{ "type": "URL", "indicator": "https://meta.com.apple/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://meta.com.apple/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4299354122, "indicator": "https://meta.com.apple/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69d6619d62ea0c3bbf0ebf75", "name": "Mac OS Unwanted Programs | Mac Booster application potentially installed in background without target\u2019s knowledge", "description": "Not installed by users I\u2019m researching for. Downloaded as an unwanted program Overview of com.iobit.MacBooster-3\ncom.iobit.MacBooster-3 is the package identifier for MacBooster 3, a software application developed by IObit. This application is specifically designed for optimizing and maintaining Mac computers.\nKey Features\nMacBooster 3 includes several essential features aimed at enhancing the performance and security of Mac systems:\nSystem Cleanup: .\nPerformance Boosting: \nMalware Protection: .\nCompatibility\nMacBooster 3 is compatible with macOS versions starting from OS X 10.9. False - \nWhat are the potential risks of using MacBooster 3 on a Mac computer?\nUsing MacBooster 3 on a Mac computer can lead to potentially unwanted program (PUP) behavior, including browser interference, frequent pop-ups, and the installation of unnecessary software.", "modified": "2026-04-08T14:09:33.432000", "created": "2026-04-08T14:09:33.432000", "tags": [ "issuer apple", "valid from", "valid", "serial number", "macho", "macho 64bit", "mac os", "x macho", "intel", "file version", "team identifier", "apple root", "ca feb", "am ma9eduzpcw", "signers", "issuer valid", "from valid", "status issuer", "apple inc", "valid apple", "a9 a8", "process32nextw", "regsetvalueexa", "read c", "regdword", "tls handshake", "failure", "msie", "malware", "write", "win32", "unknown", "dynamicloader", "high", "myapp", "device driver", "host", "worm", "delphi", "error", "code", "defender", "next", "file score", "cryp", "virus", "checkin tls", "forbidden yara", "msvisualcpp2008", "less ip", "contacted", "scanning host", "trojan", "exploit host", "apple inc", "monitored target", "targeting", "name servers", "servers", "expiration date", "value emails", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "tulach" ], "references": [ "com.iobit.MacBooster-3", "IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden", "Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ,", "Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun", "Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer", "Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe", "Alerts: injection_process_search antivm_network_adapters privilege_luid_check", "Alerts: checks_debugger has_pdb raises_exception", "IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96", "Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com", "Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen", "I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.", "https://otx.alienvault.com/indicator/cve/CVE-2023-22518", "Issue! Team member found CVE-2023-22518 have origins from the State of Colorado", "Issue! Multiple IoC\u2019s missing.", "A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more", "I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place", "Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue", "Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s", "Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.", "Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?", "Researching using an easy powerful tool like this has led to confrontations.", "I liked the tool. There is something strange happening with the pulses & IoC\u2019s", "I did not clone my pulse to read Bit.io", "I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members", "There are serious researchers on here for a short time hoping to resolve serious cyber issues", "I am unable to reach Level Blue regarding issues. Mailer Daemon only", "It\u2019s not just me. I have contacted from very secured emails, networks, devices", "I typically follow targets who have truly dangerous situations who no longer pulse.", "This would be sent in an email but \u2026.", "About pulse, found in peripheral.", "When your pulse says contacted, who is contacted besides OTX?", "An earlier version contacted entities affected or affecting targets." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 75, "FileHash-MD5": 102, "FileHash-SHA256": 2076, "IPv4": 111, "URL": 2496, "CVE": 2, "domain": 483, "hostname": 938, "email": 4, "SSLCertFingerprint": 2 }, "indicator_count": 6289, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d5984ae3b073952a9f8559", "name": "VirusTotal report for geomi / cape / yomi hunter / zenbox", "description": "The collision of legacy software, rapidly advancing AI, and modern infrastructure has created a critical juncture for digital oversight. Current surveillance practices within these hybrid environments often operate without transparency or defined accountability, leading to heightened risks in data privacy and system security. The only viable forward path is adopting a stance of deliberate, good intent and establishing stringent accountability structures to preserve the foundational integrity of the internet. This should not happen, ever.", "modified": "2026-04-08T01:27:12.512000", "created": "2026-04-07T23:50:34.805000", "tags": [ "a nxdomain", "ds nxdomain", "nxdomain", "unknown", "passive dns", "ip address", "domain", "pulse pulses", "urls", "files", "msie", "windows nt", "wow64", "slcc2", "media center", "ref b", "file type", "sysv", "sample", "drops", "ascii", "https", "performs dns", "tls version", "mitre attack", "network info", "reads cpu", "proc indicative", "persistence", "memory pattern", "dns resolutions", "ip traffic", "domains", "urls http", "tls sni", "hashes cape", "linux", "zenbox linux", "file system", "ipv4", "cdn range", "ssltls client", "less ip", "contacted", "related pulses", "pulses", "tags", "related tags", "ascii text", "size", "sha256", "ssdeep", "magic", "trid null", "macbinary", "memo file", "apollo database", "engine", "magika iso", "file size", "accept", "gmt ifnonematch", "uri data", "united", "pdfkit.net", "sim", "uuid", "privileged access", "evasion", "wiper", "not cryptographically sound", "time change auth by root date" ], "references": [ "https://otx.alienvault.com/pulse/69d5859750dfad7fe7989ef4", "https://www.virustotal.com/gui/file/64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b/behavior", "https://www.virustotal.com/gui/file/2e9df8987212300815928e0426e9358b1380a1eaba38270d03dd69e421686b5b/behavior", "https://www.virustotal.com/gui/file/897b30acabf35da4937b1b8258d30dd2f89cf64ada8522b558d01eb503b7b85f/behavior", "https://www.virustotal.com/graph/gd016713b8645450da71f7493b0829def1376ce3e16cf4f6d95061a7400af5447", "https://www.virustotal.com/gui/file/4bf52ea159354bc0aefecb53fbf93b2fea7019eabf9ada27c58fa00c1e9bb990/details", "https://www.virustotal.com/gui/file/c0085eb467d2fc9c9f395047e057183b3cd1503a4087d0db565161c13527a76f/detection/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 147, "FileHash-SHA1": 117, "FileHash-SHA256": 110, "URL": 243, "hostname": 138, "domain": 15, "IPv4": 176, "CVE": 4 }, "indicator_count": 950, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d5a070bf1c88b4790eea91", "name": "Geomi / Cape Threat / Yomi Hunter / Zenbox | ", "description": "", "modified": "2026-04-08T00:25:20.217000", "created": "2026-04-08T00:25:20.217000", "tags": [ "a nxdomain", "ds nxdomain", "nxdomain", "unknown", "passive dns", "ip address", "domain", "pulse pulses", "urls", "files", "msie", "windows nt", "wow64", "slcc2", "media center", "ref b", "file type", "sysv", "sample", "drops", "ascii", "https", "performs dns", "tls version", "mitre attack", "network info", "reads cpu", "proc indicative", "persistence", "memory pattern", "dns resolutions", "ip traffic", "domains", "urls http", "tls sni", "hashes cape", "linux", "zenbox linux", "file system", "ipv4", "cdn range", "ssltls client", "less ip", "contacted", "related pulses", "pulses", "tags", "related tags", "ascii text", "size", "sha256", "ssdeep", "magic", "trid null", "macbinary", "memo file", "apollo database", "engine", "magika iso", "file size", "accept", "gmt ifnonematch", "uri data", "united", "pdfkit.net", "sim", "uuid", "privileged access", "evasion", "wiper", "not cryptographically sound", "time change auth by root date" ], "references": [ "https://otx.alienvault.com/pulse/69d5859750dfad7fe7989ef4", "https://www.virustotal.com/gui/file/64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b/behavior", "https://www.virustotal.com/gui/file/2e9df8987212300815928e0426e9358b1380a1eaba38270d03dd69e421686b5b/behavior", "https://www.virustotal.com/gui/file/897b30acabf35da4937b1b8258d30dd2f89cf64ada8522b558d01eb503b7b85f/behavior", "https://www.virustotal.com/graph/gd016713b8645450da71f7493b0829def1376ce3e16cf4f6d95061a7400af5447", "https://www.virustotal.com/gui/file/4bf52ea159354bc0aefecb53fbf93b2fea7019eabf9ada27c58fa00c1e9bb990/details", "https://www.virustotal.com/gui/file/c0085eb467d2fc9c9f395047e057183b3cd1503a4087d0db565161c13527a76f/detection/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" } ], "industries": [], "TLP": "green", "cloned_from": "69d5984ae3b073952a9f8559", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 147, "FileHash-SHA1": 117, "FileHash-SHA256": 110, "URL": 243, "hostname": 138, "domain": 14, "IPv4": 176, "CVE": 4 }, "indicator_count": 949, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d586108786e7be59439809", "name": "Bot.io", "description": "", "modified": "2026-04-07T22:32:48.996000", "created": "2026-04-07T22:32:48.996000", "tags": [ "added active", "related pulses", "found", "zergeca botnet", "zergeca", "upx packer", "khtml", "gecko", "united", "ids detections", "yara detections", "https domain", "tls sni", "ip lookup", "external ip", "malware", "encrypt", "techniques", "modify system", "process", "https", "performs dns", "tls version", "reads cpu", "proc indicative", "urls", "downloads", "persistence", "data upload", "extraction", "find s", "failed", "typ don", "ipv4 url", "canreb", "type ipv4", "url domail", "domail showing", "elf conta", "typ url", "zercega", "enter sc", "type", "include", "review", "n1 exclude", "suggestedincc", "a50 typ", "ipv4", "matches yara", "dete data", "yara detectea", "cro intormation", "exclude sugges", "sc car", "extra lte", "referen", "l extraction", "droo anv", "extr referen", "lte all", "je matches", "yara detel", "yara dete", "include review", "exchange lte", "je elf", "passive dns", "certificate", "files", "trojan", "related tags", "worm", "medium", "write c", "write", "high", "binary", "yara rule", "default", "moved", "schaan", "as834 ipxo", "dynamicloader", "program", "ee fc", "users", "ff d5", "python", "windows", "autoit", "confuserex", "stream", "guard", "launcher", "updater", "global", "america flag", "ashburn", "america related", "tags", "indicator facts", "historical otx", "controller fake", "akamai rank", "russia", "present nov", "aaaa", "link", "a domains", "ip address", "meta", "cve -2014-2321", "handle", "address range", "cidr", "network name", "allocation type", "pa status", "whois server", "included iocs", "manually add", "iocs o", "iocs", "sugges", "stop show", "types", "external", "ripe", "pa abusec", "neterra", "sofia", "bulgaria phone", "filtered person", "neven dilkov", "bg phone", "filtered route", "a5ip", "aa2023", "aamirai", "a2scanner", "apple inc", "issuer", "valid", "algorit", "thum", "name", "a9 a8", "status", "macho", "macho 64bit", "mac os", "x macho", "intel", "typ no", "td td", "td tr", "a td", "dynamic dns", "date", "name servers", "arial", "error", "null", "enough", "hosts", "win32", "fast", "contacted", "MacSync_AppleScript_Stealer", "cve-2018-10562", "source", "roboto", "robotodraft", "helvetica", "iframe", "manually ada", "review iocs", "abv0", "qaeaav0", "cptbdev", "w4uninitialized", "qaeaav01", "abv01", "qaexn", "qbenxz", "phoneidentify", "qbepaxxz" ], "references": [ "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org", "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com", "Zercega \u2022 IPv4 84.54.51.82", "Zercega \u2022 http://bot.hamsterrace.space:5966/", "Zercega \u2022 multi-user.target", "Zercega \u2022 ootheca.pw", "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393", "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS rules:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.", "Yara detected: Xmrig cryptocurrency miner", "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance", "meta.com \u2022 meta.com.apple", "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63", "ELF contains segments with high entropy indicating compressed/encrypted content", "/etc/systemd/system/geomi.service File type: ASCII text", "http://www.bing.lt/search?q=", "Win.Malware.Salat-10058846-0", "Yara Detections: MacSync_AppleScript_Stealer", "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara", "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process", "Alerts: resumethread_remote_process enumerates_running_processes reads_self", "Alerts: packer_unknown_pe_section_name script_tool_executed", "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry", "Contacted: 188.114.96.1 Domains Contacted dns.google", "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "display_name": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "target": "/malware/Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "CVE-2014-2321", "display_name": "CVE-2014-2321", "target": null }, { "id": "Botnet", "display_name": "Botnet", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" } ], "industries": [], "TLP": "green", "cloned_from": "69d5859750dfad7fe7989ef4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 169, "URL": 1871, "domain": 393, "hostname": 925, "FileHash-MD5": 391, "FileHash-SHA1": 390, "FileHash-SHA256": 2452, "CVE": 1, "SSLCertFingerprint": 1, "IPv6": 9, "email": 4, "CIDR": 1 }, "indicator_count": 6607, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d5859750dfad7fe7989ef4", "name": "Apple / Cloud/ Data Network within Zergeca / Zerg Botnet \u2022 MacSync_AppleScript_Stealer", "description": "", "modified": "2026-04-07T22:30:47.312000", "created": "2026-04-07T22:30:47.312000", "tags": [ "added active", "related pulses", "found", "zergeca botnet", "zergeca", "upx packer", "khtml", "gecko", "united", "ids detections", "yara detections", "https domain", "tls sni", "ip lookup", "external ip", "malware", "encrypt", "techniques", "modify system", "process", "https", "performs dns", "tls version", "reads cpu", "proc indicative", "urls", "downloads", "persistence", "data upload", "extraction", "find s", "failed", "typ don", "ipv4 url", "canreb", "type ipv4", "url domail", "domail showing", "elf conta", "typ url", "zercega", "enter sc", "type", "include", "review", "n1 exclude", "suggestedincc", "a50 typ", "ipv4", "matches yara", "dete data", "yara detectea", "cro intormation", "exclude sugges", "sc car", "extra lte", "referen", "l extraction", "droo anv", "extr referen", "lte all", "je matches", "yara detel", "yara dete", "include review", "exchange lte", "je elf", "passive dns", "certificate", "files", "trojan", "related tags", "worm", "medium", "write c", "write", "high", "binary", "yara rule", "default", "moved", "schaan", "as834 ipxo", "dynamicloader", "program", "ee fc", "users", "ff d5", "python", "windows", "autoit", "confuserex", "stream", "guard", "launcher", "updater", "global", "america flag", "ashburn", "america related", "tags", "indicator facts", "historical otx", "controller fake", "akamai rank", "russia", "present nov", "aaaa", "link", "a domains", "ip address", "meta", "cve -2014-2321", "handle", "address range", "cidr", "network name", "allocation type", "pa status", "whois server", "included iocs", "manually add", "iocs o", "iocs", "sugges", "stop show", "types", "external", "ripe", "pa abusec", "neterra", "sofia", "bulgaria phone", "filtered person", "neven dilkov", "bg phone", "filtered route", "a5ip", "aa2023", "aamirai", "a2scanner", "apple inc", "issuer", "valid", "algorit", "thum", "name", "a9 a8", "status", "macho", "macho 64bit", "mac os", "x macho", "intel", "typ no", "td td", "td tr", "a td", "dynamic dns", "date", "name servers", "arial", "error", "null", "enough", "hosts", "win32", "fast", "contacted", "MacSync_AppleScript_Stealer", "cve-2018-10562", "source", "roboto", "robotodraft", "helvetica", "iframe", "manually ada", "review iocs", "abv0", "qaeaav0", "cptbdev", "w4uninitialized", "qaeaav01", "abv01", "qaexn", "qbenxz", "phoneidentify", "qbepaxxz" ], "references": [ "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org", "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com", "Zercega \u2022 IPv4 84.54.51.82", "Zercega \u2022 http://bot.hamsterrace.space:5966/", "Zercega \u2022 multi-user.target", "Zercega \u2022 ootheca.pw", "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393", "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS rules:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.", "Yara detected: Xmrig cryptocurrency miner", "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance", "meta.com \u2022 meta.com.apple", "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63", "ELF contains segments with high entropy indicating compressed/encrypted content", "/etc/systemd/system/geomi.service File type: ASCII text", "http://www.bing.lt/search?q=", "Win.Malware.Salat-10058846-0", "Yara Detections: MacSync_AppleScript_Stealer", "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara", "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process", "Alerts: resumethread_remote_process enumerates_running_processes reads_self", "Alerts: packer_unknown_pe_section_name script_tool_executed", "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry", "Contacted: 188.114.96.1 Domains Contacted dns.google", "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "display_name": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "target": "/malware/Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "CVE-2014-2321", "display_name": "CVE-2014-2321", "target": null }, { "id": "Botnet", "display_name": "Botnet", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 169, "URL": 1871, "domain": 393, "hostname": 925, "FileHash-MD5": 391, "FileHash-SHA1": 390, "FileHash-SHA256": 2452, "CVE": 1, "SSLCertFingerprint": 1, "IPv6": 9, "email": 4, "CIDR": 1 }, "indicator_count": 6607, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Yara detected: Xmrig cryptocurrency miner", "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry", "Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue", "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.", "https://www.virustotal.com/gui/file/64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b/behavior", "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com", "IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden", "Alerts: checks_debugger has_pdb raises_exception", "Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.", "https://www.virustotal.com/graph/gd016713b8645450da71f7493b0829def1376ce3e16cf4f6d95061a7400af5447", "Zercega \u2022 http://bot.hamsterrace.space:5966/", "I did not clone my pulse to read Bit.io", "It\u2019s not just me. I have contacted from very secured emails, networks, devices", "About pulse, found in peripheral.", "https://otx.alienvault.com/pulse/69d5859750dfad7fe7989ef4", "Crowdsourced IDS rules:", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun", "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara", "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393", "Zercega \u2022 IPv4 84.54.51.82", "ELF contains segments with high entropy indicating compressed/encrypted content", "Zercega \u2022 ootheca.pw", "https://otx.alienvault.com/indicator/cve/CVE-2023-22518", "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "When your pulse says contacted, who is contacted besides OTX?", "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com", "An earlier version contacted entities affected or affecting targets.", "I am unable to reach Level Blue regarding issues. Mailer Daemon only", "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page", "Issue! Team member found CVE-2023-22518 have origins from the State of Colorado", "https://www.virustotal.com/gui/file/2e9df8987212300815928e0426e9358b1380a1eaba38270d03dd69e421686b5b/behavior", "Alerts: injection_process_search antivm_network_adapters privilege_luid_check", "Alerts: resumethread_remote_process enumerates_running_processes reads_self", "Alerts: packer_unknown_pe_section_name script_tool_executed", "IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96", "meta.com \u2022 meta.com.apple", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api", "Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?", "This would be sent in an email but \u2026.", "https://www.virustotal.com/gui/file/897b30acabf35da4937b1b8258d30dd2f89cf64ada8522b558d01eb503b7b85f/behavior", "I typically follow targets who have truly dangerous situations who no longer pulse.", "I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members", "https://www.virustotal.com/gui/file/c0085eb467d2fc9c9f395047e057183b3cd1503a4087d0db565161c13527a76f/detection/", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer", "/etc/systemd/system/geomi.service File type: ASCII text", "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance", "http://www.bing.lt/search?q=", "Win.Malware.Salat-10058846-0", "Researching using an easy powerful tool like this has led to confrontations.", "Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s", "Yara Detections: MacSync_AppleScript_Stealer", "I liked the tool. There is something strange happening with the pulses & IoC\u2019s", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more", "Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ,", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Issue! Multiple IoC\u2019s missing.", "I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.", "https://www.virustotal.com/gui/file/4bf52ea159354bc0aefecb53fbf93b2fea7019eabf9ada27c58fa00c1e9bb990/details", "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63", "Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe", "Contacted: 188.114.96.1 Domains Contacted dns.google", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "com.iobit.MacBooster-3", "Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen", "There are serious researchers on here for a short time hoping to resolve serious cyber issues", "Zercega \u2022 multi-user.target", "I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Worm:win32/autorun!atmn", "Cve-2025-20393", "Zergeca", "Cve-2018-10562", "Cve-2023-22518", "Autoit", "Win.trojan.emotet-9850453-0", "Cve-2024-6387", "Exploit:win32/cve-2017-0147", "Cve-2014-2321", "Virus:win32/floxif.h", "Alf:jasyp:trojandownloader:win32/smallagent!", "Win.trojan.tofsee-7102058-0\tbackdoor:win32/tofsee.t", "Ransom:win32/cve-2017-0147", "Botnet", "Win.malware.salat-10058846-0" ], "industries": [], "unique_indicators": 12477 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/com.apple", "whois": "http://whois.domaintools.com/com.apple", "domain": "com.apple", "hostname": "meta.com.apple" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69d6619d62ea0c3bbf0ebf75", "name": "Mac OS Unwanted Programs | Mac Booster application potentially installed in background without target\u2019s knowledge", "description": "Not installed by users I\u2019m researching for. Downloaded as an unwanted program Overview of com.iobit.MacBooster-3\ncom.iobit.MacBooster-3 is the package identifier for MacBooster 3, a software application developed by IObit. This application is specifically designed for optimizing and maintaining Mac computers.\nKey Features\nMacBooster 3 includes several essential features aimed at enhancing the performance and security of Mac systems:\nSystem Cleanup: .\nPerformance Boosting: \nMalware Protection: .\nCompatibility\nMacBooster 3 is compatible with macOS versions starting from OS X 10.9. False - \nWhat are the potential risks of using MacBooster 3 on a Mac computer?\nUsing MacBooster 3 on a Mac computer can lead to potentially unwanted program (PUP) behavior, including browser interference, frequent pop-ups, and the installation of unnecessary software.", "modified": "2026-04-08T14:09:33.432000", "created": "2026-04-08T14:09:33.432000", "tags": [ "issuer apple", "valid from", "valid", "serial number", "macho", "macho 64bit", "mac os", "x macho", "intel", "file version", "team identifier", "apple root", "ca feb", "am ma9eduzpcw", "signers", "issuer valid", "from valid", "status issuer", "apple inc", "valid apple", "a9 a8", "process32nextw", "regsetvalueexa", "read c", "regdword", "tls handshake", "failure", "msie", "malware", "write", "win32", "unknown", "dynamicloader", "high", "myapp", "device driver", "host", "worm", "delphi", "error", "code", "defender", "next", "file score", "cryp", "virus", "checkin tls", "forbidden yara", "msvisualcpp2008", "less ip", "contacted", "scanning host", "trojan", "exploit host", "apple inc", "monitored target", "targeting", "name servers", "servers", "expiration date", "value emails", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "tulach" ], "references": [ "com.iobit.MacBooster-3", "IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden", "Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ,", "Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun", "Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer", "Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe", "Alerts: injection_process_search antivm_network_adapters privilege_luid_check", "Alerts: checks_debugger has_pdb raises_exception", "IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96", "Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com", "Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen", "I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.", "https://otx.alienvault.com/indicator/cve/CVE-2023-22518", "Issue! Team member found CVE-2023-22518 have origins from the State of Colorado", "Issue! Multiple IoC\u2019s missing.", "A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more", "I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place", "Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue", "Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s", "Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.", "Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?", "Researching using an easy powerful tool like this has led to confrontations.", "I liked the tool. There is something strange happening with the pulses & IoC\u2019s", "I did not clone my pulse to read Bit.io", "I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members", "There are serious researchers on here for a short time hoping to resolve serious cyber issues", "I am unable to reach Level Blue regarding issues. Mailer Daemon only", "It\u2019s not just me. I have contacted from very secured emails, networks, devices", "I typically follow targets who have truly dangerous situations who no longer pulse.", "This would be sent in an email but \u2026.", "About pulse, found in peripheral.", "When your pulse says contacted, who is contacted besides OTX?", "An earlier version contacted entities affected or affecting targets." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 75, "FileHash-MD5": 102, "FileHash-SHA256": 2076, "IPv4": 111, "URL": 2496, "CVE": 2, "domain": 483, "hostname": 938, "email": 4, "SSLCertFingerprint": 2 }, "indicator_count": 6289, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d5984ae3b073952a9f8559", "name": "VirusTotal report for geomi / cape / yomi hunter / zenbox", "description": "The collision of legacy software, rapidly advancing AI, and modern infrastructure has created a critical juncture for digital oversight. Current surveillance practices within these hybrid environments often operate without transparency or defined accountability, leading to heightened risks in data privacy and system security. The only viable forward path is adopting a stance of deliberate, good intent and establishing stringent accountability structures to preserve the foundational integrity of the internet. This should not happen, ever.", "modified": "2026-04-08T01:27:12.512000", "created": "2026-04-07T23:50:34.805000", "tags": [ "a nxdomain", "ds nxdomain", "nxdomain", "unknown", "passive dns", "ip address", "domain", "pulse pulses", "urls", "files", "msie", "windows nt", "wow64", "slcc2", "media center", "ref b", "file type", "sysv", "sample", "drops", "ascii", "https", "performs dns", "tls version", "mitre attack", "network info", "reads cpu", "proc indicative", "persistence", "memory pattern", "dns resolutions", "ip traffic", "domains", "urls http", "tls sni", "hashes cape", "linux", "zenbox linux", "file system", "ipv4", "cdn range", "ssltls client", "less ip", "contacted", "related pulses", "pulses", "tags", "related tags", "ascii text", "size", "sha256", "ssdeep", "magic", "trid null", "macbinary", "memo file", "apollo database", "engine", "magika iso", "file size", "accept", "gmt ifnonematch", "uri data", "united", "pdfkit.net", "sim", "uuid", "privileged access", "evasion", "wiper", "not cryptographically sound", "time change auth by root date" ], "references": [ "https://otx.alienvault.com/pulse/69d5859750dfad7fe7989ef4", "https://www.virustotal.com/gui/file/64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b/behavior", "https://www.virustotal.com/gui/file/2e9df8987212300815928e0426e9358b1380a1eaba38270d03dd69e421686b5b/behavior", "https://www.virustotal.com/gui/file/897b30acabf35da4937b1b8258d30dd2f89cf64ada8522b558d01eb503b7b85f/behavior", "https://www.virustotal.com/graph/gd016713b8645450da71f7493b0829def1376ce3e16cf4f6d95061a7400af5447", "https://www.virustotal.com/gui/file/4bf52ea159354bc0aefecb53fbf93b2fea7019eabf9ada27c58fa00c1e9bb990/details", "https://www.virustotal.com/gui/file/c0085eb467d2fc9c9f395047e057183b3cd1503a4087d0db565161c13527a76f/detection/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 147, "FileHash-SHA1": 117, "FileHash-SHA256": 110, "URL": 243, "hostname": 138, "domain": 15, "IPv4": 176, "CVE": 4 }, "indicator_count": 950, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d5a070bf1c88b4790eea91", "name": "Geomi / Cape Threat / Yomi Hunter / Zenbox | ", "description": "", "modified": "2026-04-08T00:25:20.217000", "created": "2026-04-08T00:25:20.217000", "tags": [ "a nxdomain", "ds nxdomain", "nxdomain", "unknown", "passive dns", "ip address", "domain", "pulse pulses", "urls", "files", "msie", "windows nt", "wow64", "slcc2", "media center", "ref b", "file type", "sysv", "sample", "drops", "ascii", "https", "performs dns", "tls version", "mitre attack", "network info", "reads cpu", "proc indicative", "persistence", "memory pattern", "dns resolutions", "ip traffic", "domains", "urls http", "tls sni", "hashes cape", "linux", "zenbox linux", "file system", "ipv4", "cdn range", "ssltls client", "less ip", "contacted", "related pulses", "pulses", "tags", "related tags", "ascii text", "size", "sha256", "ssdeep", "magic", "trid null", "macbinary", "memo file", "apollo database", "engine", "magika iso", "file size", "accept", "gmt ifnonematch", "uri data", "united", "pdfkit.net", "sim", "uuid", "privileged access", "evasion", "wiper", "not cryptographically sound", "time change auth by root date" ], "references": [ "https://otx.alienvault.com/pulse/69d5859750dfad7fe7989ef4", "https://www.virustotal.com/gui/file/64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b/behavior", "https://www.virustotal.com/gui/file/2e9df8987212300815928e0426e9358b1380a1eaba38270d03dd69e421686b5b/behavior", "https://www.virustotal.com/gui/file/897b30acabf35da4937b1b8258d30dd2f89cf64ada8522b558d01eb503b7b85f/behavior", "https://www.virustotal.com/graph/gd016713b8645450da71f7493b0829def1376ce3e16cf4f6d95061a7400af5447", "https://www.virustotal.com/gui/file/4bf52ea159354bc0aefecb53fbf93b2fea7019eabf9ada27c58fa00c1e9bb990/details", "https://www.virustotal.com/gui/file/c0085eb467d2fc9c9f395047e057183b3cd1503a4087d0db565161c13527a76f/detection/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" } ], "industries": [], "TLP": "green", "cloned_from": "69d5984ae3b073952a9f8559", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 147, "FileHash-SHA1": 117, "FileHash-SHA256": 110, "URL": 243, "hostname": 138, "domain": 14, "IPv4": 176, "CVE": 4 }, "indicator_count": 949, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d586108786e7be59439809", "name": "Bot.io", "description": "", "modified": "2026-04-07T22:32:48.996000", "created": "2026-04-07T22:32:48.996000", "tags": [ "added active", "related pulses", "found", "zergeca botnet", "zergeca", "upx packer", "khtml", "gecko", "united", "ids detections", "yara detections", "https domain", "tls sni", "ip lookup", "external ip", "malware", "encrypt", "techniques", "modify system", "process", "https", "performs dns", "tls version", "reads cpu", "proc indicative", "urls", "downloads", "persistence", "data upload", "extraction", "find s", "failed", "typ don", "ipv4 url", "canreb", "type ipv4", "url domail", "domail showing", "elf conta", "typ url", "zercega", "enter sc", "type", "include", "review", "n1 exclude", "suggestedincc", "a50 typ", "ipv4", "matches yara", "dete data", "yara detectea", "cro intormation", "exclude sugges", "sc car", "extra lte", "referen", "l extraction", "droo anv", "extr referen", "lte all", "je matches", "yara detel", "yara dete", "include review", "exchange lte", "je elf", "passive dns", "certificate", "files", "trojan", "related tags", "worm", "medium", "write c", "write", "high", "binary", "yara rule", "default", "moved", "schaan", "as834 ipxo", "dynamicloader", "program", "ee fc", "users", "ff d5", "python", "windows", "autoit", "confuserex", "stream", "guard", "launcher", "updater", "global", "america flag", "ashburn", "america related", "tags", "indicator facts", "historical otx", "controller fake", "akamai rank", "russia", "present nov", "aaaa", "link", "a domains", "ip address", "meta", "cve -2014-2321", "handle", "address range", "cidr", "network name", "allocation type", "pa status", "whois server", "included iocs", "manually add", "iocs o", "iocs", "sugges", "stop show", "types", "external", "ripe", "pa abusec", "neterra", "sofia", "bulgaria phone", "filtered person", "neven dilkov", "bg phone", "filtered route", "a5ip", "aa2023", "aamirai", "a2scanner", "apple inc", "issuer", "valid", "algorit", "thum", "name", "a9 a8", "status", "macho", "macho 64bit", "mac os", "x macho", "intel", "typ no", "td td", "td tr", "a td", "dynamic dns", "date", "name servers", "arial", "error", "null", "enough", "hosts", "win32", "fast", "contacted", "MacSync_AppleScript_Stealer", "cve-2018-10562", "source", "roboto", "robotodraft", "helvetica", "iframe", "manually ada", "review iocs", "abv0", "qaeaav0", "cptbdev", "w4uninitialized", "qaeaav01", "abv01", "qaexn", "qbenxz", "phoneidentify", "qbepaxxz" ], "references": [ "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org", "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com", "Zercega \u2022 IPv4 84.54.51.82", "Zercega \u2022 http://bot.hamsterrace.space:5966/", "Zercega \u2022 multi-user.target", "Zercega \u2022 ootheca.pw", "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393", "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS rules:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.", "Yara detected: Xmrig cryptocurrency miner", "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance", "meta.com \u2022 meta.com.apple", "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63", "ELF contains segments with high entropy indicating compressed/encrypted content", "/etc/systemd/system/geomi.service File type: ASCII text", "http://www.bing.lt/search?q=", "Win.Malware.Salat-10058846-0", "Yara Detections: MacSync_AppleScript_Stealer", "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara", "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process", "Alerts: resumethread_remote_process enumerates_running_processes reads_self", "Alerts: packer_unknown_pe_section_name script_tool_executed", "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry", "Contacted: 188.114.96.1 Domains Contacted dns.google", "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "display_name": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "target": "/malware/Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "CVE-2014-2321", "display_name": "CVE-2014-2321", "target": null }, { "id": "Botnet", "display_name": "Botnet", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" } ], "industries": [], "TLP": "green", "cloned_from": "69d5859750dfad7fe7989ef4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 169, "URL": 1871, "domain": 393, "hostname": 925, "FileHash-MD5": 391, "FileHash-SHA1": 390, "FileHash-SHA256": 2452, "CVE": 1, "SSLCertFingerprint": 1, "IPv6": 9, "email": 4, "CIDR": 1 }, "indicator_count": 6607, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d5859750dfad7fe7989ef4", "name": "Apple / Cloud/ Data Network within Zergeca / Zerg Botnet \u2022 MacSync_AppleScript_Stealer", "description": "", "modified": "2026-04-07T22:30:47.312000", "created": "2026-04-07T22:30:47.312000", "tags": [ "added active", "related pulses", "found", "zergeca botnet", "zergeca", "upx packer", "khtml", "gecko", "united", "ids detections", "yara detections", "https domain", "tls sni", "ip lookup", "external ip", "malware", "encrypt", "techniques", "modify system", "process", "https", "performs dns", "tls version", "reads cpu", "proc indicative", "urls", "downloads", "persistence", "data upload", "extraction", "find s", "failed", "typ don", "ipv4 url", "canreb", "type ipv4", "url domail", "domail showing", "elf conta", "typ url", "zercega", "enter sc", "type", "include", "review", "n1 exclude", "suggestedincc", "a50 typ", "ipv4", "matches yara", "dete data", "yara detectea", "cro intormation", "exclude sugges", "sc car", "extra lte", "referen", "l extraction", "droo anv", "extr referen", "lte all", "je matches", "yara detel", "yara dete", "include review", "exchange lte", "je elf", "passive dns", "certificate", "files", "trojan", "related tags", "worm", "medium", "write c", "write", "high", "binary", "yara rule", "default", "moved", "schaan", "as834 ipxo", "dynamicloader", "program", "ee fc", "users", "ff d5", "python", "windows", "autoit", "confuserex", "stream", "guard", "launcher", "updater", "global", "america flag", "ashburn", "america related", "tags", "indicator facts", "historical otx", "controller fake", "akamai rank", "russia", "present nov", "aaaa", "link", "a domains", "ip address", "meta", "cve -2014-2321", "handle", "address range", "cidr", "network name", "allocation type", "pa status", "whois server", "included iocs", "manually add", "iocs o", "iocs", "sugges", "stop show", "types", "external", "ripe", "pa abusec", "neterra", "sofia", "bulgaria phone", "filtered person", "neven dilkov", "bg phone", "filtered route", "a5ip", "aa2023", "aamirai", "a2scanner", "apple inc", "issuer", "valid", "algorit", "thum", "name", "a9 a8", "status", "macho", "macho 64bit", "mac os", "x macho", "intel", "typ no", "td td", "td tr", "a td", "dynamic dns", "date", "name servers", "arial", "error", "null", "enough", "hosts", "win32", "fast", "contacted", "MacSync_AppleScript_Stealer", "cve-2018-10562", "source", "roboto", "robotodraft", "helvetica", "iframe", "manually ada", "review iocs", "abv0", "qaeaav0", "cptbdev", "w4uninitialized", "qaeaav01", "abv01", "qaexn", "qbenxz", "phoneidentify", "qbepaxxz" ], "references": [ "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org", "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com", "Zercega \u2022 IPv4 84.54.51.82", "Zercega \u2022 http://bot.hamsterrace.space:5966/", "Zercega \u2022 multi-user.target", "Zercega \u2022 ootheca.pw", "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393", "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS rules:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.", "Yara detected: Xmrig cryptocurrency miner", "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance", "meta.com \u2022 meta.com.apple", "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63", "ELF contains segments with high entropy indicating compressed/encrypted content", "/etc/systemd/system/geomi.service File type: ASCII text", "http://www.bing.lt/search?q=", "Win.Malware.Salat-10058846-0", "Yara Detections: MacSync_AppleScript_Stealer", "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara", "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process", "Alerts: resumethread_remote_process enumerates_running_processes reads_self", "Alerts: packer_unknown_pe_section_name script_tool_executed", "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry", "Contacted: 188.114.96.1 Domains Contacted dns.google", "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "display_name": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "target": "/malware/Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "CVE-2014-2321", "display_name": "CVE-2014-2321", "target": null }, { "id": "Botnet", "display_name": "Botnet", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 169, "URL": 1871, "domain": 393, "hostname": 925, "FileHash-MD5": 391, "FileHash-SHA1": 390, "FileHash-SHA256": 2452, "CVE": 1, "SSLCertFingerprint": 1, "IPv6": 9, "email": 4, "CIDR": 1 }, "indicator_count": 6607, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://meta.com.apple/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://meta.com.apple/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776639740.7860174 }