{ "type": "URL", "indicator": "https://masonry.desandro.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://masonry.desandro.com", "type": "url", "type_title": "URL", "validation": [ { "source": "majestic", "message": "Whitelisted domain desandro.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2949366153, "indicator": "https://masonry.desandro.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "690e47a694d9bc5c12d83bc0", "name": "LimeRAT | Dark Room Dennis | SpyGlassPrism HealthCare", "description": "Invasive, dark , illegal. Malicious. Will sift through malware Spyware systems. Perpetual remote connections. Employed by Tam Legals Christopher P. Ahmann (Colorado government) to spy on, tamper with , annoy, terrorize, out of financial awards. \n\n spyglass-w_1_.png\n\nSize\n362B (362 bytes)\nMD5\n3c0e6546a44bd9a0f2768df07db5c1c9 Copy MD5 to clipboard\nSHA1\neddf26d1da4a140f2f963b8564c4e99cd6f1a677 Copy SHA1 to clipboard\nSHA256\n83eec393865a35363695d6f2416792d0117f551bb3e41d13b141d70e6b35e02c Copy SHA256 to clipboard", "modified": "2025-12-07T18:01:48.980000", "created": "2025-11-07T19:25:26.827000", "tags": [ "germany asn", "as24940 hetzner", "status connect", "associated", "present nov", "germany", "moved", "present oct", "accept", "germany unknown", "web trebuchet", "ms lucida", "grande lucida", "sans unicode", "lucida sans", "tahoma", "passive dns", "title", "error", "gmbh ccp", "germany germany", "asn as197540", "response ip", "address google", "safe browsing", "present jun", "present may", "present mar", "present jan", "urls", "aaaa", "gmt content", "type", "tags", "tag groups", "countries", "add country", "malware att", "ck it1140", "information", "cisco", "umbrella rank", "automatic", "webgl", "please", "november", "typeof function", "topropertykey", "masonry object", "prism function", "cookies", "source level", "reverse dns", "protocol h2", "security tls", "asn24940", "online gmbh", "general full", "url https", "falkenstein", "community forum", "it url", "youtube videos", "twitch kanal", "discord channel", "spenden", "shop url", "google", "hetzneras", "http", "april", "de summary", "ehingen", "march", "google safe", "browsing", "learn", "issues tab", "value", "masonry", "domainpath name", "cgjerrieegagfw", "label", "input", "suchen nach", "suche", "form", "hash", "name value", "main", "flag", "contacted hosts", "ip address", "process details", "windir", "openurl c", "prefetch2", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "a domains", "ascio", "china unknown", "record value", "apache", "encrypt", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "related tags", "certificate", "hostname add", "url analysis", "files", "domain", "files ip", "address", "asn as24940", "less", "raspberry pi", "ubiquiti", "remote", "hostname", "pulse submit", "status", "entries", "x xss", "sameorigin x", "unicode text", "utf8 text", "click", "strings", "mitre att", "ck matrix", "pattern match", "ascii text", "href", "show process", "network traffic", "general", "hybrid", "local", "path", "monitored target", "spyglass", "spyware.", "pegasus systems", "prism", "colorado leg", "christopher p.ahmann", "ahmann", "christopher", "P", "tam legal", "treece", "alfrey", "muscat", "criminal", "jeffrey reimer", "theft", "remote connect", "schroeder dennis" ], "references": [ "Domain Name: schroederdennis.de | Status: connect", "remote.tecbuddy.de | remote.schneider-hv.de | remotedesktop.thedipling", "root-dns.netcup", "device-*******-*****-****-****-*********.remotewd.com", "ai-sandboxes.com", "Why Is this always a problem? Just curious. - http://wyblog.us/blog/rants/strikers-get-unemployment-benefits", "$ is funneled back to government, (quasi) , bonused \u2018doctors\u2019 State \u2018experts\u2019 who\u2026", "\u2026lie about the severity of injuries and do crap like this.", "This money belongs to people who paid insurance to cover on job injuries that happen in the job.", "Premise liability covers premises, employees and premises visitors. Weaponizing is not covered.", "Those attacked are the severely injured, survivors of dead workers, victims of providers.", "These people aren\u2019t in the dark. They are clear of the need to pay benefits.", "There are absolute losers in the dole illegally benefiting from the suffering others.", "https://hybrid-analysis.com/sample/00f5292bbe68d9edc68f9a22a750eafb58e4f8474e15a48e3cc217fbbd0cdef9/690e24bb39c801e6d80a824e", "\u2022 http://demo.ideaboxthemes.com/prism", "https://photoprism.thedipling.dns64.de/ \u2022 synertec-audit-cloud.healthchecks.prismcloud.uk", "photoprism.thedipling.dns64.de \u2022 https://schroederdennis.de/wp-content/plugins/highlighting-code-block/assets/js/prism.js?ver=2.0.1", "\"OC47TWOY.txt\" has type \"ASCII text\"- [targetUID: N/A] \"spyglass-w_1_.png\" has type \"Unknown\"- [targetUID: N/A]", "\"spyglass-w_1_.png\" has type \"Unknown\" and extension \"png\" \"clock-g_1_.png\" has type \"Unknown\" and extension \"png\"", "Domain healthcareshapers.com \u2022 https://www.healthcareshapers.com/", "www.ventoxhealthcare.in \u2022 synertec-audit-cloud.healthchecks.prismcloud.uk", "https://cullenbehavioralhealth.theraplatform.com/ \u2022 amghealthnetwork.com", "3ddruck-celle.de", "wwwwww.publicpublicwww.portal.apple-apple-number3.ipv64.net", "sonarr.app.pineapplegod.co.nz", "http://svc.ghlink.com/svc/Authenticate/Applications", "https://sap.dswd.gov.ph.index.ph \u2022 login.prod.siecm.gov.mg \u2022 nre-362.dev.nre.gss.gov.uk", "sdp-dev-ingest.ci.lineageandprovenance.gss.gov.uk", "http://www.xonitec.com/pornosu/yuotubesex.html", "rowanandbenporn.ssssssssssssshadow.home64.de", "https://pagead2.googlesyndication.com/pagead/ads?ltd_cs=1&client=ca-pub-6165363645315831&output=html&adk=1812271804&adf=3025194257&lmt=1713778114&plat=3%3A16%2C4%3A16%2C8%3A4194304%2C9%3A134250504%2C16%3A8388608%2C17%3A32%2C24%3A32%2C25%3A32%2C30%3A1081344%2C32%3A32%2C41%3A32%2C42%3A32&format=0x0&url=https%3A%2F%2Fschroederdennis.de%2Fubiquiti%2Fubiquiti-unifi-u6-plus-vs-u6-lite-vergleich-access-point-wifi%2F&pra=5&wgl=1&easpi=0&asro=0&uach=WyJXaW4zMiIsIjEwLjAuMCIsIng4NiIsIiIsIjEyNC4wLjYzNjcuNjAiLG51bGwsMCx", "https://urlscan.io/result/019a5fbd-e7c6-743a-b9a7-a20e8b2943cd/", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Packed.Rrat-9798963-0", "display_name": "Win.Packed.Rrat-9798963-0", "target": null }, { "id": "Win.Dropper.LimeRAT-9776087-0", "display_name": "Win.Dropper.LimeRAT-9776087-0", "target": null }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [ "Healthcare", "Legal", "Government", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1258, "hostname": 2018, "URL": 3033, "FileHash-SHA256": 651, "email": 4, "FileHash-MD5": 62, "FileHash-SHA1": 69, "SSLCertFingerprint": 5 }, "indicator_count": 7100, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "132 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fbc84609098d17c316f23c", "name": "NSO - Multiple crimes", "description": "Multiple crimes including illegal gambling, loan sharking, cybercrimes , content reputation , instructions. Starfield seen again. Team 8 has seen Starfield in more than 300 pulses. Now it\u2019s gone. Check your devices for innocent looking searches you\u2019ve never searched. Browser extensions found on 3 targeted devices with an adversary with full CnC armed with a deletion and disk wipe service. Local - Denver. \n\nAlso, very concerning is specific Airline to be attacked revealed. It cant be researched without bringing down a flight or messing up air command & control. DJT has already made travel a risky feat by being influenced to fire the (NOAA) & (DOT). Its manipulation. PP Mafia bros. \n\nDoes anyone have any power? Contact someone. We did have a mystery plane incident in Denver after I first reported. Just space junk , ya know the usual. I am serious about preventing crime. I need some help!", "modified": "2025-11-23T17:00:58.297000", "created": "2025-10-24T18:41:10.936000", "tags": [ "type indicator", "added active", "related pulses", "script urls", "united", "unknown ns", "a domains", "ip address", "meta", "asn as13335", "msie", "chrome", "ransom", "trojan", "passive dns", "backdoor", "http request", "twitter", "win32/crix.c check-in", "gmt content", "ipv4", "urls", "files", "data upload", "extraction", "domain add", "e emeseieee", "dynamicloader", "e eue", "eweienedeoewese", "windows nt", "wow64", "slcc2", "media center", "edeeefeaeuelete", "unknown", "write", "bits", "malware", "xserver", "encrypt", "unknown aaaa", "moved", "cloudfront x", "hio52 p1", "name servers", "accept encoding", "emails", "servers", "extr", "u a640", "a69f u", "fe2e fe2f", "u a720", "a7ff", "u feff", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "pattern match", "mitre att", "null", "body", "pizza", "friday", "hybrid", "general", "local", "path", "starfield", "iframe", "click", "strings", "core", "bet", "gambling", "record value", "date", "present sep", "present apr", "colombia", "present jun", "present nov", "cookie", "present oct", "entries", "next associated", "error", "attack", "government", "scotland", "news", "covid19", "subscribe", "october", "crown copyright", "nhs scotland", "parliament", "coronavirus", "redacted for", "domain status", "server", "privacy tech", "privacy admin", "email", "country", "postal code", "stateprovince", "code", "host name", "rdap database", "handle", "iana registrar", "entity roles", "links", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "validity", "subject public", "key info", "medium", "write c", "search", "pe file", "high", "checks", "http", "delete", "copy", "guard", "mozilla", "next", "godaddy", "creation date", "hostname", "pulse submit", "url analysis", "domain", "files ip", "trojandropper", "mtb oct", "mtb may", "refloadapihash", "foundry", "fastly", "value a", "com laude", "ltd dba", "nomiq", "limited dba", "pulse", "location united", "asn asnone", "nameservers" ], "references": [ "giovannisnypizza.net \u2022 http://www.giovannisnypizza.net \u2022", "fazendabetb.live \u2022 bowiesports.com Check first???", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino", "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022", "05bet99.bet \u2022 app.05bet99.bet \u2022 betterlifeschool.kr \u2022 bbrbet.today", "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com", "cashloanboat.com \u2022 mx-loans-5o.today\u2022 nodoccommercialloan", "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/", "m.casinometropol225.com \u2022 casinometropol285.com \u2022 http://bonus.casinometropol285.com \u2022", "https://bonus.casinometropol285.com \u2022 www.aksescasinobet77.icu bonus.casinometropol285.com \u2022", "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au", "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))", "The Scottish Government www.gov.scot The NHS Scotland support", "http://129.2.4.2/32 Lencr", "qlw020.managed-sprint.dynalabs.io (Check)", "brave-ohttp-relay-dev.fastly-edge.com (Palantir)", "ims.foundryfabrication.co.uk \u2022 timelog.foundryfabrication.co.uk \u2022 ims.foundryfabrication.co", "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com", "vb.cu \u2022 vb \u2022 vb.il \u2022 vb.cu \u2022 vb.il \u2022 docs.fastly.com \u2022 docs.fastly.com", "ExternalHosts: US", "Starfield again - HoneyPot / Dod- DoW", "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction", "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware", "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Germany", "Bulgaria", "Singapore", "Denmark", "Australia", "Jersey", "Japan", "Canada" ], "malware_families": [ { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Autoit", "display_name": "Autoit", "target": null }, { "id": "Ransom:Win32/Crowti", "display_name": "Ransom:Win32/Crowti", "target": "/malware/Ransom:Win32/Crowti" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#Lowfi:SIGATTR:DownloadAndExecute", "display_name": "#Lowfi:SIGATTR:DownloadAndExecute", "target": null }, { "id": "Win.Dropper.Vbclone", "display_name": "Win.Dropper.Vbclone", "target": null }, { "id": "Win.Packer", "display_name": "Win.Packer", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6261, "domain": 1806, "hostname": 2427, "FileHash-MD5": 384, "FileHash-SHA1": 381, "email": 13, "FileHash-SHA256": 1418, "SSLCertFingerprint": 14 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fc18514965ccd3b55c216d", "name": "Dorv \u2022 Obfuscator - Affecting DropBox", "description": "", "modified": "2025-11-23T17:00:58.297000", "created": "2025-10-25T00:22:41.686000", "tags": [ "type indicator", "added active", "related pulses", "script urls", "united", "unknown ns", "a domains", "ip address", "meta", "asn as13335", "msie", "chrome", "ransom", "trojan", "passive dns", "backdoor", "http request", "twitter", "win32/crix.c check-in", "gmt content", "ipv4", "urls", "files", "data upload", "extraction", "domain add", "e emeseieee", "dynamicloader", "e eue", "eweienedeoewese", "windows nt", "wow64", "slcc2", "media center", "edeeefeaeuelete", "unknown", "write", "bits", "malware", "xserver", "encrypt", "unknown aaaa", "moved", "cloudfront x", "hio52 p1", "name servers", "accept encoding", "emails", "servers", "extr", "u a640", "a69f u", "fe2e fe2f", "u a720", "a7ff", "u feff", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "pattern match", "mitre att", "null", "body", "pizza", "friday", "hybrid", "general", "local", "path", "starfield", "iframe", "click", "strings", "core", "bet", "gambling", "record value", "date", "present sep", "present apr", "colombia", "present jun", "present nov", "cookie", "present oct", "entries", "next associated", "error", "attack", "government", "scotland", "news", "covid19", "subscribe", "october", "crown copyright", "nhs scotland", "parliament", "coronavirus", "redacted for", "domain status", "server", "privacy tech", "privacy admin", "email", "country", "postal code", "stateprovince", "code", "host name", "rdap database", "handle", "iana registrar", "entity roles", "links", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "validity", "subject public", "key info", "medium", "write c", "search", "pe file", "high", "checks", "http", "delete", "copy", "guard", "mozilla", "next", "godaddy", "creation date", "hostname", "pulse submit", "url analysis", "domain", "files ip", "trojandropper", "mtb oct", "mtb may", "refloadapihash", "foundry", "fastly", "value a", "com laude", "ltd dba", "nomiq", "limited dba", "pulse", "location united", "asn asnone", "nameservers" ], "references": [ "giovannisnypizza.net \u2022 http://www.giovannisnypizza.net \u2022", "fazendabetb.live \u2022 bowiesports.com Check first???", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino", "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022", "05bet99.bet \u2022 app.05bet99.bet \u2022 betterlifeschool.kr \u2022 bbrbet.today", "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com", "cashloanboat.com \u2022 mx-loans-5o.today\u2022 nodoccommercialloan", "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/", "m.casinometropol225.com \u2022 casinometropol285.com \u2022 http://bonus.casinometropol285.com \u2022", "https://bonus.casinometropol285.com \u2022 www.aksescasinobet77.icu bonus.casinometropol285.com \u2022", "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au", "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))", "The Scottish Government www.gov.scot The NHS Scotland support", "http://129.2.4.2/32 Lencr", "qlw020.managed-sprint.dynalabs.io (Check)", "brave-ohttp-relay-dev.fastly-edge.com (Palantir)", "ims.foundryfabrication.co.uk \u2022 timelog.foundryfabrication.co.uk \u2022 ims.foundryfabrication.co", "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com", "vb.cu \u2022 vb \u2022 vb.il \u2022 vb.cu \u2022 vb.il \u2022 docs.fastly.com \u2022 docs.fastly.com", "ExternalHosts: US", "Starfield again - HoneyPot / Dod- DoW", "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction", "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware", "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Germany", "Bulgaria", "Singapore", "Denmark", "Australia", "Jersey", "Japan", "Canada" ], "malware_families": [ { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Autoit", "display_name": "Autoit", "target": null }, { "id": "Ransom:Win32/Crowti", "display_name": "Ransom:Win32/Crowti", "target": "/malware/Ransom:Win32/Crowti" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#Lowfi:SIGATTR:DownloadAndExecute", "display_name": "#Lowfi:SIGATTR:DownloadAndExecute", "target": null }, { "id": "Win.Dropper.Vbclone", "display_name": "Win.Dropper.Vbclone", "target": null }, { "id": "Win.Packer", "display_name": "Win.Packer", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "68fbc84609098d17c316f23c", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6261, "domain": 1806, "hostname": 2427, "FileHash-MD5": 384, "FileHash-SHA1": 381, "email": 13, "FileHash-SHA256": 1418, "SSLCertFingerprint": 14 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "These people aren\u2019t in the dark. They are clear of the need to pay benefits.", "m.casinometropol225.com \u2022 casinometropol285.com \u2022 http://bonus.casinometropol285.com \u2022", "https://hybrid-analysis.com/sample/00f5292bbe68d9edc68f9a22a750eafb58e4f8474e15a48e3cc217fbbd0cdef9/690e24bb39c801e6d80a824e", "sdp-dev-ingest.ci.lineageandprovenance.gss.gov.uk", "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b", "\"spyglass-w_1_.png\" has type \"Unknown\" and extension \"png\" \"clock-g_1_.png\" has type \"Unknown\" and extension \"png\"", "https://photoprism.thedipling.dns64.de/ \u2022 synertec-audit-cloud.healthchecks.prismcloud.uk", "root-dns.netcup", "\u2026lie about the severity of injuries and do crap like this.", "cashloanboat.com \u2022 mx-loans-5o.today\u2022 nodoccommercialloan", "http://129.2.4.2/32 Lencr", "giovannisnypizza.net \u2022 http://www.giovannisnypizza.net \u2022", "https://pagead2.googlesyndication.com/pagead/ads?ltd_cs=1&client=ca-pub-6165363645315831&output=html&adk=1812271804&adf=3025194257&lmt=1713778114&plat=3%3A16%2C4%3A16%2C8%3A4194304%2C9%3A134250504%2C16%3A8388608%2C17%3A32%2C24%3A32%2C25%3A32%2C30%3A1081344%2C32%3A32%2C41%3A32%2C42%3A32&format=0x0&url=https%3A%2F%2Fschroederdennis.de%2Fubiquiti%2Fubiquiti-unifi-u6-plus-vs-u6-lite-vergleich-access-point-wifi%2F&pra=5&wgl=1&easpi=0&asro=0&uach=WyJXaW4zMiIsIjEwLjAuMCIsIng4NiIsIiIsIjEyNC4wLjYzNjcuNjAiLG51bGwsMCx", "ExternalHosts: US", "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware", "There are absolute losers in the dole illegally benefiting from the suffering others.", "sonarr.app.pineapplegod.co.nz", "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction", "https://urlscan.io/result/019a5fbd-e7c6-743a-b9a7-a20e8b2943cd/", "Starfield again - HoneyPot / Dod- DoW", "This money belongs to people who paid insurance to cover on job injuries that happen in the job.", "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards", "Those attacked are the severely injured, survivors of dead workers, victims of providers.", "https://sap.dswd.gov.ph.index.ph \u2022 login.prod.siecm.gov.mg \u2022 nre-362.dev.nre.gss.gov.uk", "wwwwww.publicpublicwww.portal.apple-apple-number3.ipv64.net", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com", "The Scottish Government www.gov.scot The NHS Scotland support", "$ is funneled back to government, (quasi) , bonused \u2018doctors\u2019 State \u2018experts\u2019 who\u2026", "ai-sandboxes.com", "photoprism.thedipling.dns64.de \u2022 https://schroederdennis.de/wp-content/plugins/highlighting-code-block/assets/js/prism.js?ver=2.0.1", "05bet99.bet \u2022 app.05bet99.bet \u2022 betterlifeschool.kr \u2022 bbrbet.today", "https://bonus.casinometropol285.com \u2022 www.aksescasinobet77.icu bonus.casinometropol285.com \u2022", "ims.foundryfabrication.co.uk \u2022 timelog.foundryfabrication.co.uk \u2022 ims.foundryfabrication.co", "remote.tecbuddy.de | remote.schneider-hv.de | remotedesktop.thedipling", "fazendabetb.live \u2022 bowiesports.com Check first???", "\u2022 http://demo.ideaboxthemes.com/prism", "device-*******-*****-****-****-*********.remotewd.com", "rowanandbenporn.ssssssssssssshadow.home64.de", "http://www.xonitec.com/pornosu/yuotubesex.html", "www.ventoxhealthcare.in \u2022 synertec-audit-cloud.healthchecks.prismcloud.uk", "\"OC47TWOY.txt\" has type \"ASCII text\"- [targetUID: N/A] \"spyglass-w_1_.png\" has type \"Unknown\"- [targetUID: N/A]", "Premise liability covers premises, employees and premises visitors. Weaponizing is not covered.", "qlw020.managed-sprint.dynalabs.io (Check)", "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022", "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino", "vb.cu \u2022 vb \u2022 vb.il \u2022 vb.cu \u2022 vb.il \u2022 docs.fastly.com \u2022 docs.fastly.com", "Domain healthcareshapers.com \u2022 https://www.healthcareshapers.com/", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/", "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))", "http://svc.ghlink.com/svc/Authenticate/Applications", "Domain Name: schroederdennis.de | Status: connect", "Why Is this always a problem? Just curious. - http://wyblog.us/blog/rants/strikers-get-unemployment-benefits", "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au", "3ddruck-celle.de", "brave-ohttp-relay-dev.fastly-edge.com (Palantir)", "https://cullenbehavioralhealth.theraplatform.com/ \u2022 amghealthnetwork.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "NSO" ], "malware_families": [ "Autoit", "#lowfi:sigattr:downloadandexecute", "Win.dropper.vbclone", "Win.packed.rrat-9798963-0", "Malware packed", "Upatre", "Backdoor:win32/tofsee.", "Ransom:win32/crowti", "Win.dropper.limerat-9776087-0", "Win.packer" ], "industries": [ "Government", "Healthcare", "Legal", "Technology" ], "unique_indicators": 19806 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/desandro.com", "whois": "http://whois.domaintools.com/desandro.com", "domain": "desandro.com", "hostname": "masonry.desandro.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "690e47a694d9bc5c12d83bc0", "name": "LimeRAT | Dark Room Dennis | SpyGlassPrism HealthCare", "description": "Invasive, dark , illegal. Malicious. Will sift through malware Spyware systems. Perpetual remote connections. Employed by Tam Legals Christopher P. Ahmann (Colorado government) to spy on, tamper with , annoy, terrorize, out of financial awards. \n\n spyglass-w_1_.png\n\nSize\n362B (362 bytes)\nMD5\n3c0e6546a44bd9a0f2768df07db5c1c9 Copy MD5 to clipboard\nSHA1\neddf26d1da4a140f2f963b8564c4e99cd6f1a677 Copy SHA1 to clipboard\nSHA256\n83eec393865a35363695d6f2416792d0117f551bb3e41d13b141d70e6b35e02c Copy SHA256 to clipboard", "modified": "2025-12-07T18:01:48.980000", "created": "2025-11-07T19:25:26.827000", "tags": [ "germany asn", "as24940 hetzner", "status connect", "associated", "present nov", "germany", "moved", "present oct", "accept", "germany unknown", "web trebuchet", "ms lucida", "grande lucida", "sans unicode", "lucida sans", "tahoma", "passive dns", "title", "error", "gmbh ccp", "germany germany", "asn as197540", "response ip", "address google", "safe browsing", "present jun", "present may", "present mar", "present jan", "urls", "aaaa", "gmt content", "type", "tags", "tag groups", "countries", "add country", "malware att", "ck it1140", "information", "cisco", "umbrella rank", "automatic", "webgl", "please", "november", "typeof function", "topropertykey", "masonry object", "prism function", "cookies", "source level", "reverse dns", "protocol h2", "security tls", "asn24940", "online gmbh", "general full", "url https", "falkenstein", "community forum", "it url", "youtube videos", "twitch kanal", "discord channel", "spenden", "shop url", "google", "hetzneras", "http", "april", "de summary", "ehingen", "march", "google safe", "browsing", "learn", "issues tab", "value", "masonry", "domainpath name", "cgjerrieegagfw", "label", "input", "suchen nach", "suche", "form", "hash", "name value", "main", "flag", "contacted hosts", "ip address", "process details", "windir", "openurl c", "prefetch2", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "a domains", "ascio", "china unknown", "record value", "apache", "encrypt", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "related tags", "certificate", "hostname add", "url analysis", "files", "domain", "files ip", "address", "asn as24940", "less", "raspberry pi", "ubiquiti", "remote", "hostname", "pulse submit", "status", "entries", "x xss", "sameorigin x", "unicode text", "utf8 text", "click", "strings", "mitre att", "ck matrix", "pattern match", "ascii text", "href", "show process", "network traffic", "general", "hybrid", "local", "path", "monitored target", "spyglass", "spyware.", "pegasus systems", "prism", "colorado leg", "christopher p.ahmann", "ahmann", "christopher", "P", "tam legal", "treece", "alfrey", "muscat", "criminal", "jeffrey reimer", "theft", "remote connect", "schroeder dennis" ], "references": [ "Domain Name: schroederdennis.de | Status: connect", "remote.tecbuddy.de | remote.schneider-hv.de | remotedesktop.thedipling", "root-dns.netcup", "device-*******-*****-****-****-*********.remotewd.com", "ai-sandboxes.com", "Why Is this always a problem? Just curious. - http://wyblog.us/blog/rants/strikers-get-unemployment-benefits", "$ is funneled back to government, (quasi) , bonused \u2018doctors\u2019 State \u2018experts\u2019 who\u2026", "\u2026lie about the severity of injuries and do crap like this.", "This money belongs to people who paid insurance to cover on job injuries that happen in the job.", "Premise liability covers premises, employees and premises visitors. Weaponizing is not covered.", "Those attacked are the severely injured, survivors of dead workers, victims of providers.", "These people aren\u2019t in the dark. They are clear of the need to pay benefits.", "There are absolute losers in the dole illegally benefiting from the suffering others.", "https://hybrid-analysis.com/sample/00f5292bbe68d9edc68f9a22a750eafb58e4f8474e15a48e3cc217fbbd0cdef9/690e24bb39c801e6d80a824e", "\u2022 http://demo.ideaboxthemes.com/prism", "https://photoprism.thedipling.dns64.de/ \u2022 synertec-audit-cloud.healthchecks.prismcloud.uk", "photoprism.thedipling.dns64.de \u2022 https://schroederdennis.de/wp-content/plugins/highlighting-code-block/assets/js/prism.js?ver=2.0.1", "\"OC47TWOY.txt\" has type \"ASCII text\"- [targetUID: N/A] \"spyglass-w_1_.png\" has type \"Unknown\"- [targetUID: N/A]", "\"spyglass-w_1_.png\" has type \"Unknown\" and extension \"png\" \"clock-g_1_.png\" has type \"Unknown\" and extension \"png\"", "Domain healthcareshapers.com \u2022 https://www.healthcareshapers.com/", "www.ventoxhealthcare.in \u2022 synertec-audit-cloud.healthchecks.prismcloud.uk", "https://cullenbehavioralhealth.theraplatform.com/ \u2022 amghealthnetwork.com", "3ddruck-celle.de", "wwwwww.publicpublicwww.portal.apple-apple-number3.ipv64.net", "sonarr.app.pineapplegod.co.nz", "http://svc.ghlink.com/svc/Authenticate/Applications", "https://sap.dswd.gov.ph.index.ph \u2022 login.prod.siecm.gov.mg \u2022 nre-362.dev.nre.gss.gov.uk", "sdp-dev-ingest.ci.lineageandprovenance.gss.gov.uk", "http://www.xonitec.com/pornosu/yuotubesex.html", "rowanandbenporn.ssssssssssssshadow.home64.de", "https://pagead2.googlesyndication.com/pagead/ads?ltd_cs=1&client=ca-pub-6165363645315831&output=html&adk=1812271804&adf=3025194257&lmt=1713778114&plat=3%3A16%2C4%3A16%2C8%3A4194304%2C9%3A134250504%2C16%3A8388608%2C17%3A32%2C24%3A32%2C25%3A32%2C30%3A1081344%2C32%3A32%2C41%3A32%2C42%3A32&format=0x0&url=https%3A%2F%2Fschroederdennis.de%2Fubiquiti%2Fubiquiti-unifi-u6-plus-vs-u6-lite-vergleich-access-point-wifi%2F&pra=5&wgl=1&easpi=0&asro=0&uach=WyJXaW4zMiIsIjEwLjAuMCIsIng4NiIsIiIsIjEyNC4wLjYzNjcuNjAiLG51bGwsMCx", "https://urlscan.io/result/019a5fbd-e7c6-743a-b9a7-a20e8b2943cd/", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Packed.Rrat-9798963-0", "display_name": "Win.Packed.Rrat-9798963-0", "target": null }, { "id": "Win.Dropper.LimeRAT-9776087-0", "display_name": "Win.Dropper.LimeRAT-9776087-0", "target": null }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [ "Healthcare", "Legal", "Government", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1258, "hostname": 2018, "URL": 3033, "FileHash-SHA256": 651, "email": 4, "FileHash-MD5": 62, "FileHash-SHA1": 69, "SSLCertFingerprint": 5 }, "indicator_count": 7100, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "132 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fbc84609098d17c316f23c", "name": "NSO - Multiple crimes", "description": "Multiple crimes including illegal gambling, loan sharking, cybercrimes , content reputation , instructions. Starfield seen again. Team 8 has seen Starfield in more than 300 pulses. Now it\u2019s gone. Check your devices for innocent looking searches you\u2019ve never searched. Browser extensions found on 3 targeted devices with an adversary with full CnC armed with a deletion and disk wipe service. Local - Denver. \n\nAlso, very concerning is specific Airline to be attacked revealed. It cant be researched without bringing down a flight or messing up air command & control. DJT has already made travel a risky feat by being influenced to fire the (NOAA) & (DOT). Its manipulation. PP Mafia bros. \n\nDoes anyone have any power? Contact someone. We did have a mystery plane incident in Denver after I first reported. Just space junk , ya know the usual. I am serious about preventing crime. I need some help!", "modified": "2025-11-23T17:00:58.297000", "created": "2025-10-24T18:41:10.936000", "tags": [ "type indicator", "added active", "related pulses", "script urls", "united", "unknown ns", "a domains", "ip address", "meta", "asn as13335", "msie", "chrome", "ransom", "trojan", "passive dns", "backdoor", "http request", "twitter", "win32/crix.c check-in", "gmt content", "ipv4", "urls", "files", "data upload", "extraction", "domain add", "e emeseieee", "dynamicloader", "e eue", "eweienedeoewese", "windows nt", "wow64", "slcc2", "media center", "edeeefeaeuelete", "unknown", "write", "bits", "malware", "xserver", "encrypt", "unknown aaaa", "moved", "cloudfront x", "hio52 p1", "name servers", "accept encoding", "emails", "servers", "extr", "u a640", "a69f u", "fe2e fe2f", "u a720", "a7ff", "u feff", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "pattern match", "mitre att", "null", "body", "pizza", "friday", "hybrid", "general", "local", "path", "starfield", "iframe", "click", "strings", "core", "bet", "gambling", "record value", "date", "present sep", "present apr", "colombia", "present jun", "present nov", "cookie", "present oct", "entries", "next associated", "error", "attack", "government", "scotland", "news", "covid19", "subscribe", "october", "crown copyright", "nhs scotland", "parliament", "coronavirus", "redacted for", "domain status", "server", "privacy tech", "privacy admin", "email", "country", "postal code", "stateprovince", "code", "host name", "rdap database", "handle", "iana registrar", "entity roles", "links", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "validity", "subject public", "key info", "medium", "write c", "search", "pe file", "high", "checks", "http", "delete", "copy", "guard", "mozilla", "next", "godaddy", "creation date", "hostname", "pulse submit", "url analysis", "domain", "files ip", "trojandropper", "mtb oct", "mtb may", "refloadapihash", "foundry", "fastly", "value a", "com laude", "ltd dba", "nomiq", "limited dba", "pulse", "location united", "asn asnone", "nameservers" ], "references": [ "giovannisnypizza.net \u2022 http://www.giovannisnypizza.net \u2022", "fazendabetb.live \u2022 bowiesports.com Check first???", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino", "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022", "05bet99.bet \u2022 app.05bet99.bet \u2022 betterlifeschool.kr \u2022 bbrbet.today", "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com", "cashloanboat.com \u2022 mx-loans-5o.today\u2022 nodoccommercialloan", "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/", "m.casinometropol225.com \u2022 casinometropol285.com \u2022 http://bonus.casinometropol285.com \u2022", "https://bonus.casinometropol285.com \u2022 www.aksescasinobet77.icu bonus.casinometropol285.com \u2022", "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au", "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))", "The Scottish Government www.gov.scot The NHS Scotland support", "http://129.2.4.2/32 Lencr", "qlw020.managed-sprint.dynalabs.io (Check)", "brave-ohttp-relay-dev.fastly-edge.com (Palantir)", "ims.foundryfabrication.co.uk \u2022 timelog.foundryfabrication.co.uk \u2022 ims.foundryfabrication.co", "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com", "vb.cu \u2022 vb \u2022 vb.il \u2022 vb.cu \u2022 vb.il \u2022 docs.fastly.com \u2022 docs.fastly.com", "ExternalHosts: US", "Starfield again - HoneyPot / Dod- DoW", "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction", "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware", "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Germany", "Bulgaria", "Singapore", "Denmark", "Australia", "Jersey", "Japan", "Canada" ], "malware_families": [ { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Autoit", "display_name": "Autoit", "target": null }, { "id": "Ransom:Win32/Crowti", "display_name": "Ransom:Win32/Crowti", "target": "/malware/Ransom:Win32/Crowti" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#Lowfi:SIGATTR:DownloadAndExecute", "display_name": "#Lowfi:SIGATTR:DownloadAndExecute", "target": null }, { "id": "Win.Dropper.Vbclone", "display_name": "Win.Dropper.Vbclone", "target": null }, { "id": "Win.Packer", "display_name": "Win.Packer", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6261, "domain": 1806, "hostname": 2427, "FileHash-MD5": 384, "FileHash-SHA1": 381, "email": 13, "FileHash-SHA256": 1418, "SSLCertFingerprint": 14 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fc18514965ccd3b55c216d", "name": "Dorv \u2022 Obfuscator - Affecting DropBox", "description": "", "modified": "2025-11-23T17:00:58.297000", "created": "2025-10-25T00:22:41.686000", "tags": [ "type indicator", "added active", "related pulses", "script urls", "united", "unknown ns", "a domains", "ip address", "meta", "asn as13335", "msie", "chrome", "ransom", "trojan", "passive dns", "backdoor", "http request", "twitter", "win32/crix.c check-in", "gmt content", "ipv4", "urls", "files", "data upload", "extraction", "domain add", "e emeseieee", "dynamicloader", "e eue", "eweienedeoewese", "windows nt", "wow64", "slcc2", "media center", "edeeefeaeuelete", "unknown", "write", "bits", "malware", "xserver", "encrypt", "unknown aaaa", "moved", "cloudfront x", "hio52 p1", "name servers", "accept encoding", "emails", "servers", "extr", "u a640", "a69f u", "fe2e fe2f", "u a720", "a7ff", "u feff", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "pattern match", "mitre att", "null", "body", "pizza", "friday", "hybrid", "general", "local", "path", "starfield", "iframe", "click", "strings", "core", "bet", "gambling", "record value", "date", "present sep", "present apr", "colombia", "present jun", "present nov", "cookie", "present oct", "entries", "next associated", "error", "attack", "government", "scotland", "news", "covid19", "subscribe", "october", "crown copyright", "nhs scotland", "parliament", "coronavirus", "redacted for", "domain status", "server", "privacy tech", "privacy admin", "email", "country", "postal code", "stateprovince", "code", "host name", "rdap database", "handle", "iana registrar", "entity roles", "links", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "validity", "subject public", "key info", "medium", "write c", "search", "pe file", "high", "checks", "http", "delete", "copy", "guard", "mozilla", "next", "godaddy", "creation date", "hostname", "pulse submit", "url analysis", "domain", "files ip", "trojandropper", "mtb oct", "mtb may", "refloadapihash", "foundry", "fastly", "value a", "com laude", "ltd dba", "nomiq", "limited dba", "pulse", "location united", "asn asnone", "nameservers" ], "references": [ "giovannisnypizza.net \u2022 http://www.giovannisnypizza.net \u2022", "fazendabetb.live \u2022 bowiesports.com Check first???", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino", "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022", "05bet99.bet \u2022 app.05bet99.bet \u2022 betterlifeschool.kr \u2022 bbrbet.today", "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com", "cashloanboat.com \u2022 mx-loans-5o.today\u2022 nodoccommercialloan", "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/", "m.casinometropol225.com \u2022 casinometropol285.com \u2022 http://bonus.casinometropol285.com \u2022", "https://bonus.casinometropol285.com \u2022 www.aksescasinobet77.icu bonus.casinometropol285.com \u2022", "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au", "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))", "The Scottish Government www.gov.scot The NHS Scotland support", "http://129.2.4.2/32 Lencr", "qlw020.managed-sprint.dynalabs.io (Check)", "brave-ohttp-relay-dev.fastly-edge.com (Palantir)", "ims.foundryfabrication.co.uk \u2022 timelog.foundryfabrication.co.uk \u2022 ims.foundryfabrication.co", "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com", "vb.cu \u2022 vb \u2022 vb.il \u2022 vb.cu \u2022 vb.il \u2022 docs.fastly.com \u2022 docs.fastly.com", "ExternalHosts: US", "Starfield again - HoneyPot / Dod- DoW", "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction", "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware", "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Germany", "Bulgaria", "Singapore", "Denmark", "Australia", "Jersey", "Japan", "Canada" ], "malware_families": [ { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Autoit", "display_name": "Autoit", "target": null }, { "id": "Ransom:Win32/Crowti", "display_name": "Ransom:Win32/Crowti", "target": "/malware/Ransom:Win32/Crowti" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#Lowfi:SIGATTR:DownloadAndExecute", "display_name": "#Lowfi:SIGATTR:DownloadAndExecute", "target": null }, { "id": "Win.Dropper.Vbclone", "display_name": "Win.Dropper.Vbclone", "target": null }, { "id": "Win.Packer", "display_name": "Win.Packer", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "68fbc84609098d17c316f23c", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6261, "domain": 1806, "hostname": 2427, "FileHash-MD5": 384, "FileHash-SHA1": 381, "email": 13, "FileHash-SHA256": 1418, "SSLCertFingerprint": 14 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://masonry.desandro.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://masonry.desandro.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776616671.3106015 }