknown aaaa", "ascii text", "user agent", "powershell", "agent", "czechia unknown", "domain add", "dynamicloader", "hostname add", "pentagon", "defense" ], "references": [ "sentient.industries affects independent artists. Affects several others.", "Bethseda Map - Yara Detections Delphi , InnoSetupInstaller", "Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions", "Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook", "Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files", "Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware", "Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers", "prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022", "talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com", "Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty", "Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html", "http://link.monetizer101.com/widget/custom-2.0.2/templates/1", "https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget", "widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/", "http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022", "https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js", "https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js", "https://link.monetizer101.com/widget/code/dailystaruk.js", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)", "Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical", "(Can't access file- Malware infection files)", "Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront", "constellation.pcfrpegaservice.net (Pegasus related? idk)", "On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service", "TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]", "I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post", "Remotewd.com devices", "If you find anything interesting please research it." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "nUFS_inno", "display_name": "nUFS_inno", "target": null }, { "id": "#Lowfi:HSTR:MSIL/Malicious", "display_name": "#Lowfi:HSTR:MSIL/Malicious", "target": null }, { "id": "ALF:JASYP:PUA:Win32/Bibado", "display_name": "ALF:JASYP:PUA:Win32/Bibado", "target": null }, { "id": "Trojan:Win32/Toga", "display_name": "Trojan:Win32/Toga", "target": "/malware/Trojan:Win32/Toga" }, { "id": "Win32:Downloader-GJK\\ [Trj]", "display_name": "Win32:Downloader-GJK\\ [Trj]", "target": null }, { "id": "Win.Downloader.109205-1", "display_name": "Win.Downloader.109205-1", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:Downloader-GJK\\ [Trj]", "display_name": "Win32:Downloader-GJK\\ [Trj]", "target": null }, { "id": "Win.Downloader.109205-1", "display_name": "Win.Downloader.109205-1", "target": null }, { "id": "Win.Trojan.Jorik-149", "display_name": "Win.Trojan.Jorik-149", "target": null }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.Jorik-130", "display_name": "Win.Trojan.Jorik-130", "target": null }, { "id": "Win.Trojan.Fakecodecs-119", "display_name": "Win.Trojan.Fakecodecs-119", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Trojan.Bulz-9860169-0", "display_name": "Win.Trojan.Bulz-9860169-0", "target": null }, { "id": "Win.Malware.Midie-6847892-0", "display_name": "Win.Malware.Midie-6847892-0", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win.Packed.Razy-9785185-0", "display_name": "Win.Packed.Razy-9785185-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "PWS", "display_name": "PWS", "target": null }, { "id": "DDOS:Win32/Stormser.A", "display_name": "DDOS:Win32/Stormser.A", "target": "/malware/DDOS:Win32/Stormser.A" }, { "id": "ALF:HSTR:DotNET", "display_name": "ALF:HSTR:DotNET", "target": null }, { "id": "DotNET", "display_name": "DotNET", "target": null }, { "id": "Script Exploit", "display_name": "Script Exploit", "target": null }, { "id": "HackTool:Win32/AutoKMS", "display_name": "HackTool:Win32/AutoKMS", "target": "/malware/HackTool:Win32/AutoKMS" }, { "id": "Xanfpezes.A", "display_name": "Xanfpezes.A", "target": null }, { "id": "Trojan:Win32/Gandcrab", "display_name": "Trojan:Win32/Gandcrab", "target": "/malware/Trojan:Win32/Gandcrab" }, { "id": "Win.Trojan.Generic-9862772-0", "display_name": "Win.Trojan.Generic-9862772-0", "target": null }, { "id": "Trojan:Win32/Zbot.SIBL!MTB", "display_name": "Trojan:Win32/Zbot.SIBL!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBL!MTB" }, { "id": "Win32/Nemucod", "display_name": "Win32/Nemucod", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn", "target": null }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "Win.Malware.Kolab-9885903-0", "display_name": "Win.Malware.Kolab-9885903-0", "target": null }, { "id": "Win.Malware (30)", "display_name": "Win.Malware (30)", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "#Lowfi:HSTR:MSIL/Malicious.Decryption", "display_name": "#Lowfi:HSTR:MSIL/Malicious.Decryption", "target": null }, { "id": "E5", "display_name": "E5", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6232, "URL": 24908, "hostname": 7993, "FileHash-SHA256": 11128, "email": 6, "FileHash-MD5": 1054, "FileHash-SHA1": 932, "SSLCertFingerprint": 14, "CIDR": 3, "CVE": 3 }, "indicator_count": 52273, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "207 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68a0cb6a89a10d13623a0018", "name": "Medicaid Mirai Botnet | United Healthcare Mirai Botnet", "description": "https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll. Medicaid Botnet work managed by Lumen Technologies as part of a massive silencing campaign. |\n\nPhone calls routed since forces and investigated disclosures of several attack resulting in great bodily harm and life threatening, ending injuries.\nThis campaign date has one start date 11/13/2013.\n#missed assaults internal investigated 10/08/2013 -11/31/ 2013.\nI\u2019m sure other targets are impacted . This stems from targets personal , documented experiences. \nFormerly k/a Century Link was confronted by associate of targets when a plain clothed male entered targets yard in 11/ 2013, told their box controlled entire neighborhood. Continuously accessed properties. \n\n\n\n#rip #lumen #botnet #fencing #malware #silencing #civil_liberties # monitored_target #remote #corruption #privacy_abuse #centurylink", "modified": "2025-09-15T16:04:47.043000", "created": "2025-08-16T18:18:18.657000", "tags": [ "url https", "search", "type indicator", "role title", "added active", "related pulses", "entries", "httponly", "samesitelax", "read c", "medium", "rgba", "unicode", "port", "memcommit", "delete", "next", "dock", "write", "execution", "present aug", "united", "ip address", "name servers", "unknown ns", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "pattern match", "show technique", "ck matrix", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "href", "size", "t1480 execution", "file defense", "ascii text", "trojan", "passive dns", "trojandropper", "next associated", "fastly error", "please", "sea p", "mozilla", "accept", "ipv4 add", "urls", "files", "location united", "ipv4", "url analysis", "america flag", "america asn", "backdoor", "win32", "malware", "date", "domain", "segoe ui", "a domains", "security tls", "san jose", "asn8075", "reverse dns", "software", "resource hash", "general full", "status", "emails", "expiration date", "asp", "microsoft oem", "found", "running webserver", "netherlands", "creation date", "aaaa", "certificate", "protocol h2", "name value", "hash", "present jun", "present apr", "moved", "control att", "t1573 encrypted", "channel command", "decrypted ssl", "runtime process", "appdata", "windows nt", "svg scalable", "patch", "internal", "core", "high", "tcp syn", "icmp traffic", "dns query", "av detections", "ashburn", "ai device id", "telnet", "windows script", "microsoft", "host", "yara detections", "pdb path", "pe resource", "script host", "test", "hostname add", "files ip", "domains", "hashes", "ireland", "mtb jun", "mtb may", "device local", "remotewd", "nemtih", "url add", "http", "hostname", "files domain", "files related", "pulses otx", "present jul", "domain add", "colorado", "quasi", "contracts", "botnet", "remote access", "virginia", "c++", "hacking", "monitored target", "silencing campaign", "audio recording", "cameras", "full service", "tactics" ], "references": [ "Handled by Lumen Technologies | What kind of darkness is this?", "https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll https://myhpnmedicaid.com/Provider", "dev.myhpnmedicaid.com", "ELF:Mirai-ATI | United Healthcare Dark? | https://otx.alienvault.com/indicator/ip/205.132.162.113", "https://hybrid-analysis.com/sample/e439d3dd3d943ecc702d12998a32e15c00008a8f276e6c89cb54f6de43f36de8/689fccb81c4f237eb6009b0f", "https://hybrid-analysis.com/sample/f095ee58f390749315e72cfa46d979cb25a15884b66c7951719c844ebc82b3a3/689fcc753aca4827cd036851", "https://hybrid-analysis.com/sample/dd09e575e6dfa77f081bf0014b2494e02f90cb23723fbb35d6b2a92e7c629920/689fcc40b786f8eaa20534b5", "Primary Request aspnet dotnet.microsoft.com/en-us/apps/ Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/ https://dotnet.microsoft.com/en-us/apps/aspnet", "Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/", "https://dotnet.microsoft.com/en-us/apps/aspnet", "ASP.net - Hack Together: Mar 1-15 Join the hack. Build an app with NET & Microsoft Graph for a\u2026 .", "ASP.net - chance to win prizes! \u53e3\u3001\u4ecb\u5973\u8fa3 All Microsoft Learn more ASP.NET Free. Cross-platform\u2026.", "ASP.net Open source. A framework for building web apps and services with .NET and C#", "Registrant Org: Japan Computer Emergency Response Team Coordination Center", "Interesting: unitedhealthcare cdn.member.unitedhealthcare.com \u2022 data.aca.unitedhealthcare.com \u2022 data.member.unitedhealthcare.com", "Interesting Domain Tactics: https://click.benefits.unitedhealthcare.com/", "Interesting: dev-optum-dataintelligence.com \u2022 optumcoding.xxx \u2022 optuminsightcoding.xxx \u2022 optumrx.xxx", "Interesting: memberforms.optumrx.com \u2022 myoptum.info \u2022 optumrx.com \u2022 cte-scl.new.optumrx.com \u2022 dev-scl.optumrx.com", "http://www.nexcentra.com/fox-news-faces-another-sexual-harassment-lawsuit" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "Trojan:Win32/Daws", "display_name": "Trojan:Win32/Daws", "target": "/malware/Trojan:Win32/Daws" }, { "id": "ELF:Mirai-ATI", "display_name": "ELF:Mirai-ATI", "target": null }, { "id": "Trojan:Win32/IRCbot", "display_name": "Trojan:Win32/IRCbot", "target": "/malware/Trojan:Win32/IRCbot" }, { "id": "alf:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "alf:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Trojandropper:Win32/Muldrop.V!MTB", "display_name": "Trojandropper:Win32/Muldrop.V!MTB", "target": "/malware/Trojandropper:Win32/Muldrop.V!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1092", "name": "Communication Through Removable Media", "display_name": "T1092 - Communication Through Removable Media" }, { "id": "T1433", "name": "Access Call Log", "display_name": "T1433 - Access Call Log" } ], "industries": [ "Technology", "Telecommunications", "Contracts", "Government", "Finance", "Insurance", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4880, "domain": 575, "hostname": 1419, "FileHash-SHA256": 1745, "FileHash-MD5": 284, "FileHash-SHA1": 263, "email": 5, "CVE": 1 }, "indicator_count": 9172, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "216 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6892e73b32af18aa302df0dc", "name": "Part 1.5", "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]", "modified": "2025-09-05T04:03:06.929000", "created": "2025-08-06T05:25:15.369000", "tags": [ "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "june", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "impact", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "script", "mitre att", "pattern match", "show technique", "iframe", "refresh", "august", "general", "local", "tools", "demo", "look", "verify", "restart", "url http", "small", "pulses url", "tellyoun", "showing", "entries", "url https", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "cc08", "f06a6b", "sfurl", "filehashsha256", "types", "indicators show", "search", "pulses", "filehashsha1", "adversaries", "found", "webp image", "ascii text", "riff", "size", "encrypt", "legacy", "filehashmd5", "united", "flag", "server", "markmonitor", "name server", "llc name", "overview dns", "requests domain", "country", "win32", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "detections", "malware", "copy", "show", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "extraction", "data upload", "enter sc", "type", "extra data", "please", "failed", "review", "exclude data", "included review", "ic data", "suggeste", "stop", "type onow", "domain", "passive dns", "urls", "files related", "pulses none", "related tags", "none google", "safe browsing", "sc data", "extr amanuav", "review included", "manualy", "sugges excluded", "filehash", "md5 add", "pulse pulses", "url add", "http", "hostname", "files domain", "pulses otx", "virustotal", "hsmi192547107", "pulses hostname", "r dec", "customer dec", "iski dec", "decision dec", "va dec", "bitcoin", "bitcoin dec", "petra", "torstatus dec", "paul dec", "sodesc", "planet dec", "emilia", "heroin dec", "difference dec", "palantir dec", "loraxlive dec", "chaturbate dec", "sandra", "free dec", "marvel dec", "benjis dec", "fresh dec", "sodesc dec", "srdirport", "srhostname", "link dec", "types of", "italy", "china", "australia", "france", "turkey", "discovery", "information", "ck ids", "t1005", "local system", "t1007", "system service", "part", "track", "locate", "political", "civil society", "news", "created", "hours ago", "report spam", "t1555", "password", "t1560", "collected data", "t1573", "channel", "t1574", "execution flow", "scan", "iocs", "t1497", "u0lhmq", "mtawmq", "t1480", "guardrails", "t1486", "data encrypted", "learn more", "unsubscribe aug", "protocol", "t1074", "staged", "t1083", "t1102", "web service", "t1105", "tool transfer", "t1140", "data engineer", "candidate", "tlsv1", "odigicert inc", "stcalifornia", "lsan jose", "oadobe systems", "incorporated", "cndigicert sha2", "push", "next", "high", "write c", "ireland as16509", "delete", "dirty", "tags", "t1012", "flow endpoint", "security scan", "t1106", "copyright", "levelblue" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 608, "FileHash-SHA1": 433, "FileHash-SHA256": 3663, "URL": 17104, "domain": 1316, "email": 39, "hostname": 4208, "SSLCertFingerprint": 17 }, "indicator_count": 27388, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6892a73593f73dfc969779b0", "name": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns", "description": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns\n*[ddddd.msg]\n[http://tracking.eu1.glintinc.com]\n[stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd]\n[stackstorm.ops.dev.az.glintinc.com]\n\u2022 http://stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd.onion/peter-thiel-running-database-to-root-out-those-disloyal-to-the-leader/\\n \u2022\n[http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/360]\n[http://pixelrz.com/lists/keywords/tsara-brashears-dead/360]", "modified": "2025-09-05T00:03:23.223000", "created": "2025-08-06T00:52:05.051000", "tags": [ "url http", "small", "indicator role", "title added", "active related", "pulses hostname", "tellyoun", "n aug", "entries", "data upload", "extraction", "windows error", "june", "fwd urgent", "justice czech", "copy sha256", "rejectedfailed", "timestamp input", "message status", "actions august", "file", "actions june", "actions may", "cta4 https", "context related", "associated urls", "campaigncodedsc", "language", "uid http", "community", "sha256", "size42b type", "submitted", "august", "april", "internal error", "previous1", "iframe", "community score", "scan analysis", "malicious", "intelligence", "learn", "falcon sandbox", "submissions", "status", "adversaries", "ck id", "name tactics", "suspicious", "informative", "defense evasion", "windows folder", "found", "dlls", "impact", "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9062, "domain": 707, "hostname": 2318, "FileHash-MD5": 86, "FileHash-SHA1": 26, "FileHash-SHA256": 2096, "email": 5, "FilePath": 2, "URI": 1 }, "indicator_count": 14303, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6523344e4adc85389899504c", "name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]", "description": "", "modified": "2024-10-13T03:00:28.081000", "created": "2023-10-08T22:59:26.040000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b48d699080b4bfd334c5", "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7761, "CVE": 6, "FileHash-MD5": 285, "FileHash-SHA1": 165, "FileHash-SHA256": 5059, "domain": 987, "hostname": 2399 }, "indicator_count": 16662, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "553 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656aafd0e93efa420f74123c", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2024-10-12T01:00:47.836000", "created": "2023-12-02T04:17:20.189000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": "6562908e28e6cdc237fbf8db", "export_count": 107, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3895, "URL": 11195, "domain": 2959, "hostname": 3575, "CVE": 16, "SSLCertFingerprint": 1, "email": 1 }, "indicator_count": 24465, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "554 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652a901fe2dbea9024b3d614", "name": "Black Tech", "description": "Found in a malicious Apple iTunes link. Lists several independent artists. Music \"producer\" is potentially highly dependent on use of AI generated instrumentation and conception. Hacking seems to target a single target and associates.", "modified": "2024-09-24T00:01:38.502000", "created": "2023-10-14T12:57:03.183000", "tags": [ "referrer", "historical ssl", "ssl certificate", "whois record", "whois ssl", "whois", "historical", "siblings parent", "network", "number", "label shanghai", "blue cloud", "ltd regional", "apnic country", "cn continent", "algorithm", "data", "v3 serial", "cus cndigicert", "basic rsa", "cn ca", "g2 odigicert", "inc validity", "oshanghai blue", "road", "beijing country", "beijing", "please", "apnic person", "cn phone", "whois lookup", "bluecloud descr", "shanghai blue", "ltd descr", "cnnic", "whois lookups", "updated date", "apnic netname", "beijing abusec", "abuse cnniccn", "liu registrant", "country", "dns replication", "date", "domain", "first", "blacklist https", "heur", "html", "malware", "alexa top", "site", "filerepmetagen", "suspected", "adware", "cisco umbrella", "malware site", "win64", "opencandy", "cleaner", "artemis", "iframe", "agent", "unsafe", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "genkryptik", "exploit", "presenoker", "filetour", "conduit", "wacatac", "softcnapp", "xtrat", "cve201711882", "memscan", "phishing", "maltiverse", "zbot", "webtoolbar", "trojanspy", "million", "united", "phishing site", "malicious site", "proxy", "firehol", "detection list", "ip address", "blacklist", "safe site", "team", "fusioncore", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "alexa", "adposhel", "installpack", "xrat", "azorult", "service", "runescape", "facebook", "download", "gamehack", "verdict", "falcon sandbox", "pattern match", "show", "file", "indicator", "ascii text", "appdata", "mitre att", "et tor", "known tor", "severity", "hybrid", "general", "misc attack", "beginstring", "script", "relayrouter", "exit", "node traffic", "null", "error", "unknown", "span", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "click", "strings", "meta", "anonymizer", "team proxy", "host", "control server", "meterpreter", "dnspionage", "filerepmalware", "fakealert", "pony", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "patcher", "adload", "webcompanion", "seraph", "downloader", "generic", "dapato", "redline stealer", "beach research", "blacklist http", "generic malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "bundled", "dropped", "contacted", "most malicious", "server", "parent parent" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2449, "FileHash-SHA1": 217, "FileHash-SHA256": 3441, "URL": 2044, "domain": 258, "hostname": 1100, "CIDR": 1, "email": 4, "CVE": 37 }, "indicator_count": 9551, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "668cebf4b3498d2f9b9e9596", "name": "Trojan:Win32/Predator - walmartmobile.cn", "description": "Monitoring, invalid URLs, malicious redirects, cams,cyber crime, red team contract. Collects targets, calls, photos, network, dns, disables proxy, movies services,, messages, shopping habits, contacts. Intrusive as always.", "modified": "2024-08-08T07:05:50.946000", "created": "2024-07-09T07:51:16.371000", "tags": [ "popularity", "ingestion time", "utc cisco", "umbrella", "utc statvoo", "record type", "server", "dnssec", "email", "dns replication", "android", "files", "china unknown", "as4837 china", "aaaa", "search", "moved", "net technology", "for privacy", "name servers", "redacted for", "encrypt", "body", "next", "passive dns", "urls", "scan endpoints", "all scoreblue", "url http", "http", "ip address", "related nids", "files location", "ipv4", "url analysis", "location china", "script script", "td tr", "please", "please enter", "za z0", "server ca", "meta", "a li", "a domains", "ul div", "443 ma2592000", "gmt content", "servers", "https", "self", "hostname", "window", "icloud_apple_id", "apple", "apple ios", "apple id", "apple message", "msie", "chrome", "title", "head body", "center hr", "united", "unknown", "as32934", "as13414 twitter", "as19679 dropbox", "as20940", "kos", "walmart", "calls", "checking", "latest version", "invoked methods", "highlighted", "shell commands", "written", "files deleted", "files copied", "file", "process", "post http", "request", "get http", "dns resolutions", "ip traffic", "process32nextw", "shellexecuteexw", "get na", "entries", "medium", "show", "china as4837", "yara detections", "regsetvalueexw", "dock", "write", "win32", "persistence", "execution", "copy", "cname", "asnone united", "registrar", "as2914 ntt", "hichina", "certificate", "showing", "as142403 yisu", "china asn", "suspicious", "open", "write c", "create c", "read c", "windows nt", "wow64", "slcc2", "media center", "default", "discovery", "xebrbxeax1ezxf0", "sxe0x0cx1cxf8", "invalid url", "status", "reflection", "telephony", "yuming", "domain", "expiration date", "div div", "a div", "span a", "script urls", "p span", "pragma", "trident", "form", "applei_imessage_ios", "as4134 chinanet", "as3356 level", "asnone china", "date", "tsara brashears", "rwi dtools", "pyinstaller", "password", "cybercrime", "valid from", "number", "thumbprint", "ipwnderv1", "hacktool", "phishing", "facebook", "all search", "otx scoreblue", "pulse submit", "injection", "mobile", "tmobile" ], "references": [ "walmartmobile.cn", "malware_hosting IP's:42.177.83.115 | IPv4 42.177.83.134 malware_hosting", "Apple Spy: iphone-say.com apple-prompt-iphone.com http://www.apple-prompt-iphone.com/", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydstaging2zsendlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "Apple Spy: cmlinki-img-3radio-iphone-web-cmlinki3-iphone-web-cmlinkiradio.redirectme.netoppofentryd.0-iphone-web-cmlinkiradio-iphone-web-cm", "Apple Spy: redirectme.netiphonepofentrydstaging2znetoppofindlabstryd.netoppofindhypernova.ali.zomans.com", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydiotging2znetoppofindlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "Trojan:Win32/Predator!: FileHash-SHA256 1cf6574bb7edda08a539fdb2885a959071b60d9c9bfb44ee1b9912b3864ff758", "Trojan:Win32/Predator!: FileHash-SHA256 493323dd39ebb91b861e63c7341d037877886bc3a6cf4deaef08ef76bb9db15e", "Trojan:Win32/Predator!: FileHash-SHA256 f7da3472e0f81fa37ea05cc91338b6a693a1fcd4d30025fdfbfc7f2f0119fa20", "traceability-qa.walmartmobile.cn", "http://img01.mifile.cn/m/apk/mishop_3.0.20141212_1.1.1.apk", "http://tshop.doido.com", "Antivirus Detections Win32:Malware-gen: Yara Detections: stack_string", "Alerts: dead_host network_icmp antivm_generic_services creates_largekey disables_proxy dumped_buffer network_cnc_http", "Alerts: network_http allocates_rwx stealth_window injection_process_search process_interest", "Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Asacky!rfn , ALF:HeraklezEval:Trojan:Win32/Predator!rfn , Win.Trojan.Generic-9789164-0", "IDS Detections: : Suspicious User-Agent (HTTP Downloader) Suspicious User-Agent containing Loader Observed", "Unique antivirus detections for files communicating with IP address", "hpcc-page.cnc.ccgslb.com.cn 121.30.192.9 58.20.206.154 139.209.89.125 124.67.23.253 61.180.227.172 61.162.172.185 IP Traffic", "TCP 123.125.159.119:80 (gad.page.cnc.ccgslb.com.cn) TCP 121.30.192.9:80 (hpcc-page.cnc.ccgslb.com.cn) TCP 121.30.193.30: Technique ID: T1140 Technique Name: Deobfuscate/Decode Files or Information Medium { \"families\": [], \"description\": \"One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.\", Technique ID: T1055 Technique Name: Process Injection A common use for this is when applications run in the system tray, but don't also want to sh" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore", "Brazil", "Ireland", "Germany", "Chile", "China", "Switzerland" ], "malware_families": [ { "id": "RiskTool.AndroidOS.beto", "display_name": "RiskTool.AndroidOS.beto", "target": null }, { "id": "Trojan.TrojanBanker.Android", "display_name": "Trojan.TrojanBanker.Android", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Predator!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Predator!rfn", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1737, "hostname": 4754, "URL": 11496, "FileHash-MD5": 96, "FileHash-SHA1": 79, "FileHash-SHA256": 2457, "email": 11, "SSLCertFingerprint": 2 }, "indicator_count": 20632, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "619 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab5eb4d0a233bf6f32edb", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:20:59.154000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab601f0d674294b603758", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:21:21.869000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab60667f8205c19d6b67b", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:21:26.244000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab616bb5869335d184ae7", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:21:42.183000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a7e576b3cbdf2f86a32acc", "name": "Skynet | prd.connectforhealthco.com | Identity theft |", "description": "Remote interception of health insurance applicants call. Social engineering - threat actor will walk target through process beginning with; verification of phone model, browser used, phone number, email, ssn# entered in staged health insurance enrollment application. Auto forwards ssn# to Experian, locking consumer from of all accounts, credit information is stolen, consumer identity theft. New accounts cannot be created, a password reset is required for scam, all emails requested, bad actor will ask for entire households email accounts, device use, etc. Sends malicious forms to devices. Takes consumer through a lengthy phone transfer scheme +++", "modified": "2024-02-16T13:04:46.804000", "created": "2024-01-17T14:34:30.204000", "tags": [ "whois record", "historical ssl", "ssl certificate", "april", "referrer", "threat roundup", "communicating", "whois", "rwi dtools", "jekyll", "metro", "skynet", "identity theft", "parking crew", "whois whois", "resolutions", "october", "august", "march", "june", "attack", "goldfinder", "sibot", "hacktool", "remote attack", "social engineering", "read c", "get autoit", "search", "regsetvalueexa", "show", "entries", "regdword", "intel", "ms windows", "showing", "autoit", "write", "worm", "copy", "unknown", "win32", "persistence", "execution", "malware", "autorun", "redacted for", "for privacy", "name servers", "date", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "encrypt", "next", "sabey", "no expiration", "filehashsha256", "filehashsha1", "filehashmd5", "iocs", "create new", "pulse use", "pdf report", "pcap", "malware beacon", "useragent", "http request", "hostile", "autoit windows", "automation tool", "forbidden", "algorithm", "full name", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "info", "first", "detections type", "name", "javascript", "pdf community", "office open", "xml spreadsheet", "text", "siblings", "process32nextw", "fjlsedauv", "writeconsolea", "medium", "discovery", "high", "module load", "t1129", "united", "as63949 linode", "mtb jan", "passive dns", "backdoor", "mtb dec", "open", "body", "artro", "creation date", "servers", "urls", "record value", "expiration date", "vt graph", "parent referrer", "apple private", "data collection", "hidden privacy", "malicious", "verified", "utc submissions", "submitters", "summary iocs", "graph community", "tucows", "amazonaes", "china telecom", "group", "cloudflarenet", "akamaias", "pty ltd", "argon data", "communication", "limited", "digitaloceanasn", "twitter", "dropbox", "domainsite", "alibaba cloud", "computing", "beijing", "service", "ip address", "latest", "virustotal", "unclejohn", "us autonomous", "system46606", "unified layer", "urls latest", "contacted", "historical", "subdomains", "gootloader", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "binary", "sameorigin", "scammer", "spammer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "Sibot - S0589", "display_name": "Sibot - S0589", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Verified", "display_name": "Verified", "target": null }, { "id": "Downloader.Cerber/JS!1.A59C (CLASSIC)", "display_name": "Downloader.Cerber/JS!1.A59C (CLASSIC)", "target": null }, { "id": "W32/Expiro.fam", "display_name": "W32/Expiro.fam", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" } ], "industries": [ "Healthcare", "Insurance", "Finance", "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 515, "FileHash-SHA1": 504, "FileHash-SHA256": 3557, "URL": 5450, "domain": 1842, "hostname": 2221, "CVE": 2, "email": 6 }, "indicator_count": 14097, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "793 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659fa1fad840744f75eb2d14", "name": "Worm:Win32/Benjamin IoC's", "description": "https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/samples | \nFiles Matching Antivirus Detection - 296,250 \nNetwork Icmp\nPersistence Autorun\nNetwork Http\nDynamic Function Loading\nProcmem Yara\nInjection Rwx\nPowershell Request\nDead Connect\nSuricata Alert\nPe Features\nPacker Entropy\nAntivm Memory Available\nAllocates Rwx\nCreates Exe\nPacker Polymorphic\nNids Alert\nDead Host\nNolookup Communication", "modified": "2024-02-10T07:03:55.140000", "created": "2024-01-11T08:08:26.689000", "tags": [ "worm", "win32", "benjamin", "passive dns", "as47846", "germany unknown", "urls", "next", "scan endpoints", "all octoseek", "unknown", "threat roundup", "ssl certificate", "whois record", "august", "april", "execution", "october", "july", "march", "contacted", "june", "emotet", "quasar", "core", "hacktool", "goldfinder", "sibot", "ryuk", "drxk0gdg2s06f8p", "cfom2jtlf", "k60zzli http", "whois whois", "historical ssl", "resolutions", "referrer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 145, "FileHash-SHA256": 2888, "hostname": 1075, "domain": 1007, "URL": 4964, "CVE": 1 }, "indicator_count": 10224, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "799 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658481716d9034bb0d52212d", "name": "Apple Attack | Floxif Spyware | Threat Network | Virus Network", "description": "Threat Network affecting and/or originating from Apple server. Malware attacks apple airpods, tv, apple store\napple trade, apple tv\napple watch, apple card, apple og?, apple server.\nSystemUpdate.dll issue. Device may partially attempt, device will show latest update, com[promised devices may have throttled update on attempt.\n\nFloxif:\nShort bio\nTrojan.Floxif is Malwarebytes\u2019 detection name for a file-changing Trojanthat targets Windows systems.\n\nSymptoms\nTrojan.Floxif can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine.\n\nStaged data. Floxif primarily target Windows, Apple is less vulnerable to buy can be experience a Floxif attack.", "modified": "2024-01-20T14:03:29.247000", "created": "2023-12-21T18:18:25.746000", "tags": [ "bitrep", "learn", "apple card", "apple", "apple store", "apple tv", "watch vision", "airpods tv", "apple watch", "buy apple", "apple trade", "footer", "media", "find", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious site", "hostname", "hostnames", "detection list", "blacklist", "malware", "alexa", "ip address", "whois record", "ssl certificate", "iocs", "whois whois", "historical ssl", "communicating", "threat network", "ioc search", "new ioc", "teams api", "contact", "attack", "probe", "search", "threat", "paste", "contacted", "april", "threat roundup", "pe resource", "lcid1033", "smlen", "spn647", "bv6fet56ww", "february", "core", "name verdict", "falcon sandbox", "threat analyzer", "samples", "generic malware", "tag count", "malware generic", "tue dec", "threat report", "summary", "first", "http response", "final url", "status code", "body length", "kb body", "sha256", "self", "server apple", "connection", "html info", "title apple", "meta tags", "indextab og", "apple og", "spyware", "plugins", "cab", "fraud urls", "data collection", "staged data", "privilege escalation", "defense evasion", "evasive", "stealthy", "serial number", "symantec time", "stamping", "algorithm", "thumbprint", "from", "symantec sha256", "sha256 code", "signing ca", "class", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "vs2008", "rticon english", "vs2005", "chi2", "contained", "info compiler", "products", "header target", "machine intel", "utc entry", "floxif", "serving ip", "address", "headers nel", "dynamic expires", "gmt server", "file sharing", "personal data" ], "references": [ "https://www.apple.com/qtactivex/qtplugin.cab", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "http://www.screensaver.com/ruxitbeacon", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "http://dns1.whitelist.camect.com [interesting]", "https://www.jbits.courts.state.co [interesting]", "http://www.sos.state.co/ [interesting]", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "Crowdsourced YARA Rulesets", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "https://www.malwarebytes.com/blog/detections/trojan-floxif", "20.190.160.2 Microsoft [exploit_source]", "20.190.160.67 Microsoft [exploit_source]", "20.190.160.73 Microsoft [exploit_source]", "watson.events.data.microsoft.com [traffic manager]", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "watson.telemetry.microsoft.us [Data traffic manager]", "www.anyxxxtube.net [tracking]", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Apple", "display_name": "Apple", "target": null } ], "attack_ids": [ { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 609, "FileHash-SHA1": 361, "FileHash-SHA256": 1977, "domain": 460, "hostname": 992, "URL": 3115 }, "indicator_count": 7514, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658303b7e2b4417d9e24a7cc", "name": "Reddit Honeypot | Cyber Defense Firm Attack", "description": "", "modified": "2024-01-19T12:02:13.495000", "created": "2023-12-20T15:09:43.783000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha1", "sha256", "runtime process", "date", "unknown", "error", "path", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "accept", "url http", "filehashmd5", "url https", "search otx", "octoseek report", "spam author", "reddit", "tulach c2", "created", "minutes ago", "added active", "related pulses", "am", "no expiration", "indicator role", "pulses url", "showing", "entries", "dded active", "copyright", "reserved", "cve cve20170199", "win32 exe", "android", "http response", "final url", "ip address", "status code", "body length", "kb body", "headers", "manager", "files", "detections type", "name", "lord krishna", "right", "tjprojmain", "windows", "secure", "headers nel", "ssl certificate", "whois whois", "historical ssl", "referrer", "logistics", "cyber defense", "firm collection", "ioc honeypot", "list for", "malware", "open", "attack", "contacted", "dropped", "bundled", "problems", "whois record", "domains", "execution", "agent tesla", "azorult", "project", "startpage", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "magic pe32", "installer", "compiler", "nsis", "serial number", "g4 code", "signing rsa4096", "sha384", "root g4", "valid from", "algorithm", "thumbprint", "fast corporate", "from", "pe resource", "collection", "vt graph", "paulsmith", "apple tv", "apple music", "$RTD4NQU.exe", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "summary", "nisis", "executable", "ms windows", "trid win64", "generic", "sections", "sha256 file", "type type", "chi2", "dkey english", "xml rtmanifest", "english us", "overlay", "learn", "botnet", "honeypot", "ejkaej saBey k7-^Oa" ], "references": [ "https://www.reddit.com/user/", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "Gowi Live Bot.exe", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "browser.events.data.msn.com | events-sandbox.data.msn.com", "https://tulach.cc/ [phishing attacks]", "tulach.cc [AM | phishing]", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "3.163.189.120 [Tracking]", "86.140.232.148 [scanning_host]", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "checkip.dyndns.org [command_and_control]", "104.86.182.8 [command_and_control]", "103.224.182.253 [command_and_control]", "103.224.182.246 [command_and_control]", "www.supernetforme.com [command_and_control]", "rp.downloadastrocdn.com [command_and_control]", "ddos.dnsnb8.net [command_and_control]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "AM", "display_name": "AM", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "adware.pcappstore/veryfast", "display_name": "adware.pcappstore/veryfast", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Static AI - Malicious PE", "display_name": "Static AI - Malicious PE", "target": null }, { "id": "HoneyPot", "display_name": "HoneyPot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 374, "FileHash-SHA256": 5560, "URL": 7433, "domain": 1461, "hostname": 2463, "CVE": 3, "email": 1 }, "indicator_count": 17687, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6580ac87e5b0ece0bc772695", "name": "Emotet", "description": "Attack against artist accounts. Found in qbittorrent.exe. Yara: Indicator suspicious execution_NoneWindowsUA\nvirus.ramnit/nimnul, emotet.", "modified": "2024-01-17T19:00:11.988000", "created": "2023-12-18T20:33:11.974000", "tags": [ "dropped", "contacted", "unauthorized", "softonic", "highly targeted", "cyber attack", "spotify artist", "cyber defense", "firm partru", "route tool", "emotet", "attack", "tsara brashears", "apple", "youtube artist", "projecthilo", "hallrender", "files", "detections file", "name", "win32 exe", "file size", "dropped files", "browser emulation", "worm", "phishing", "malware", "execution", "botnet", "c++" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1522, "URL": 2213, "FileHash-MD5": 63, "FileHash-SHA1": 62, "hostname": 505, "domain": 514 }, "indicator_count": 4879, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "822 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6581d7c75142e51d9321dc01", "name": "Emotet [Pulse created by Octoseek]", "description": "", "modified": "2024-01-17T19:00:11.988000", "created": "2023-12-19T17:49:59.506000", "tags": [ "dropped", "contacted", "unauthorized", "softonic", "highly targeted", "cyber attack", "spotify artist", "cyber defense", "firm partru", "route tool", "emotet", "attack", "tsara brashears", "apple", "youtube artist", "projecthilo", "hallrender", "files", "detections file", "name", "win32 exe", "file size", "dropped files", "browser emulation", "worm", "phishing", "malware", "execution", "botnet", "c++" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6580ac87e5b0ece0bc772695", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1522, "URL": 2213, "FileHash-MD5": 63, "FileHash-SHA1": 62, "hostname": 505, "domain": 514 }, "indicator_count": 4879, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "822 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65715ad29ac565164664960b", "name": "InstallMate", "description": "", "modified": "2024-01-06T05:02:33.698000", "created": "2023-12-07T05:40:34.888000", "tags": [ "as15133 verizon", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "trojandropper", "body", "orgtechhandle", "orgid", "w jefferson", "blvd", "city", "los angeles", "stateprov", "postalcode", "sawyer", "kleinart", "mtb dec", "win32upatre dec", "win32qqpass dec", "entries", "date hash", "avast avg", "name verdict", "falcon sandbox", "generic malware", "tag count", "wed sep", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "generic", "noname057", "csv behavior", "text", "win32 dll", "win32 exe", "javascript", "office open", "xml document", "text iocs", "mario", "csv test", "python", "ip summary", "text query16752", "text edge", "type name", "services", "net192", "net1920000", "cidr", "nethandle", "orgabusehandle", "orgabusephone", "as14153", "contacted", "ssl certificate", "tsara brashears", "whois whois", "ransomware", "apple ios", "family", "roots", "lolkek", "tzw variants", "emotet", "bluenoroff", "lazarus", "dark power", "play ransomware", "makop", "attack", "core", "hacktool", "chaos", "ransomexx", "quasar", "njrat", "installer", "banker", "keylogger", "execution", "ermac", "metasploit", "relic", "monitoring", "qakbot", "thu nov", "url summary", "first", "cobalt strike", "strike cobalt", "malicious url", "tld count", "sun sep", "china cobalt", "strike", "cyber threat", "maltiverse", "malware site", "malicious host", "malware", "host", "phishing", "team", "exploit", "mirai", "pony", "nanocore", "bradesco", "suppobox", "laplasclipper", "asyncrat", "fakealert", "ramnit", "cisco umbrella", "site", "safe site", "heur", "malicious site", "alexa top", "million", "phishing site", "artemis", "unsafe", "riskware", "bank", "outbreak", "dropper", "trojanx", "turla", "installcore", "acint", "conduit", "installpack", "iobit", "mediaget", "crack", "iframe", "downldr", "agent", "presenoker", "alexa", "blacknet rat", "stealer", "unruy", "cleaner", "union", "dbatloader", "downloader", "blocker", "ransom", "autoit", "bladabindi", "trojan", "irata", "azorult", "service", "runescape", "facebook", "download", "genkryptik", "opencandy", "trojanspy", "relacionada", "referrer", "formbook", "blacklist http", "control server", "firehol", "botnet command", "http spammer", "mail spammer", "phishtank", "dnspionage", "betabot", "wormx", "redline stealer", "solimba", "zbot", "webtoolbar", "utc submissions", "submitters", "tot public", "company limited", "gandi sas", "ovh sas", "mb iesettings", "mb acrotray", "kb program", "team alexa", "quasar rat", "spammer", "team proxy", "ip reputation", "cins active", "online fri", "online sat", "sat apr", "temp", "windir", "kontakt", "antivirus", "sat jun", "gmt0600", "programdata", "regexpandsz d", "allusersprofile", "soar", "malicious", "programfiles", "sun jun", "mbt", "info api", "http", "redlinestealer", "score integrate", "siem", "tencent", "rc7 bypassed", "mon jun", "api sample", "hybridanalysis", "online sun", "fri jun", "tue apr", "code", "date", "hackers", "lumma stealer", "ursnif", "open" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MBT", "display_name": "MBT", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 210, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 882, "FileHash-SHA1": 497, "FileHash-SHA256": 3763, "URL": 3088, "hostname": 1203, "CIDR": 2, "domain": 680, "CVE": 9, "email": 13 }, "indicator_count": 10137, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "834 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65715b49b95c13605856d6d0", "name": "Lazarus Group _ 192.229.211.108", "description": "", "modified": "2024-01-06T05:02:33.698000", "created": "2023-12-07T05:42:33.281000", "tags": [ "as15133 verizon", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "trojandropper", "body", "orgtechhandle", "orgid", "w jefferson", "blvd", "city", "los angeles", "stateprov", "postalcode", "sawyer", "kleinart", "mtb dec", "win32upatre dec", "win32qqpass dec", "entries", "date hash", "avast avg", "name verdict", "falcon sandbox", "generic malware", "tag count", "wed sep", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "generic", "noname057", "csv behavior", "text", "win32 dll", "win32 exe", "javascript", "office open", "xml document", "text iocs", "mario", "csv test", "python", "ip summary", "text query16752", "text edge", "type name", "services", "net192", "net1920000", "cidr", "nethandle", "orgabusehandle", "orgabusephone", "as14153", "contacted", "ssl certificate", "tsara brashears", "whois whois", "ransomware", "apple ios", "family", "roots", "lolkek", "tzw variants", "emotet", "bluenoroff", "lazarus", "dark power", "play ransomware", "makop", "attack", "core", "hacktool", "chaos", "ransomexx", "quasar", "njrat", "installer", "banker", "keylogger", "execution", "ermac", "metasploit", "relic", "monitoring", "qakbot", "thu nov", "url summary", "first", "cobalt strike", "strike cobalt", "malicious url", "tld count", "sun sep", "china cobalt", "strike", "cyber threat", "maltiverse", "malware site", "malicious host", "malware", "host", "phishing", "team", "exploit", "mirai", "pony", "nanocore", "bradesco", "suppobox", "laplasclipper", "asyncrat", "fakealert", "ramnit", "cisco umbrella", "site", "safe site", "heur", "malicious site", "alexa top", "million", "phishing site", "artemis", "unsafe", "riskware", "bank", "outbreak", "dropper", "trojanx", "turla", "installcore", "acint", "conduit", "installpack", "iobit", "mediaget", "crack", "iframe", "downldr", "agent", "presenoker", "alexa", "blacknet rat", "stealer", "unruy", "cleaner", "union", "dbatloader", "downloader", "blocker", "ransom", "autoit", "bladabindi", "trojan", "irata", "azorult", "service", "runescape", "facebook", "download", "genkryptik", "opencandy", "trojanspy", "relacionada", "referrer", "formbook", "blacklist http", "control server", "firehol", "botnet command", "http spammer", "mail spammer", "phishtank", "dnspionage", "betabot", "wormx", "redline stealer", "solimba", "zbot", "webtoolbar", "utc submissions", "submitters", "tot public", "company limited", "gandi sas", "ovh sas", "mb iesettings", "mb acrotray", "kb program", "team alexa", "quasar rat", "spammer", "team proxy", "ip reputation", "cins active", "online fri", "online sat", "sat apr", "temp", "windir", "kontakt", "antivirus", "sat jun", "gmt0600", "programdata", "regexpandsz d", "allusersprofile", "soar", "malicious", "programfiles", "sun jun", "mbt", "info api", "http", "redlinestealer", "score integrate", "siem", "tencent", "rc7 bypassed", "mon jun", "api sample", "hybridanalysis", "online sun", "fri jun", "tue apr", "code", "date", "hackers", "lumma stealer", "ursnif", "open" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MBT", "display_name": "MBT", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": "65715ad29ac565164664960b", "export_count": 210, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 882, "FileHash-SHA1": 497, "FileHash-SHA256": 3763, "URL": 3088, "hostname": 1203, "CIDR": 2, "domain": 680, "CVE": 9, "email": 13 }, "indicator_count": 10137, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "834 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6572622bba87d8d105a7259f", "name": "Lazarus Group _ 192.229.211.108", "description": "", "modified": "2024-01-06T05:02:33.698000", "created": "2023-12-08T00:24:11.801000", "tags": [ "as15133 verizon", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "trojandropper", "body", "orgtechhandle", "orgid", "w jefferson", "blvd", "city", "los angeles", "stateprov", "postalcode", "sawyer", "kleinart", "mtb dec", "win32upatre dec", "win32qqpass dec", "entries", "date hash", "avast avg", "name verdict", "falcon sandbox", "generic malware", "tag count", "wed sep", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "generic", "noname057", "csv behavior", "text", "win32 dll", "win32 exe", "javascript", "office open", "xml document", "text iocs", "mario", "csv test", "python", "ip summary", "text query16752", "text edge", "type name", "services", "net192", "net1920000", "cidr", "nethandle", "orgabusehandle", "orgabusephone", "as14153", "contacted", "ssl certificate", "tsara brashears", "whois whois", "ransomware", "apple ios", "family", "roots", "lolkek", "tzw variants", "emotet", "bluenoroff", "lazarus", "dark power", "play ransomware", "makop", "attack", "core", "hacktool", "chaos", "ransomexx", "quasar", "njrat", "installer", "banker", "keylogger", "execution", "ermac", "metasploit", "relic", "monitoring", "qakbot", "thu nov", "url summary", "first", "cobalt strike", "strike cobalt", "malicious url", "tld count", "sun sep", "china cobalt", "strike", "cyber threat", "maltiverse", "malware site", "malicious host", "malware", "host", "phishing", "team", "exploit", "mirai", "pony", "nanocore", "bradesco", "suppobox", "laplasclipper", "asyncrat", "fakealert", "ramnit", "cisco umbrella", "site", "safe site", "heur", "malicious site", "alexa top", "million", "phishing site", "artemis", "unsafe", "riskware", "bank", "outbreak", "dropper", "trojanx", "turla", "installcore", "acint", "conduit", "installpack", "iobit", "mediaget", "crack", "iframe", "downldr", "agent", "presenoker", "alexa", "blacknet rat", "stealer", "unruy", "cleaner", "union", "dbatloader", "downloader", "blocker", "ransom", "autoit", "bladabindi", "trojan", "irata", "azorult", "service", "runescape", "facebook", "download", "genkryptik", "opencandy", "trojanspy", "relacionada", "referrer", "formbook", "blacklist http", "control server", "firehol", "botnet command", "http spammer", "mail spammer", "phishtank", "dnspionage", "betabot", "wormx", "redline stealer", "solimba", "zbot", "webtoolbar", "utc submissions", "submitters", "tot public", "company limited", "gandi sas", "ovh sas", "mb iesettings", "mb acrotray", "kb program", "team alexa", "quasar rat", "spammer", "team proxy", "ip reputation", "cins active", "online fri", "online sat", "sat apr", "temp", "windir", "kontakt", "antivirus", "sat jun", "gmt0600", "programdata", "regexpandsz d", "allusersprofile", "soar", "malicious", "programfiles", "sun jun", "mbt", "info api", "http", "redlinestealer", "score integrate", "siem", "tencent", "rc7 bypassed", "mon jun", "api sample", "hybridanalysis", "online sun", "fri jun", "tue apr", "code", "date", "hackers", "lumma stealer", "ursnif", "open" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MBT", "display_name": "MBT", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": "65715b49b95c13605856d6d0", "export_count": 234, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 882, "FileHash-SHA1": 497, "FileHash-SHA256": 3763, "URL": 3088, "hostname": 1203, "CIDR": 2, "domain": 680, "CVE": 9, "email": 13 }, "indicator_count": 10137, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "834 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65650c76816b5b0c924d2291", "name": "Defense Evasion, Privilege Escalation", "description": "VBS - ASCII text,\nsuspicious_write_exe,\nnetwork_icmp,\nprocess_martian,\ninjection_resumethread,\ndumped_buffer,\njs_eval,\nnetwork_http,\nallocates_rwx,\nsuspicious_process,\nstealth_window,\nuses_windows_utilities,", "modified": "2023-12-27T21:05:29.668000", "created": "2023-11-27T21:39:02.489000", "tags": [ "read c", "search", "show", "medium", "entries", "united", "whitelisted", "memcommit", "delete", "msie", "dock", "write", "xrat", "execution", "next", "copy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 2, "FileHash-SHA256": 254, "SSLCertFingerprint": 1, "URL": 332, "domain": 70, "hostname": 128 }, "indicator_count": 793, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "843 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6564fa9a3d90d1cd14928b16", "name": "Lumma \u2022 University of Alberta \"No Problems\" | T1036 - Masquerading", "description": "I was contacted on this forum re: University of Alberta issue. Based on research www.ualberta.ca redirects. There hasn't been a research effort for redirect. I researched a spoofed website. After viewing senders request, my devices operating system changed, isn't recognized by any accounts, keyloggers.\nFound: Anonymizers, Redirector, Masquerading, Network RAT, Serious Social Engineering, Botnetwork Army, Stealers, Lumma and weirdly targeted 'Tsara Brashears' as a malicious link on a spoofed University in Canada, UCHealth Colorado links.", "modified": "2023-12-27T19:03:02.665000", "created": "2023-11-27T20:22:50.050000", "tags": [ "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json url", "urls", "detection list", "cisco umbrella", "site", "heur", "safe site", "alexa top", "million", "malware", "malicious site", "phishing site", "malicious url", "phishing", "riskware", "presenoker", "artemis", "agent", "unsafe", "opencandy", "ursnif", "wacatac", "team", "facebook", "runescape", "service", "downldr", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "installcore", "fareit", "secrisk", "exploit", "mimikatz", "sorano", "emotet", "genkryptik", "fuery", "dbatloader", "qakbot", "alexa", "malicious", "union", "lumma stealer", "fusioncore", "cleaner", "azorult", "bank", "blacknet rat", "stealer", "iframe", "trojanspy", "analysis", "united", "firehol", "proxy", "mail spammer", "downloader", "malware site", "meterpreter", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "unruy", "adwind", "trojanx", "crack", "win64", "generic", "dnspionage", "expirestue", "path", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "alberta", "university", "edmonton", "html info", "alberta meta", "tags", "trackers google", "tag manager", "gtmkr32", "blacklist", "low risk", "apache", "domain", "malware found", "unknown", "minimal low", "security risk", "medium high", "critical", "protect", "college", "mtis", "faculties", "research", "health", "a about", "news", "events", "sport", "life", "find", "story", "tools", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "pattern match", "file", "date", "factory", "hybrid", "general", "cookie", "click", "strings", "djin", "no data", "tag count", "sample", "samples", "netsky", "cobalt strike", "xrat", "fakealert", "raccoon", "redline stealer", "metastealer", "icedid", "quasar rat", "acint", "anonymizer", "blockchain", "social engineering", "read c", "search", "show", "medium", "entries", "whitelisted", "memcommit", "delete", "yara detections", "next", "dock", "write", "execution", "copy", "south carolina", "federal credit", "team proxy", "static engine", "covid19", "redirector", "suspic", "tue mar", "zbot", "size68b type", "count blacklist", "tag tag", "rejected sample", "icon", "analyzed", "hwp support", "falcon sandbox", "multi scan", "update", "view details", "upgrade", "blacklist https", "keyloggers" ], "references": [ "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (iPhone unlocker)", "uchealth.com", "http://michaela.young@uchealth.com", "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf", "https://api2018.uchealth.com/apihc/tass/webportal/apihealthcare_live/default.aspx", "https://www.uchealth.com/wp-content/uploads/2017/12/UCHealthInsuranceIndex_120417.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "Network RAT", "display_name": "Network RAT", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Brontok", "display_name": "Brontok", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1126", "name": "Network Share Connection Removal", "display_name": "T1126 - Network Share Connection Removal" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1134.004", "name": "Parent PID Spoofing", "display_name": "T1134.004 - Parent PID Spoofing" } ], "industries": [ "Education", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 320, "FileHash-SHA1": 172, "FileHash-SHA256": 4302, "URL": 8243, "CIDR": 1, "domain": 1742, "hostname": 2270, "CVE": 18, "SSLCertFingerprint": 3, "email": 4 }, "indicator_count": 17075, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "843 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6562908e28e6cdc237fbf8db", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2023-12-26T00:03:03.925000", "created": "2023-11-26T00:25:50.529000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3751, "URL": 10878, "domain": 2914, "hostname": 3520, "CVE": 16 }, "indicator_count": 23902, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "845 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656aafce24b001cba328dcbc", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2023-12-26T00:03:03.925000", "created": "2023-12-02T04:17:18.188000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": "6562908e28e6cdc237fbf8db", "export_count": 78, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3751, "URL": 10878, "domain": 2914, "hostname": 3520, "CVE": 16 }, "indicator_count": 23902, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "845 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6d7ac217661e4bc37f4d", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:22.356000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6d89b33758a190399f39", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:37.838000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 84, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6edffd3910161c2ad1a2", "name": "D26A | DNSpionage| Qbot | Tulach Malaware | https://theanimallawfirm.com/ | FakeAlert", "description": "", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:25:19.843000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": "655f6d89b33758a190399f39", "export_count": 86, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655e5c72277117d3b0e00fbd", "name": "Command and Scripting Interpreter", "description": "https:/www.usaopps.com/government_contractors/contractor-5388777-SIERRA-PIPELINE-INC-.htm", "modified": "2023-12-22T19:00:52.050000", "created": "2023-11-22T19:54:26.925000", "tags": [ "whois record", "contacted", "execution", "ssl certificate", "historical ssl", "resolutions", "problems", "red team", "whois whois", "referrer", "startpage", "generic malware", "cobaltstrike", "malware generic", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "blacklist https", "cisco umbrella", "site", "safe site", "alexa top", "million", "malware", "malicious site", "malware site", "malicious url", "phishing site", "alexa", "phishing", "redline stealer", "bank", "team", "iframe", "downldr", "presenoker", "artemis", "live", "zbot", "united", "cyber threat", "covid19", "mail spammer", "malicious host", "anonymizer", "engineering", "purplewave", "malicious", "keybase", "union", "asyncrat", "cobalt strike", "dnspionage", "ransomware", "maltiverse", "malicious link", "detection list", "blacklist", "pattern match", "file", "ascii text", "windows nt", "appdata", "mitre att", "null", "date", "ck id", "show technique", "unknown", "accept", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "fast", "blacklist http", "heur", "adware", "unsafe", "riskware", "agent", "swrort", "exploit", "crack", "opencandy", "tiggre", "cleaner", "conduit", "wacatac", "nircmd", "filetour", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "acint", "systweak", "behav", "genkryptik", "xtrat", "softcnapp", "fusioncore", "installpack", "xrat", "jquery", "content scraper", "malware hosting", "bid site", "https:/www.usaopps.com/government_contractors/contractor-5388777", "CVE-2017-11882", "CVE-2017-0147", "CVE-2017-8570", "CVE-2005-1790", "CVE-2009-3672", "CVE-2010-3962", "CVE-2012-3993", "CVE-2014-3153", "CVE-2014-6332", "CVE-2016-0189", "CVE-2017-0199", "CVE-2018-4893", "CVE-2020-0601", "CVE-2020-0674", "CVE-2021-27065", "CVE-2021-40444" ], "references": [ "https://www.hybrid-analysis.com/sample/bc437a855075805df699bd915cd27814a799969bb38db45f09f5f16a54ccc5b6/655e548bc2555fc8280ba976", "https:/www.usaopps.com/government_contractors/contractor-5388777-SIERRA-PIPELINE-INC-.htm" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Business", "Economy", "Government", "Legal" ], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 608, "FileHash-SHA1": 312, "FileHash-SHA256": 1086, "URL": 2843, "domain": 341, "hostname": 1091, "CVE": 16 }, "indicator_count": 6297, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655bb326c4023eb59c1f73b9", "name": "WebToolbar", "description": "\"Domain Seized - http://server3.elgenero.com/cgi-bin/xdown.cgi\"\nDomain stated ' SEIZED' by Department of Homeland Security is a 'HOAX' \nLink leads to a new domain with same behavior: http://server3.elgenero.com/iprc_seized_banner.png", "modified": "2023-12-20T19:02:04.107000", "created": "2023-11-20T19:27:34.827000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "spammer", "firehol", "united", "anonymizer", "team proxy", "cyber threat", "team http", "attacker", "maltiverse http", "phishing site", "malware", "team", "phishing", "malicious", "facebook", "service", "bank", "panama", "suppobox", "asyncrat", "cobalt strike", "cve201711882", "cisco umbrella", "heur", "site", "alexa top", "million", "safe site", "alexa", "malicious site", "malware site", "riskware", "exploit", "artemis", "iframe", "unsafe", "agent", "win64", "zbot", "fakealert", "conduit", "crack", "back", "download", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "unruy", "filetour", "installcore", "floxif", "cleaner", "patcher", "opencandy", "adload", "presenoker", "wacatac", "swrort", "fusioncore", "pony", "applicunwnt", "union", "webtoolbar", "trojanspy", "maltiverse", "blacklist http", "ssl certificate", "execution", "whois record", "contacted", "whois whois", "historical ssl", "communicating", "referrer", "pe resource", "resolutions", "hacktool", "emotet", "agent tesla", "love", "mirai", "satacom", "probe", "critical", "copy", "dark power", "core", "chaos", "ransomexx", "quasar", "malvertizing", "spyware", "cnc", "trojan", "phishing", "botnetwork", "fraud services", "defacement", "department of homeland security hoax banner", "tulach", "sabey", "targeting", "cyber threat", "tsara brashears", ".gov", "dhs", "fbi", "interpol", "doj", "nypd", "dpd", "irs", "nsa", "cia", "soc", "hacker" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 573, "FileHash-SHA1": 327, "FileHash-SHA256": 1474, "CVE": 20, "domain": 546, "hostname": 1215, "URL": 3249 }, "indicator_count": 7404, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "850 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655ad83180deb1186bb4f466", "name": "Carrotbat Malware | Stalker Suite | gogglemaps.com", "description": "carrotbat malware, SHAREit services.exe, typosquatting, fraud services, privilege, location tracking, cyber stalking, masquerading, malvertizing, malicious website, C2, control, apple, android, services, CNC, hack tools, botnetwork \nMaps are real tools. \nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/ (phishing & botnetwork)\nhttp://45.159.189.105/bot/regex (Botnetwork)\nhttps://www.sweetheartvideo.com/tsara-brashears/\nwww.sweetheartvideo.com\t(Tsara Brashears Botnetwork created by attacker)\nhttp://182.22.25.124:7878/182.22.25.124:443\nhttps://pin.it/ (aka malicious Pinterest)\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (100% straight female target - defamation, libel)\ndis.io\npin.it (changed targets Pinterest to this)", "modified": "2023-12-20T02:02:59.943000", "created": "2023-11-20T03:53:21.699000", "tags": [ "log id", "gmtn", "passive dns", "urls", "tls web", "encrypt", "ca issuers", "f9970e", "bd6en timestamp", "a487132c3b", "false", "ssl certificate", "tsara brashears", "contacted", "referrer", "copy", "historical ssl", "collections", "password", "networks", "botnet campaign", "skynet", "fall", "hacktool", "malware", "critical", "relic", "monitoring", "attack", "hiddentear", "metro", "test", "detection list", "pattern match", "root ca", "authority", "class", "script", "mitre att", "temp", "ck id", "show technique", "ck matrix", "date", "unknown", "meta", "span", "error", "refresh", "body", "generator", "look", "verify", "restart", "hybrid", "accept", "click", "strings", "tools", "whois record", "msgid10053", "msgid10051", "communicating", "anid", "execution", "null", "core", "installer", "threat roundup", "apple ios", "august", "highly targeted", "apple", "sqli dumper", "april", "february", "awful", "radar ineractive", "october", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "blacklist", "cisco umbrella", "site", "wormx", "malicious site", "safe site", "malware site", "alexa top", "million", "phishing site", "alexa", "phishing", "agent", "bank", "inmortal", "united", "cyber threat", "pony", "cnc zeus", "tracker", "cnc server", "covid19", "engineering", "http spammer", "host", "azorult", "asyncrat", "cobalt strike", "team", "hsbc", "noname057", "generic malware", "blacklist http", "malicious url" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 815, "FileHash-SHA256": 3404, "SSLCertFingerprint": 2, "URL": 8938, "domain": 1195, "hostname": 2705, "FileHash-SHA1": 457, "CIDR": 7, "CVE": 3 }, "indicator_count": 17526, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655ad8e83914549cd4658f8e", "name": "Radar Ineractive \u2022 Inmortal \u2022 HSBC.com", "description": "carrotbat malware, SHAREit services.exe, typosquatting, fraud services, privilege, location tracking, cyber stalking, masquerading, malvertizing, malicious website, C2, control, apple, android, services, CNC, hack tools,\nMaps are real tools. \nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/ (phishing & botnetwork)\nhttp://45.159.189.105/bot/regex (Botnetwork)\nhttps://www.sweetheartvideo.com/tsara-brashears/\nwww.sweetheartvideo.com\t(Tsara Brashears Botnetwork created by attacker)\nhttp://182.22.25.124:7878/182.22.25.124:443\nhttps://pin.it/ (aka malicious Pinterest)\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (100% straight female target - defamation, libel)\ndis.io\npin.it (changed targets Pinterest to this)\nRadar Ineractive \u2022 Inmortal \u2022 HSBC.com", "modified": "2023-12-20T02:02:59.943000", "created": "2023-11-20T03:56:24.105000", "tags": [ "log id", "gmtn", "passive dns", "urls", "tls web", "encrypt", "ca issuers", "f9970e", "bd6en timestamp", "a487132c3b", "false", "ssl certificate", "tsara brashears", "contacted", "referrer", "copy", "historical ssl", "collections", "password", "networks", "botnet campaign", "skynet", "fall", "hacktool", "malware", "critical", "relic", "monitoring", "attack", "hiddentear", "metro", "test", "detection list", "pattern match", "root ca", "authority", "class", "script", "mitre att", "temp", "ck id", "show technique", "ck matrix", "date", "unknown", "meta", "span", "error", "refresh", "body", "generator", "look", "verify", "restart", "hybrid", "accept", "click", "strings", "tools", "whois record", "msgid10053", "msgid10051", "communicating", "anid", "execution", "null", "core", "installer", "threat roundup", "apple ios", "august", "highly targeted", "apple", "sqli dumper", "april", "february", "awful", "radar ineractive", "october", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "blacklist", "cisco umbrella", "site", "wormx", "malicious site", "safe site", "malware site", "alexa top", "million", "phishing site", "alexa", "phishing", "agent", "bank", "inmortal", "united", "cyber threat", "pony", "cnc zeus", "tracker", "cnc server", "covid19", "engineering", "http spammer", "host", "azorult", "asyncrat", "cobalt strike", "team", "hsbc" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 815, "FileHash-SHA256": 3404, "SSLCertFingerprint": 2, "URL": 8938, "domain": 1194, "hostname": 2705, "FileHash-SHA1": 457, "CIDR": 7, "CVE": 3 }, "indicator_count": 17525, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655a98cc8cb36e3ed3a67530", "name": "http://apple.huzii.cn/", "description": "", "modified": "2023-12-19T23:04:48.178000", "created": "2023-11-19T23:22:52.263000", "tags": [ "urls", "passive dns", "http", "unique", "scan endpoints", "all search", "otx octoseek", "url http", "pulse pulses", "ip address", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "server", "connection", "html info", "title", "meta tags", "communicating", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "spyware", "injector", "blacklist http", "malicious url", "team", "simda", "bambernek", "cisco umbrella", "site", "bambernek gen", "safe site", "malware site", "malicious site", "alexa top", "installcore", "malware", "infy", "quasar rat", "inmortal", "cyber threat", "united", "team phishing", "maltiverse", "engineering", "mail spammer", "attacker", "hostname", "phishing", "redline stealer", "mirai", "pony", "nanocore", "bradesco", "emotet", "cobalt strike", "agent", "service", "malicious", "bank", "pykspa", "vawtrak", "suppobox", "name verdict", "falcon sandbox", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "mitre att", "temp", "ck id", "show technique", "unknown", "date", "span", "error", "refresh", "generator", "critical", "body", "look", "verify", "hybrid", "accept", "general", "local", "click", "strings", "tools", "restart" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Inmortal", "display_name": "Inmortal", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9403, "FileHash-MD5": 496, "FileHash-SHA256": 3115, "domain": 1429, "hostname": 1888, "FileHash-SHA1": 271, "CVE": 2 }, "indicator_count": 16604, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://57d5.zhanyu66.com/com.slamyugllp.strangerrun.xc.apk/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "gitea.neconsside.com \u2022 http://f7194.vip/login", "Unique antivirus detections for files communicating with IP address", "State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.", "Researched: https://hcpf.colorado.gov/", "Registrant Org: Japan Computer Emergency Response Team Coordination Center", "Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical", "http://www.screensaver.com/ruxitbeacon", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "remote.telegrafix.com (remote hacking)", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "20.190.160.67 Microsoft [exploit_source]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "Apple Spy: redirectme.netiphonepofentrydstaging2znetoppofindlabstryd.netoppofindhypernova.ali.zomans.com", "https://tulach.cc/ [phishing attacks]", "traceability-qa.walmartmobile.cn", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "http://link.monetizer101.com/widget/custom-2.0.2/templates/1", "Apple Spy: iphone-say.com apple-prompt-iphone.com http://www.apple-prompt-iphone.com/", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "www.supernetforme.com [command_and_control]", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.uchealth.com/wp-content/uploads/2017/12/UCHealthInsuranceIndex_120417.pdf", "System has placed affected on multiple policies cancelling private policy without notice.", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://www.google.com/search?client=safari&sca_esv= www2.megawebfind.com webfind. com \u2022 www6.mega www.google.com", "Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware", "https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers", "104.86.182.8 [command_and_control]", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com", "https://www.malwarebytes.com/blog/detections/trojan-floxif", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]", "TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]", "http://www.nexcentra.com/fox-news-faces-another-sexual-harassment-lawsuit", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators", "watson.events.data.microsoft.com [traffic manager]", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "Trojan:Win32/Predator!: FileHash-SHA256 f7da3472e0f81fa37ea05cc91338b6a693a1fcd4d30025fdfbfc7f2f0119fa20", "https://otx.alienvault.com/indicator/file/f3a939131ffaf473f8b1ffa0cd11d8cbce46f50dcc7e9fd2ff8404201ab5bc8e", "watson.telemetry.microsoft.us [Data traffic manager]", "Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront", "Researched publicly available information provided by representative of a target\u2019s estate", "nr-data.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "millet-usgc-1.palantirfedstart.com", "Provided documented evidence of appealed state issued plan and disclosed financials.", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "ASP.net Open source. A framework for building web apps and services with .NET and C#", "IDS Detections: Win32/Unruy.C Activity", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/", "Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydiotging2znetoppofindlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.\u2022 com/ \u2022 https://www.csrc.gov.cn.lxcvc.com/", "https://hybrid-analysis.com/sample/e439d3dd3d943ecc702d12998a32e15c00008a8f276e6c89cb54f6de43f36de8/689fccb81c4f237eb6009b0f", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "45.159.189.105 (Command and Control)", "https://www.jbits.courts.state.co [interesting]", "https://www.reddit.com/user/", "apple.com. (malicious version/header)", "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "20.190.160.73 Microsoft [exploit_source]", "www.anyxxxtube.net [tracking]", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "http://45.159.189.105/bot/regex (Bot Command)", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "Alerts: dead_host network_icmp antivm_generic_services creates_largekey disables_proxy dumped_buffer network_cnc_http", "September began with false information, defaulted claims , denials from authorized services rendered years prior.", "DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "https://applepaydayloans.com/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js", "On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Alerts: network_icmp persistence_autorun antivm_vmware_in_instruction network_http", "https://support.Apple.com/de", "http://img01.mifile.cn/m/apk/mishop_3.0.20141212_1.1.1.apk", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "remote.haverhillcc.com (remote hacking)", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "rp.downloadastrocdn.com [command_and_control]", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydstaging2zsendlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "https://www.hybrid-analysis.com/sample/bc437a855075805df699bd915cd27814a799969bb38db45f09f5f16a54ccc5b6/655e548bc2555fc8280ba976", "Bethseda Map - Yara Detections Delphi , InnoSetupInstaller", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com ocsp.pki.goog", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p", "Alerts: network_http allocates_rwx stealth_window injection_process_search process_interest", "tulach.cc [AM | phishing]", "I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "Trojan:Win32/Predator!: FileHash-SHA256 1cf6574bb7edda08a539fdb2885a959071b60d9c9bfb44ee1b9912b3864ff758", "Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty", "photos.theleders.family", "https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget", "Trojan:Win32/Predator!: FileHash-SHA256 493323dd39ebb91b861e63c7341d037877886bc3a6cf4deaef08ef76bb9db15e", "https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll https://myhpnmedicaid.com/Provider", "If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI", "https://hybrid-analysis.com/sample/f095ee58f390749315e72cfa46d979cb25a15884b66c7951719c844ebc82b3a3/689fcc753aca4827cd036851", "103.233.208.9 (CNC IP)", "https://passwords.google/?utm_medium=hpp&utm", "142.250.180.4 (init.ess)", "103.224.182.246 [command_and_control]", "https://login.apple-mac.banugoker.com/cgi-sys/defaultwebpage.cgi \u2022 lsupport-apple.com", "firebaseremoteconfig.googleapis.com (remote hacking)", "Target also owned an online brokerage & lead company, was agent & insurance marketer for years.", "www.onyx-ware.com \u2022 https://www.endgamesystems.com/", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "Remotewd.com devices", "aohhpesayw.lawsonengineers.co.", "browser.events.data.msn.com | events-sandbox.data.msn.com", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "fed.paypal.com [redirect for monitored target \u2022 1st documented 2020- still active]", "apple-dns.net", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "IDS Detections: : Suspicious User-Agent (HTTP Downloader) Suspicious User-Agent containing Loader Observed", "*otc.greatcall.com [Botnetwork]", "Interesting: dev-optum-dataintelligence.com \u2022 optumcoding.xxx \u2022 optuminsightcoding.xxx \u2022 optumrx.xxx", "Primary Request aspnet dotnet.microsoft.com/en-us/apps/ Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/ https://dotnet.microsoft.com/en-us/apps/aspnet", "https://urlscan.io/domain/maxwam.tk", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "afraid.org | evergreen.afraid.org", "http://mobtrack.trkclk.net", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "ddos.dnsnb8.net [command_and_control]", "https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html", "Behavior Pattern Match Analysis", "api.useragentswitch.com", "https://www.google.com/search", "Interesting: memberforms.optumrx.com \u2022 myoptum.info \u2022 optumrx.com \u2022 cte-scl.new.optumrx.com \u2022 dev-scl.optumrx.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "Apple Spy: cmlinki-img-3radio-iphone-web-cmlinki3-iphone-web-cmlinkiradio.redirectme.netoppofentryd.0-iphone-web-cmlinkiradio-iphone-web-cm", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (iPhone unlocker)", "http://45.159.189.105/bot/regex \u2022 https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms", "malware_hosting IP's:42.177.83.115 | IPv4 42.177.83.134 malware_hosting", "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "Gowi Live Bot.exe", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "86.140.232.148 [scanning_host]", "https://tulach.cc/ [phishing]", "https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "Antivirus Detections Win32:Malware-gen: Yara Detections: stack_string", "20.190.160.2 Microsoft [exploit_source]", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/", "Domains Contacted: www2.megawebfind.com www.google.com www6.megawebfind.com", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com", "Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Asacky!rfn , ALF:HeraklezEval:Trojan:Win32/Predator!rfn , Win.Trojan.Generic-9789164-0", "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "nr-data.net \u2022 init.ess.apple.com\t\u2022 apple-id-ifind.com \u2022 https://apple-id-ifind.com/\t\u2022 apple-lostandfound.com", "(Can't access file- Malware infection files)", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "https://link.monetizer101.com/widget/code/dailystaruk.js", "Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files", "ASP.net - Hack Together: Mar 1-15 Join the hack. Build an app with NET & Microsoft Graph for a\u2026 .", "Domains Contacted: www.download.windowsupdate.com ifdnzact.com d38psrni17bvxu.cloudfront.net", "http://www.Apple.com/quicktime/download/standalone.html", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "hpcc-page.cnc.ccgslb.com.cn 121.30.192.9 58.20.206.154 139.209.89.125 124.67.23.253 61.180.227.172 61.162.172.185 IP Traffic", "http://michaela.young@uchealth.com", "https://api2018.uchealth.com/apihc/tass/webportal/apihealthcare_live/default.aspx", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "apex.jquery.com (scammer | works for who?)", "ASP.net - chance to win prizes! \u53e3\u3001\u4ecb\u5973\u8fa3 All Microsoft Learn more ASP.NET Free. Cross-platform\u2026.", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "https://www.apple.com/qtactivex/qtplugin.cab", "I can\u2019t vouch for the safety of website above. First time user.", "http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)", "ELF:Mirai-ATI | United Healthcare Dark? | https://otx.alienvault.com/indicator/ip/205.132.162.113", "walmartmobile.cn", "The sca_esv parameter is a piece of data in the URL that's likely internal to Google's system for tracking, sorting, or customizing search results.", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "emails.redvue.com (apple DNS w/amvima)", "Crowdsourced YARA Rulesets", "Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "Alerts: antisandbox_sleep creates_exe dropper stealth_window injection_process_search protection_rx", "http://www.sos.state.co/ [interesting]", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "uchealth.com", "https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html", "https://hybrid-analysis.com/sample/dd09e575e6dfa77f081bf0014b2494e02f90cb23723fbb35d6b2a92e7c629920/689fcc40b786f8eaa20534b5", "Roksit.net", "TCP 123.125.159.119:80 (gad.page.cnc.ccgslb.com.cn) TCP 121.30.192.9:80 (hpcc-page.cnc.ccgslb.com.cn) TCP 121.30.193.30: Technique ID: T1140 Technique Name: Deobfuscate/Decode Files or Information Medium { \"families\": [], \"description\": \"One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.\", Technique ID: T1055 Technique Name: Process Injection A common use for this is when applications run in the system tray, but don't also want to sh", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https:/www.usaopps.com/government_contractors/contractor-5388777-SIERRA-PIPELINE-INC-.htm", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "https://apple-mac.banugoker.com/ \u2022 https://login.apple-mac.banugoker.com/", "stagelight.pl (malicious/ pattern match)", "Data Analytics", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "https://www.apple.com/sitemap/", "dns.google (DNS client services - Doug Cole)", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "tulach.cc. [Malevolent | Modified description]", "http://www.Apple.com/quicktime/download", "Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "dev.myhpnmedicaid.com", "Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook", "If you find anything interesting please research it.", "constellation.pcfrpegaservice.net (Pegasus related? idk)", "3.163.189.120 [Tracking]", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://api.strem.io/api/addonCollectionGet%", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com ocsp.pki.goog www.download.windowsupdate.com ifdnzact.com d38psrni17bvxu.cloudfront.net www2.megawebfind.com www.google.com www6.megawebfind.com", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "Handled by Lumen Technologies | What kind of darkness is this?", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "login.apple-mac.banugoker.com \u2022 www.apple-mac.banugoker.com \u2022 http://apple-mac.banugoker.com/", "https://twitter.com/PORNO_SEXYBABES \u2022 https://megapornfreehd.com/2025/04/360", "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy.", "freeimdatingsites.thomasdobo.eu", "init.ess.apple.com (remote hacking)", "2012647\tDropbox.com Offsite File Backup in Use", "DoD Network Information Center (DNIC)", "A clients infected now former iOS device.", "https://dotnet.microsoft.com/en-us/apps/aspnet", "https://www.roseoubleu.fr/panier (phishing)", "http://ww1.tsx.org/_fd", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "http://tshop.doido.com", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "https://www.speakup.it/magazines/places/new-york-city-on-a-budget-big-apple-little-money_2368", "wallpapers-nature.com \u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "checkip.dyndns.org [command_and_control]", "Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems", "talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com", "Interesting: unitedhealthcare cdn.member.unitedhealthcare.com \u2022 data.aca.unitedhealthcare.com \u2022 data.member.unitedhealthcare.com", "I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post", "www.jamesbgriffinlaw.com (malicious host)", "applepaydayloans.com", "http://tracks.theleders.family", "Python Wheel package", "103.224.182.253 [command_and_control]", "sentient.industries affects independent artists. Affects several others.", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022", "Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions", "http://dns1.whitelist.camect.com [interesting]", "https://lk-prod-webcol.laika.com.co/category/bog/cat/farmacia/collares-isabelinos/todos/todo-para-mascota/1", "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf", "Interesting Domain Tactics: https://click.benefits.unitedhealthcare.com/", "https://www.virustotal.com/graph/g03fce3ad62f74ad59bbcda71bfdde96da39417641c9a470f99adfa9b14a7724c", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Quickstart", "Qbot" ], "malware_families": [ "Kentuchy", "Trojan:win32/cryptinject.sd!mtb", "Win.trojan.jorik-149", "Win.malware.unruy-6912804-0", "Network rat", "Win.trojan.fraudpack", "Win.malware (30)", "Trojandropper:win32/muldrop.v!mtb", "Goldfinder", "Win.trojan.jorik-130", "Redline stealer", "Toga!rfn", "Maltiverse", "Floxif", "Win.trojan.fakecodecs-119", "Blacknet rat", "Win.malware.remoteadmin-7056666-0", "Sodin ransomware", "Downloader.cerber/js!1.a59c (classic)", "Script exploit", "Radar ineractive", "Cobalt strike - s0154", "Malicious.22a4c0", "W32/expiro.fam", "Xanfpezes.a", "Tulach malware", "Behav", "#lowfi:siga:trojanspy:msil/keylogger", "Opencandy", "Win.packed.razy-9785185-0", "Win.trojan.cycler-47", "Nufs_inno", "Static ai - malicious pe", "Roblox", "Inmortal", "Zegost", "Trojan.trojanbanker.android", "Win.malware.urelas", "Dropper.binder", "Trojan:win32/zbot.sibl!mtb", "Mimikatz", "Worm:win32/cambot!rfn", "Pws", "Wannacry", "Trojan:win32/blihan.a", "Gamehack.dr", "Alf:heraklezeval:pws:win32/qqpass!rfn", "Verified", "Alf:hstr:trojandownloader:win32/purityscan.a!bit", "#lowfidetectsvmware", "Elf:mirai-ati", "Emotet", "#lowfi:hstr:msil/malicious", "Win.packed.generic-9967832-0", "Adwaresig [adw] ml.generic", "Trojan:win32/toga", "#lowfi:hstr:msil/malicious.decryption", "Hacktool", "Laplasclipper", "Win.trojan.generic-9862772-0", "Win32:banker", "Other dangerous malware", "Risktool.androidos.beto", "Qvm20.1.8d80.malware", "Trojan.html.agent", "Hacktool:win32/autokms", "Fakeav", "Ransom", "Trojan.ransom.generickd", "Lumma stealer", "Undefined 1\tms 1\txyz 1\tgl 1\tnet tld aggregation com ms xyz gl net 20% 20% 20% 20% 20% tld\tcount com\t1 undefined\tnan ms\t1 xyz\t1 gl\t1 net\t1 combined blacklist timeline hybrid-analysis maltiverse resea", "Other malware", "Skynet", "Et", "Kimsuky", "Sdbot.caoc", "Win32:malob-bx\\ [cryp]", "Lockbit", "Relic", "Worm:win32/autorun.b", "Project nemesis", "Win.malware.sfwx-9853337-0", "Am", "Win.trojan.clicker-3506", "Win.dropper.tiggre-9845940-0", "Trojan:win32/pariham.a", "Malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tunsafe.ai_score_98% 1\tmobigame 1\tbanker,evasive,retefe 1\tprogram.unwanted 1\tmalicious.high.ml 1\tkryptik.dawvk 1\tunsafe.ai_score_91% 1\tadwar", "Beach research", "Ransom:msil/genasom.i", "Alf:exploit:win32/gsharedinforef.a", "Trojan:win32/zusy", "W32.hack.generic", "Trojan.generic", "Trojan.ole2.vbs", "#lowfienabledtcontinueafterunpacking", "Ml.generic", "Proxy", "Apple", "Unix.dropper.mirai-7135858-0", "Trojanspy", "Pws:msil/steam", "Tel:trojan:win32/emotet", "Gen:variant.bulz", "Tulach", "Nsis", "Unruy", "#hstr:hacktool:win32/mimikatz", "Adware.dropware", "Domino", "Tel:delphi/obfuscator", "Slfper:installcore", "Ramnit", "Malware", "Dotnet", "Sibot - s0589", "Worm:win32/autorun.xxy!bit", "Trojan:win32/gandcrab", "Win.malware.midie-6847892-0", "Trojandropper:win32/muldrop", "Nids", "Generic.asmalws malicious_confidence_70% 1\til:trojan.msilzilla 1\tfilerepmalware 1\transom.sabsik 1\tbehaveslike.dropper 1\tmicrosoft phishing 1\tbackdoor.mokes 1\tphishing bank of america corporat", "Trojan:win32/floxif.e", "Adware.pcappstore/veryfast", "Generic.malware", "Meterpreter", "Webtoolbar", "Malwarex-gen", "Backdoor:win32/tofsee.t", "Alf:hstr:dotnet", "Tofsee", "Trojan:win32/kaicorn!rf", "Trojan:win32/magania.dsk!mtb", "Artemis", "Worm:win32/autorun", "Agent tesla", "Phish.ab", "Honeypot", "Mbt", "Ddos:win32/stormser.a", "Gamehack", "Hsbc", "Win.malware.zusy", "Gen:variant.razy", "A variant of win32/kryptik.deoa", "States", "Raccoon", "Quasar rat", "Win32/nemucod", "Virtool:win32/obfuscator.ki", "Backdoor:win32/fynloski.a", "Zbot", "Neshta", "Pws:win32/qqpass.b!mtb", "Win.downloader.unruy-10026469-0", "Trojanx", "E5", "Lizar", "Brontok", "Artro", "Trojan:win32/zombie.a", "Mydoom", "Keyloggers", "Qakbot", "Multiple malware attack", "Custom malware", "Alf:heraklezeval:trojan:win32/predator!rfn", "Trojan:win32/daws", "Anonymizer", "Alf:heraklezeval:trojandownloader:html/adodb!rfn", "Win.malware.eclz-9953021-0", "Win.trojan.bulz-9860169-0", "Win32:malware", "Win.dropper.unruy-9994363-0", "Malware.generic", "Cobalt strike", "Win32:trojan-gen", "Carbanak", "Gen:variant.zusy", "Win.downloader.109205-1", "Alf:jasyp:pua:win32/bibado", "Win32:downloader-gjk\\ [trj]", "Worm:win32/netsky", "Emotet b", "Backdoor.mokes", "Generic", "Trojan:win32/glupteba.mt!mtb", "#lowfi:suspicioussectionname", "Trojan:win32/ircbot", "Alf:jasyp:trojan:win32/ircbot!atmn", "Alf:heraklezeval:trojan:win32/ymacco.aa47", "Alf:heraklezeval:pua:win32/ultradownloads", "Win.malware.fileinfector-9834127-0", "Win.malware.kolab-9885903-0", "Alf:program:opencandy:remnant", "Generic.31fcc75f" ], "industries": [ "Government", "Contracts", "Technology", "Civil society", "Civilian", "Healthcare", "Business", "Telecommunications", "Oil", "Financial", "Finance", "Insurance", "Economy", "Legal", "Hospitality", "Education" ], "unique_indicators": 353061 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/bing.com.cn", "whois": "http://whois.domaintools.com/bing.com.cn", "domain": "bing.com.cn", "hostname": "map.bing.com.cn" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "69aa0a62f94a92b5168405c2", "name": "fedpaypal clone Q vashti", "description": "", "modified": "2026-03-06T06:39:27.872000", "created": "2026-03-05T22:57:38.559000", "tags": [ "present sep", "virtool", "cryp", "win32", "ip address", "trojan", "ransom", "asn as54113", "passive dns", "msil", "united states", "dynamicloader", "qaeaav12", "high", "qbeipbdii", "write", "paypal", "medium", "search", "vmware", "floodfix", "malware", "united", "mtb apr", "hostname add", "write c", "read c", "yara detections", "upxoepplace", "next", "markus", "april", "ping", "meta http", "content", "gmt server", "th th", "443 ma2592000", "ipv4 add", "url analysis", "urls", "body", "title", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "status", "name servers", "set cookie", "script urls", "present feb", "cookie", "template", "present oct", "present jul", "present dec", "present jun", "next associated", "urls show", "date checked", "present apr", "url hostname", "united kingdom", "unknown ns", "servers", "great britain", "msr aug", "msr apr", "msr nov", "ite o", "server response", "script script", "files show", "date hash", "avast avg", "creation date", "lcid1033", "sminnotek", "spnvirtualbox", "bvvirtualbox", "present mar", "present nov", "exploit", "error", "server response", "google safe", "results sep", "backdoor", "certificate", "mtb sep", "next http", "scans show", "present may", "results jun", "results jan", "worm", "echo request", "sweep", "payload hello", "world", "ids detections", "cape", "viking", "philis", "et", "torop", "des moines", "contacted hosts", "content reputation", "sabey type", "tulach type", "rexx type", "foundry type", "fred scherr", "twitter", "apple", "monitored target", "financial theft", "psalms 27: 1 - 14" ], "references": [ "fed.paypal.com [redirect for monitored target \u2022 1st documented 2020- still active]", "nr-data.net \u2022 init.ess.apple.com\t\u2022 apple-id-ifind.com \u2022 https://apple-id-ifind.com/\t\u2022 apple-lostandfound.com", "https://www.speakup.it/magazines/places/new-york-city-on-a-budget-big-apple-little-money_2368", "https://login.apple-mac.banugoker.com/cgi-sys/defaultwebpage.cgi \u2022 lsupport-apple.com", "login.apple-mac.banugoker.com \u2022 www.apple-mac.banugoker.com \u2022 http://apple-mac.banugoker.com/", "https://apple-mac.banugoker.com/ \u2022 https://login.apple-mac.banugoker.com/", "http://45.159.189.105/bot/regex \u2022 https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com \u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.\u2022 com/ \u2022 https://www.csrc.gov.cn.lxcvc.com/", "https://lk-prod-webcol.laika.com.co/category/bog/cat/farmacia/collares-isabelinos/todos/todo-para-mascota/1", "https://twitter.com/PORNO_SEXYBABES \u2022 https://megapornfreehd.com/2025/04/360", "https://57d5.zhanyu66.com/com.slamyugllp.strangerrun.xc.apk/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "Win.Trojan.Fraudpack", "display_name": "Win.Trojan.Fraudpack", "target": null }, { "id": "Fakeav", "display_name": "Fakeav", "target": null }, { "id": "Ransom:MSIL/Genasom.I", "display_name": "Ransom:MSIL/Genasom.I", "target": "/malware/Ransom:MSIL/Genasom.I" }, { "id": "Virtool:Win32/Obfuscator.KI", "display_name": "Virtool:Win32/Obfuscator.KI", "target": "/malware/Virtool:Win32/Obfuscator.KI" }, { "id": "Toga!rfn", "display_name": "Toga!rfn", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Malware.Remoteadmin-7056666-0", "display_name": "Win.Malware.Remoteadmin-7056666-0", "target": null }, { "id": "Floxif", "display_name": "Floxif", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Dropper.Unruy-9994363-0", "display_name": "Win.Dropper.Unruy-9994363-0", "target": null }, { "id": "Win.Trojan.Cycler-47", "display_name": "Win.Trojan.Cycler-47", "target": null }, { "id": "Win.Trojan.Clicker-3506", "display_name": "Win.Trojan.Clicker-3506", "target": null }, { "id": "Win.Downloader.Unruy-10026469-0", "display_name": "Win.Downloader.Unruy-10026469-0", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Malware.Urelas", "display_name": "Win.Malware.Urelas", "target": null }, { "id": "Win.Malware.Zusy", "display_name": "Win.Malware.Zusy", "target": null }, { "id": "ALF:HeraklezEval:PWS:Win32/QQPass!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/QQPass!rfn", "target": null }, { "id": "Win.Malware.Eclz-9953021-0", "display_name": "Win.Malware.Eclz-9953021-0", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:HSTR:TrojanDownloader:Win32/PurityScan.A!bit", "display_name": "ALF:HSTR:TrojanDownloader:Win32/PurityScan.A!bit", "target": null }, { "id": "Win.Dropper.Tiggre-9845940-0", "display_name": "Win.Dropper.Tiggre-9845940-0", "target": null }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Win.Malware.Sfwx-9853337-0", "display_name": "Win.Malware.Sfwx-9853337-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Trojan:Win32/Kaicorn!rf", "display_name": "Trojan:Win32/Kaicorn!rf", "target": "/malware/Trojan:Win32/Kaicorn!rf" }, { "id": "Win32:Banker", "display_name": "Win32:Banker", "target": null }, { "id": "Worm:Win32/Cambot!rfn", "display_name": "Worm:Win32/Cambot!rfn", "target": "/malware/Worm:Win32/Cambot!rfn" }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "Win.Malware.Midie-6847892-0", "display_name": "Win.Malware.Midie-6847892-0", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1401", "name": "Device Administrator Permissions", "display_name": "T1401 - Device Administrator Permissions" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "68c5743593a4bcc81dd94b0b", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1323, "URL": 4360, "FileHash-MD5": 759, "FileHash-SHA1": 748, "FileHash-SHA256": 5148, "domain": 1076, "email": 7 }, "indicator_count": 13421, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9a1ef2dd26ec62a3c298c", "name": "Listeners - Malicious Over the top espionage | Cyber Warfare?", "description": "Cyber attacks on targeted devices stored safely, separately, don\u2019t communicate with one another. PalantirFoundry.com shares IP addresses with Fastly. South African IP\u2019s and DGA domains bounce from US Denver , Co based IP and Domain addresses. Registrar Abuse: HTTP/2 404 content type: text/html content length: 2263 date: Wed 22 Oct 2025 22:32:18 GMT server: Envoy\n443 Certificate Subject: US\n443 Certificate Subject: Colorado\n443 Certificate Subject: Denver\n443 Certificate Subject: Palantir Technologies Inc.\n443 Certificate Subject: listeners.usw-19.palantirfoundry.com", "modified": "2025-11-22T00:01:42.464000", "created": "2025-10-23T03:33:03.315000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 180, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9a6f4e35193c04401daaf", "name": "Emotet & VirTool Obsfuscator - Registrar abuse tracking civilians", "description": "", "modified": "2025-11-22T00:01:42.464000", "created": "2025-10-23T03:54:28.671000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": "68f9a1ef2dd26ec62a3c298c", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69069167e1e2a222bd7762f2", "name": "Palantir - Spyware", "description": "", "modified": "2025-11-22T00:01:42.464000", "created": "2025-11-01T23:01:59.339000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": "68f9a1ef2dd26ec62a3c298c", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "privacynotacrime", "id": "349346", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9372439f9a3973097393f", "name": "South African actors are criminally insane Palantir product abusers or employees", "description": "Attempting to wip disks and delete files. Threat actors nearby. \u2018Endgame\u2019 project typically found alongside Project Hilo , Project Helix , Palantir and Foundry. I\u2019m just researching to solve what I thought would be far less complex issues. Stop doing this. Target rarely left house after contact with \u2018watcher\u2019 \u2018MVA by a young 22 year old male also left victim in fear til the end. \nI\u2019m going to call out on anyone pretending to be some else \u2018stop making contact with targets family and associates.\u2019 No one has been pursued or paid for crimes against target. This needs to end.\n\nSouth African actors are criminally insane Palantir product users or employees \n\n#phishing + malware , dns , file deletion attacks. \n\n[OTX auto populated The following is the full text of Entrust, Inc. - for the use of the terms \"entrust\" and \"sassa.gov.za\" - in terms of terms and conditions. ]\n\nIt makes sense. I\u2019m in town. 5 blocks away heading towards SoBo. Hi! Stop", "modified": "2025-11-21T19:01:20.179000", "created": "2025-10-22T19:57:24.562000", "tags": [ "passive dns", "urls", "related nids", "files location", "south africa", "flag south", "africa hostname", "files domain", "files", "entrust", "mulweli", "create c", "read c", "delete", "write", "search", "show", "create", "medium", "showing", "unicode", "next", "dock", "execution", "copy", "t1199", "relationship", "t1561", "wipe", "t1053", "taskjob", "t1055", "injection", "t1056", "capture", "url https", "url http", "malware attacks", "find encrypted", "indicator role", "title added", "active related", "pulses url", "city", "county", "otx auto", "title", "net security", "tags" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 597, "domain": 78, "hostname": 270, "FileHash-SHA256": 183, "FileHash-MD5": 19, "FileHash-SHA1": 5 }, "indicator_count": 1152, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9288e0d98f3b44c2cb90c", "name": "Ultrasounds attack - South African criminal group-Denver, Vo affects critical infrastructure , Oil and public safety", "description": "South African and Ethiopian crime group with Denver , Co presence is not only infiltrating infrastructure from banking to oil, they are human traffickers, hitmen and yes, I received this tip from team member Pheona who a \u2018sassa.gov.za\u2018 South African link recurrently as a top search suggestion in a \u2018targets\u2019 browser. The most frightening piece is that a name listed is of an Ethiopian man who attempted to force a very targeted victim to go somewhere with him,, be his girlfriend and did show up outside of her residence in a different City & County. He also knew the exact name of where she purchased specific items. If you can see this. Please help the best way you can. Something is incredibly wrong. [OTX auto populated Title: We can\u2019t rely on goodwill to protect our critical infrastructure - Help Net Security]", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T18:55:10.527000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f93b1cebf80f48450bd517", "name": "Yuner - File deletion and Disk Wiping / Cyberstalking ", "description": "", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T20:14:20.632000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": "68f9288e0d98f3b44c2cb90c", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f7ced2cf17d264b49628bc", "name": "NIDS - Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information", "description": "Multiple malware\u2019s targeting Dropbox & Ebay accounts. Referenced in earlier pukses. Further investigation shows link found in apps on multiple Apple devices. Afraid. Org still running & wreaking havoc globally. Currently targets a Music studio in Clear Creek County Co. The signal bounces from Fire station directly to studio gaining full access to everything.\n\nI am very disappointed with the abuses in f the Palantir , Gotham , Foundry products being abused by law firms and Private Investigators.\nIt is very destructive, causing loss, these firms are literally stealing and making money with other people\u2019s intellectual property and tough luck on the actual inventor, artist, writer because they even steal , cancel your insurance or back accounts leaving you unable to make a claim. \n\nGreat discretion should be used to qualify for these tools used to track, terrorize and access private information as well as tarnish the names of civilians , family ,businesses, stalking tracking known location.", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T18:20:02.120000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f80c6bcd3fff3a4f126a68", "name": "Sventore \u2022 Agent Tesla Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information ", "description": "", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T22:42:51.657000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": "68f7ced2cf17d264b49628bc", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6533120ed78adc8baa57b9d0", "name": "quick look at 79.12.165.51", "description": "", "modified": "2025-10-25T02:11:11.653000", "created": "2023-10-20T23:49:34.890000", "tags": [], "references": [ "https://www.virustotal.com/graph/g03fce3ad62f74ad59bbcda71bfdde96da39417641c9a470f99adfa9b14a7724c" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 1650, "URL": 1744, "domain": 339, "email": 1, "hostname": 834, "CVE": 1 }, "indicator_count": 4587, "is_author": false, "is_subscribing": null, "subscriber_count": 179, "modified_text": "176 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://map.bing.com.cn", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://map.bing.com.cn", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776620169.6346347 }