{
  "type": "URL",
  "indicator": "https://moodle.rmhumanservices.org",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://moodle.rmhumanservices.org",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4131745439,
      "indicator": "https://moodle.rmhumanservices.org",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 4,
      "pulses": [
        {
          "id": "69c5c4d4d6c2c617810867ec",
          "name": "Independent Research",
          "description": "<The full list of names and locations for the domain-based service, which has now been deleted, has been published by the International Association of Professional Dreditors (IPCD) and the UK government>><<pretext.<",
          "modified": "2026-04-26T00:05:54.045000",
          "created": "2026-03-26T23:44:20.652000",
          "tags": [
            "cname",
            "status",
            "registrar url",
            "value name",
            "creation date",
            "domain id",
            "domain name",
            "expiration date",
            "name servers",
            "se registrant",
            "date",
            "server",
            "redacted for",
            "redacted admin",
            "privacy tech",
            "redacted tech",
            "city",
            "privacy admin",
            "country",
            "postal code",
            "stateprovince",
            "code"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 50,
            "domain": 47,
            "hostname": 118,
            "email": 6
          },
          "indicator_count": 221,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "35 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c5b5cccffe6a5e0b756741",
          "name": "Unknown - Tracking",
          "description": "<HOSTNAME:MarkMonitor.comInc, a US-based company, has been added to Pulse.net, according to a report published by the Internet Service Authority (ICann).<pretext",
          "modified": "2026-04-25T23:14:19.460000",
          "created": "2026-03-26T22:40:12.417000",
          "tags": [
            "status",
            "creation date",
            "servers",
            "name servers",
            "pulse submit",
            "url analysis",
            "passive dns",
            "urls",
            "files",
            "ip address",
            "date",
            "whois show",
            "search",
            "record value",
            "emails",
            "name legal",
            "department name",
            "address po",
            "city seattle",
            "country us",
            "united",
            "unknown",
            "hostname",
            "location united",
            "algorithm",
            "key identifier",
            "x509v3 subject",
            "v3 serial",
            "number",
            "cus oamazon",
            "cnamazon rsa",
            "m01 validity",
            "subject public",
            "key info",
            "domain name",
            "domain",
            "expiry date",
            "update date",
            "thumbprint"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 23,
            "email": 10,
            "domain": 188,
            "hostname": 284,
            "URL": 399,
            "FileHash-SHA256": 440,
            "FileHash-SHA1": 55,
            "CVE": 2
          },
          "indicator_count": 1401,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "35 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c5c7194394ff775d44f7e0",
          "name": "WaypointsStickyChromeCache",
          "description": "A complete analysis of user-created Pulses (AVs) at the University of California, Los Angeles, has been published by the BBC's Newsnight website, along with a series of links.<pretext",
          "modified": "2026-04-25T00:36:45.595000",
          "created": "2026-03-26T23:54:01.493000",
          "tags": [
            "http",
            "urls",
            "unique",
            "pulse pulses",
            "location united",
            "flag united",
            "related",
            "pulses",
            "related tags",
            "x tec",
            "log id",
            "gmtn",
            "tls web",
            "self",
            "encrypt",
            "b2 f6",
            "b0n timestamp",
            "f9401a",
            "timestamp",
            "url add",
            "false"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 121,
            "hostname": 31,
            "domain": 5,
            "FileHash-MD5": 20,
            "FileHash-SHA1": 18,
            "FileHash-SHA256": 98,
            "SSLCertFingerprint": 2,
            "CVE": 1
          },
          "indicator_count": 296,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "36 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68cb233ba91aa1eb958b3f31",
          "name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022  OneLouder",
          "description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea",
          "modified": "2025-10-17T19:03:15.031000",
          "created": "2025-09-17T21:08:11.518000",
          "tags": [
            "script urls",
            "meta",
            "moved",
            "x tec",
            "passive dns",
            "encrypt",
            "america flag",
            "san francisco",
            "extraction",
            "data upload",
            "type indicatod",
            "united states",
            "a domains",
            "united",
            "gmt server",
            "jose",
            "university",
            "bill",
            "rmhs",
            "information",
            "board",
            "lorin",
            "joseph",
            "all veterans",
            "rocky mountain",
            "mission",
            "vice",
            "april",
            "school",
            "austin",
            "prior",
            "ipv4 add",
            "urls",
            "files",
            "location united",
            "wordpress",
            "rmhs meta",
            "tags viewport",
            "rmhs og",
            "rmhs article",
            "wpbakery page",
            "builder",
            "slider plugin",
            "google tag",
            "mountain human",
            "denver",
            "connecting",
            "denver start",
            "relevance home",
            "providers",
            "contact us",
            "rmhs main",
            "server",
            "redacted tech",
            "redacted admin",
            "registrar abuse",
            "algorithm",
            "key identifier",
            "x509v3 subject",
            "dnssec",
            "country",
            "ttl value",
            "graph summary",
            "resolved ips",
            "ip address",
            "port",
            "data",
            "screenshots no",
            "involved direct",
            "country name",
            "name response",
            "tcp connections",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "found",
            "spawns",
            "t1590 gather",
            "path",
            "ascii text",
            "exif standard",
            "tiff image",
            "format",
            "stop",
            "false",
            "soldier",
            "model",
            "youth",
            "baby",
            "june",
            "general",
            "local",
            "click",
            "strings",
            "core",
            "warrior",
            "green",
            "emotion",
            "flash",
            "nina",
            "hunk",
            "fono",
            "daam",
            "mitre att",
            "ck techniques",
            "id name",
            "malicious",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "brand",
            "microsoft edge",
            "show process",
            "self",
            "date",
            "comspec",
            "hybrid",
            "form",
            "log id",
            "gmtn",
            "tls web",
            "b2 f6",
            "b0n timestamp",
            "f9401a",
            "record value",
            "x wix",
            "certificate",
            "domain add",
            "pulse submit",
            "body",
            "domain related",
            "blackbox",
            "apple",
            "helix",
            "dvrdns",
            "tracking",
            "remote access",
            "ios",
            "spyware",
            "hoax",
            "dynamicloader",
            "ptls6",
            "medium",
            "flashpix",
            "high",
            "ygjpavclsline",
            "officespace",
            "chartshared",
            "powershell",
            "write",
            "malware",
            "ygjpaulscontext",
            "status",
            "japan unknown",
            "domain",
            "pulses",
            "search",
            "accept",
            "apt10",
            "trojanspy",
            "win32",
            "entries",
            "susp",
            "backdoor",
            "useragent",
            "showing",
            "virtool",
            "twitter",
            "mozilla",
            "trojandropper",
            "trojan",
            "title",
            "onelouder",
            "yara det",
            "maware samoe",
            "genaco x",
            "ids detec",
            "ids terse",
            "win3 data",
            "include review",
            "exclude sugges",
            "targeting",
            "show",
            "copy",
            "reads",
            "dynamic",
            "vendor finding",
            "notes clamav",
            "files matching",
            "number",
            "sample analysis",
            "hide samples",
            "date hash",
            "next yara"
          ],
          "references": [
            "rmhumanservices.org",
            "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
            "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
            "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
            "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
            "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
            "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
            "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
            "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
            "https://www.mlkfoundation.net/ (Foundry DGA)",
            "remotewd.com x 34 devices",
            "South Africa based:  remote.advisoroffice.com",
            "acc.lehigtapp.com - malware",
            "http://watchhers.net/index.php (espionage entity /palantir relationship  - seen before with palantir and Pegasus sometimes simultaneously )",
            "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022  emails.redvue.com \u2022",
            "Active - pointing:  https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
            "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
            "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
            "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
            "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
            "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
            "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
            "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
            "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
            "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
            "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
            "1.organization.api.powerplatform.partner.microsoftonline.cn",
            "chinaeast2.admin.api.powerautomate.cn",
            "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
            "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
            "ssa-gov.authorizeddns",
            "hmmm\u2026http://palander.stjernstrom.se/",
            "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU"
          ],
          "public": 1,
          "adversary": "APT 10",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "APT 10",
              "display_name": "APT 10",
              "target": null
            },
            {
              "id": "OneLouder",
              "display_name": "OneLouder",
              "target": null
            },
            {
              "id": "Andromeda",
              "display_name": "Andromeda",
              "target": null
            },
            {
              "id": "Sality",
              "display_name": "Sality",
              "target": null
            },
            {
              "id": "KoobFace",
              "display_name": "KoobFace",
              "target": null
            },
            {
              "id": "Bayrob",
              "display_name": "Bayrob",
              "target": null
            },
            {
              "id": "Nivdort Checkin",
              "display_name": "Nivdort Checkin",
              "target": null
            },
            {
              "id": "Win.Malware.Installcore-6950365-0",
              "display_name": "Win.Malware.Installcore-6950365-0",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1574.006",
              "name": "Dynamic Linker Hijacking",
              "display_name": "T1574.006 - Dynamic Linker Hijacking"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            }
          ],
          "industries": [
            "Golfing",
            "Healthcare",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 690,
            "hostname": 1912,
            "URL": 5925,
            "FileHash-SHA1": 273,
            "email": 8,
            "FileHash-SHA256": 3618,
            "CIDR": 3,
            "FileHash-MD5": 254,
            "SSLCertFingerprint": 19,
            "CVE": 2
          },
          "indicator_count": 12704,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 145,
          "modified_text": "225 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
        "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022  emails.redvue.com \u2022",
        "Active - pointing:  https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
        "hmmm\u2026http://palander.stjernstrom.se/",
        "http://watchhers.net/index.php (espionage entity /palantir relationship  - seen before with palantir and Pegasus sometimes simultaneously )",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
        "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
        "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
        "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
        "1.organization.api.powerplatform.partner.microsoftonline.cn",
        "rmhumanservices.org",
        "chinaeast2.admin.api.powerautomate.cn",
        "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
        "ssa-gov.authorizeddns",
        "https://www.mlkfoundation.net/ (Foundry DGA)",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
        "acc.lehigtapp.com - malware",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
        "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
        "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
        "South Africa based:  remote.advisoroffice.com",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
        "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
        "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
        "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
        "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
        "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
        "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU",
        "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
        "remotewd.com x 34 devices",
        "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
        "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "APT 10"
          ],
          "malware_families": [
            "Apt 10",
            "Win.malware.installcore-6950365-0",
            "Onelouder",
            "Sality",
            "Andromeda",
            "Nivdort checkin",
            "Bayrob",
            "Koobface"
          ],
          "industries": [
            "Government",
            "Golfing",
            "Healthcare"
          ],
          "unique_indicators": 14172
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/rmhumanservices.org",
    "whois": "http://whois.domaintools.com/rmhumanservices.org",
    "domain": "rmhumanservices.org",
    "hostname": "moodle.rmhumanservices.org"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 4,
  "pulses": [
    {
      "id": "69c5c4d4d6c2c617810867ec",
      "name": "Independent Research",
      "description": "<The full list of names and locations for the domain-based service, which has now been deleted, has been published by the International Association of Professional Dreditors (IPCD) and the UK government>><<pretext.<",
      "modified": "2026-04-26T00:05:54.045000",
      "created": "2026-03-26T23:44:20.652000",
      "tags": [
        "cname",
        "status",
        "registrar url",
        "value name",
        "creation date",
        "domain id",
        "domain name",
        "expiration date",
        "name servers",
        "se registrant",
        "date",
        "server",
        "redacted for",
        "redacted admin",
        "privacy tech",
        "redacted tech",
        "city",
        "privacy admin",
        "country",
        "postal code",
        "stateprovince",
        "code"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 50,
        "domain": 47,
        "hostname": 118,
        "email": 6
      },
      "indicator_count": 221,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "35 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c5b5cccffe6a5e0b756741",
      "name": "Unknown - Tracking",
      "description": "<HOSTNAME:MarkMonitor.comInc, a US-based company, has been added to Pulse.net, according to a report published by the Internet Service Authority (ICann).<pretext",
      "modified": "2026-04-25T23:14:19.460000",
      "created": "2026-03-26T22:40:12.417000",
      "tags": [
        "status",
        "creation date",
        "servers",
        "name servers",
        "pulse submit",
        "url analysis",
        "passive dns",
        "urls",
        "files",
        "ip address",
        "date",
        "whois show",
        "search",
        "record value",
        "emails",
        "name legal",
        "department name",
        "address po",
        "city seattle",
        "country us",
        "united",
        "unknown",
        "hostname",
        "location united",
        "algorithm",
        "key identifier",
        "x509v3 subject",
        "v3 serial",
        "number",
        "cus oamazon",
        "cnamazon rsa",
        "m01 validity",
        "subject public",
        "key info",
        "domain name",
        "domain",
        "expiry date",
        "update date",
        "thumbprint"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 23,
        "email": 10,
        "domain": 188,
        "hostname": 284,
        "URL": 399,
        "FileHash-SHA256": 440,
        "FileHash-SHA1": 55,
        "CVE": 2
      },
      "indicator_count": 1401,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "35 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c5c7194394ff775d44f7e0",
      "name": "WaypointsStickyChromeCache",
      "description": "A complete analysis of user-created Pulses (AVs) at the University of California, Los Angeles, has been published by the BBC's Newsnight website, along with a series of links.<pretext",
      "modified": "2026-04-25T00:36:45.595000",
      "created": "2026-03-26T23:54:01.493000",
      "tags": [
        "http",
        "urls",
        "unique",
        "pulse pulses",
        "location united",
        "flag united",
        "related",
        "pulses",
        "related tags",
        "x tec",
        "log id",
        "gmtn",
        "tls web",
        "self",
        "encrypt",
        "b2 f6",
        "b0n timestamp",
        "f9401a",
        "timestamp",
        "url add",
        "false"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 121,
        "hostname": 31,
        "domain": 5,
        "FileHash-MD5": 20,
        "FileHash-SHA1": 18,
        "FileHash-SHA256": 98,
        "SSLCertFingerprint": 2,
        "CVE": 1
      },
      "indicator_count": 296,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "36 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68cb233ba91aa1eb958b3f31",
      "name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022  OneLouder",
      "description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea",
      "modified": "2025-10-17T19:03:15.031000",
      "created": "2025-09-17T21:08:11.518000",
      "tags": [
        "script urls",
        "meta",
        "moved",
        "x tec",
        "passive dns",
        "encrypt",
        "america flag",
        "san francisco",
        "extraction",
        "data upload",
        "type indicatod",
        "united states",
        "a domains",
        "united",
        "gmt server",
        "jose",
        "university",
        "bill",
        "rmhs",
        "information",
        "board",
        "lorin",
        "joseph",
        "all veterans",
        "rocky mountain",
        "mission",
        "vice",
        "april",
        "school",
        "austin",
        "prior",
        "ipv4 add",
        "urls",
        "files",
        "location united",
        "wordpress",
        "rmhs meta",
        "tags viewport",
        "rmhs og",
        "rmhs article",
        "wpbakery page",
        "builder",
        "slider plugin",
        "google tag",
        "mountain human",
        "denver",
        "connecting",
        "denver start",
        "relevance home",
        "providers",
        "contact us",
        "rmhs main",
        "server",
        "redacted tech",
        "redacted admin",
        "registrar abuse",
        "algorithm",
        "key identifier",
        "x509v3 subject",
        "dnssec",
        "country",
        "ttl value",
        "graph summary",
        "resolved ips",
        "ip address",
        "port",
        "data",
        "screenshots no",
        "involved direct",
        "country name",
        "name response",
        "tcp connections",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "found",
        "spawns",
        "t1590 gather",
        "path",
        "ascii text",
        "exif standard",
        "tiff image",
        "format",
        "stop",
        "false",
        "soldier",
        "model",
        "youth",
        "baby",
        "june",
        "general",
        "local",
        "click",
        "strings",
        "core",
        "warrior",
        "green",
        "emotion",
        "flash",
        "nina",
        "hunk",
        "fono",
        "daam",
        "mitre att",
        "ck techniques",
        "id name",
        "malicious",
        "windows nt",
        "win64",
        "khtml",
        "gecko",
        "brand",
        "microsoft edge",
        "show process",
        "self",
        "date",
        "comspec",
        "hybrid",
        "form",
        "log id",
        "gmtn",
        "tls web",
        "b2 f6",
        "b0n timestamp",
        "f9401a",
        "record value",
        "x wix",
        "certificate",
        "domain add",
        "pulse submit",
        "body",
        "domain related",
        "blackbox",
        "apple",
        "helix",
        "dvrdns",
        "tracking",
        "remote access",
        "ios",
        "spyware",
        "hoax",
        "dynamicloader",
        "ptls6",
        "medium",
        "flashpix",
        "high",
        "ygjpavclsline",
        "officespace",
        "chartshared",
        "powershell",
        "write",
        "malware",
        "ygjpaulscontext",
        "status",
        "japan unknown",
        "domain",
        "pulses",
        "search",
        "accept",
        "apt10",
        "trojanspy",
        "win32",
        "entries",
        "susp",
        "backdoor",
        "useragent",
        "showing",
        "virtool",
        "twitter",
        "mozilla",
        "trojandropper",
        "trojan",
        "title",
        "onelouder",
        "yara det",
        "maware samoe",
        "genaco x",
        "ids detec",
        "ids terse",
        "win3 data",
        "include review",
        "exclude sugges",
        "targeting",
        "show",
        "copy",
        "reads",
        "dynamic",
        "vendor finding",
        "notes clamav",
        "files matching",
        "number",
        "sample analysis",
        "hide samples",
        "date hash",
        "next yara"
      ],
      "references": [
        "rmhumanservices.org",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
        "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
        "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
        "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
        "https://www.mlkfoundation.net/ (Foundry DGA)",
        "remotewd.com x 34 devices",
        "South Africa based:  remote.advisoroffice.com",
        "acc.lehigtapp.com - malware",
        "http://watchhers.net/index.php (espionage entity /palantir relationship  - seen before with palantir and Pegasus sometimes simultaneously )",
        "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022  emails.redvue.com \u2022",
        "Active - pointing:  https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
        "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
        "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
        "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
        "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
        "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
        "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
        "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
        "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
        "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
        "1.organization.api.powerplatform.partner.microsoftonline.cn",
        "chinaeast2.admin.api.powerautomate.cn",
        "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
        "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
        "ssa-gov.authorizeddns",
        "hmmm\u2026http://palander.stjernstrom.se/",
        "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU"
      ],
      "public": 1,
      "adversary": "APT 10",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "APT 10",
          "display_name": "APT 10",
          "target": null
        },
        {
          "id": "OneLouder",
          "display_name": "OneLouder",
          "target": null
        },
        {
          "id": "Andromeda",
          "display_name": "Andromeda",
          "target": null
        },
        {
          "id": "Sality",
          "display_name": "Sality",
          "target": null
        },
        {
          "id": "KoobFace",
          "display_name": "KoobFace",
          "target": null
        },
        {
          "id": "Bayrob",
          "display_name": "Bayrob",
          "target": null
        },
        {
          "id": "Nivdort Checkin",
          "display_name": "Nivdort Checkin",
          "target": null
        },
        {
          "id": "Win.Malware.Installcore-6950365-0",
          "display_name": "Win.Malware.Installcore-6950365-0",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1574.006",
          "name": "Dynamic Linker Hijacking",
          "display_name": "T1574.006 - Dynamic Linker Hijacking"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        }
      ],
      "industries": [
        "Golfing",
        "Healthcare",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 690,
        "hostname": 1912,
        "URL": 5925,
        "FileHash-SHA1": 273,
        "email": 8,
        "FileHash-SHA256": 3618,
        "CIDR": 3,
        "FileHash-MD5": 254,
        "SSLCertFingerprint": 19,
        "CVE": 2
      },
      "indicator_count": 12704,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 145,
      "modified_text": "225 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://moodle.rmhumanservices.org",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://moodle.rmhumanservices.org",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780235435.9901052
}