{
"type": "URL",
"indicator": "https://mt5.exclusivemarkets.com",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://mt5.exclusivemarkets.com",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4125832175,
"indicator": "https://mt5.exclusivemarkets.com",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 2,
"pulses": [
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68b5e672f492fdc96cf997aa",
"name": "UCHealth - Live Extraordinary (Ransom \u2022 Cycbot other vulnerabilities plague Medical Campus)",
"description": "The full text of the full report on the website of Enom.EDU, which is based in Denver, Colorado, and is available to view at www.ENOM.org, \n\nAdversaries continue to infiltrate a Denver Medical School and Campus. There is a fully operational bot network, calls are often answered by bot workers, PII and PHI deeply impacted, active image fraud, diagnoses tampering. It is a very serious issue that UCHealth knows needs addressing.| UCHealth is not simply being attack. UCH violates patients rights & privacy regularly, deny care, refuse to treat, provide medical records or care for diagnoses. Money motivated entity.\nIssues:\n\u2022 savethemalesdenver.com\t\n\u2022 IPv4\t168.200.5.63\t\n\u2022 a-info-dmz.uchealth.org\n\u2022 IPv4\t198.49.6.6",
"modified": "2025-11-19T23:14:59.744000",
"created": "2025-09-01T18:31:14.754000",
"tags": [
"indicator facts",
"dga domain",
"certificate",
"files",
"ip address",
"location united",
"asn as18693",
"date",
"enom",
"related tags",
"facts dga",
"cnsectigo rsa",
"secure server",
"ca certificate",
"entries related",
"domains show",
"search",
"domain related",
"entries",
"domain add",
"passive dns",
"asn as63949",
"present aug",
"present jun",
"present may",
"present jul",
"moved",
"present jan",
"gmt content",
"type",
"x frame",
"title",
"aurora",
"date checked",
"server response",
"google safe",
"results oct",
"present sep",
"backdoor",
"files show",
"date hash",
"avast avg",
"mtb aug",
"lowfi",
"trojandropper",
"mh may",
"win32upatre apr",
"mtb apr",
"trojan",
"win32",
"cybota",
"virtool",
"e oct",
"ransom",
"ipv4",
"america flag",
"united",
"america asn",
"suspicious",
"gdpr cookie",
"consent plugin",
"uchealth",
"full",
"my health",
"uchealth app",
"research",
"urgent care",
"billing",
"contact",
"find",
"download",
"falling",
"bill",
"media",
"live",
"jeff",
"metro",
"accept",
"dynamicloader",
"medium",
"show",
"dynamic",
"thread local",
"storage",
"pe section",
"checks system",
"write",
"delphi",
"code",
"stream",
"yara detections",
"filehash",
"sha256 add",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"medium risk",
"whois registrar",
"ipv4 add",
"reverse dns",
"error",
"british virgin",
"http",
"related nids",
"files location",
"islands flag",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"found",
"list planting",
"t1055.015",
"key identifier",
"x509v3 subject",
"data",
"v3 serial",
"number",
"cgb stgreater",
"ca validity",
"cus stcolorado",
"info",
"ttl value",
"server",
"dnssec",
"domain name",
"iana id",
"llc registry",
"pii",
"phi",
"icmp traffic",
"packing t1045",
"t1045",
"pe resource",
"md5 add",
"malware",
"msie",
"windows nt",
"unknown",
"tls handshake",
"failure",
"tlsv1",
"forbidden",
"ogoogle trust",
"encrypt",
"post http",
"port",
"post method",
"destination",
"intel",
"ms windows",
"showing",
"114.114.114.114",
"tulach",
"state",
"hallrender",
"sabey type"
],
"references": [
"Im refraining from leaving many references for this pulse due to 3 days of continuous resetting of pulse.",
"Found in savethemalesdenver.com \u2022 www.savethemalesdenver Whois Server\tWHOIS.ENOM.COM",
"Servers :NS3.UCH.EDU Org *Dnssec unsigned Domain Name: SAVETHEMALESDENVER.COM",
"Domain Name: savethemalesdenver.com Name Servers\tNS4.UCH.EDU Registrar ENOM, INC. State\tCO"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:JASYP:Backdoor:Win32/Cycbot!atmn",
"display_name": "ALF:JASYP:Backdoor:Win32/Cycbot!atmn",
"target": null
},
{
"id": "Ransom:Win32/StopCrypt.AK!MTB",
"display_name": "Ransom:Win32/StopCrypt.AK!MTB",
"target": "/malware/Ransom:Win32/StopCrypt.AK!MTB"
},
{
"id": "Pushdo",
"display_name": "Pushdo",
"target": null
},
{
"id": "virtool:Win32/VBInject.gen",
"display_name": "virtool:Win32/VBInject.gen",
"target": "/malware/virtool:Win32/VBInject.gen"
},
{
"id": "TrojanDropper:Win32/Muldrop.V!MTB",
"display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
"target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
}
],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1055.012",
"name": "Process Hollowing",
"display_name": "T1055.012 - Process Hollowing"
},
{
"id": "T1055.014",
"name": "VDSO Hijacking",
"display_name": "T1055.014 - VDSO Hijacking"
},
{
"id": "T1055.013",
"name": "Process Doppelg\u00e4nging",
"display_name": "T1055.013 - Process Doppelg\u00e4nging"
},
{
"id": "T1483",
"name": "Domain Generation Algorithms",
"display_name": "T1483 - Domain Generation Algorithms"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Health",
"Medical"
],
"TLP": "white",
"cloned_from": null,
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 615,
"hostname": 1496,
"URL": 3178,
"FileHash-MD5": 670,
"FileHash-SHA1": 579,
"FileHash-SHA256": 3844,
"email": 1,
"SSLCertFingerprint": 19
},
"indicator_count": 10402,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 149,
"modified_text": "192 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"Found in savethemalesdenver.com \u2022 www.savethemalesdenver Whois Server\tWHOIS.ENOM.COM",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"Same legal , and quasi governmental pattern identified",
"Im refraining from leaving many references for this pulse due to 3 days of continuous resetting of pulse.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"Servers :NS3.UCH.EDU Org *Dnssec unsigned Domain Name: SAVETHEMALESDENVER.COM",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find",
"div>
",
"I apologize for the lack of reference.",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"Domain Name: savethemalesdenver.com Name Servers\tNS4.UCH.EDU Registrar ENOM, INC. State\tCO"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Trojandropper:win32/muldrop.v!mtb",
"Alf:jasyp:backdoor:win32/cycbot!atmn",
"Virtool:win32/vbinject.gen",
"#lowfi:lua:dllsuspiciousexport.a",
"Icedid",
"Ransom:win32/stopcrypt.ak!mtb",
"Mydoom",
"Trojan:win32/smkldr.h!mtb",
"Pushdo"
],
"industries": [
"Health",
"Medical",
"Technology",
"Telecom",
"Legal"
],
"unique_indicators": 24074
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/exclusivemarkets.com",
"whois": "http://whois.domaintools.com/exclusivemarkets.com",
"domain": "exclusivemarkets.com",
"hostname": "mt5.exclusivemarkets.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 2,
"pulses": [
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68b5e672f492fdc96cf997aa",
"name": "UCHealth - Live Extraordinary (Ransom \u2022 Cycbot other vulnerabilities plague Medical Campus)",
"description": "The full text of the full report on the website of Enom.EDU, which is based in Denver, Colorado, and is available to view at www.ENOM.org, \n\nAdversaries continue to infiltrate a Denver Medical School and Campus. There is a fully operational bot network, calls are often answered by bot workers, PII and PHI deeply impacted, active image fraud, diagnoses tampering. It is a very serious issue that UCHealth knows needs addressing.| UCHealth is not simply being attack. UCH violates patients rights & privacy regularly, deny care, refuse to treat, provide medical records or care for diagnoses. Money motivated entity.\nIssues:\n\u2022 savethemalesdenver.com\t\n\u2022 IPv4\t168.200.5.63\t\n\u2022 a-info-dmz.uchealth.org\n\u2022 IPv4\t198.49.6.6",
"modified": "2025-11-19T23:14:59.744000",
"created": "2025-09-01T18:31:14.754000",
"tags": [
"indicator facts",
"dga domain",
"certificate",
"files",
"ip address",
"location united",
"asn as18693",
"date",
"enom",
"related tags",
"facts dga",
"cnsectigo rsa",
"secure server",
"ca certificate",
"entries related",
"domains show",
"search",
"domain related",
"entries",
"domain add",
"passive dns",
"asn as63949",
"present aug",
"present jun",
"present may",
"present jul",
"moved",
"present jan",
"gmt content",
"type",
"x frame",
"title",
"aurora",
"date checked",
"server response",
"google safe",
"results oct",
"present sep",
"backdoor",
"files show",
"date hash",
"avast avg",
"mtb aug",
"lowfi",
"trojandropper",
"mh may",
"win32upatre apr",
"mtb apr",
"trojan",
"win32",
"cybota",
"virtool",
"e oct",
"ransom",
"ipv4",
"america flag",
"united",
"america asn",
"suspicious",
"gdpr cookie",
"consent plugin",
"uchealth",
"full",
"my health",
"uchealth app",
"research",
"urgent care",
"billing",
"contact",
"find",
"download",
"falling",
"bill",
"media",
"live",
"jeff",
"metro",
"accept",
"dynamicloader",
"medium",
"show",
"dynamic",
"thread local",
"storage",
"pe section",
"checks system",
"write",
"delphi",
"code",
"stream",
"yara detections",
"filehash",
"sha256 add",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"medium risk",
"whois registrar",
"ipv4 add",
"reverse dns",
"error",
"british virgin",
"http",
"related nids",
"files location",
"islands flag",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"found",
"list planting",
"t1055.015",
"key identifier",
"x509v3 subject",
"data",
"v3 serial",
"number",
"cgb stgreater",
"ca validity",
"cus stcolorado",
"info",
"ttl value",
"server",
"dnssec",
"domain name",
"iana id",
"llc registry",
"pii",
"phi",
"icmp traffic",
"packing t1045",
"t1045",
"pe resource",
"md5 add",
"malware",
"msie",
"windows nt",
"unknown",
"tls handshake",
"failure",
"tlsv1",
"forbidden",
"ogoogle trust",
"encrypt",
"post http",
"port",
"post method",
"destination",
"intel",
"ms windows",
"showing",
"114.114.114.114",
"tulach",
"state",
"hallrender",
"sabey type"
],
"references": [
"Im refraining from leaving many references for this pulse due to 3 days of continuous resetting of pulse.",
"Found in savethemalesdenver.com \u2022 www.savethemalesdenver Whois Server\tWHOIS.ENOM.COM",
"Servers :NS3.UCH.EDU Org *Dnssec unsigned Domain Name: SAVETHEMALESDENVER.COM",
"Domain Name: savethemalesdenver.com Name Servers\tNS4.UCH.EDU Registrar ENOM, INC. State\tCO"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:JASYP:Backdoor:Win32/Cycbot!atmn",
"display_name": "ALF:JASYP:Backdoor:Win32/Cycbot!atmn",
"target": null
},
{
"id": "Ransom:Win32/StopCrypt.AK!MTB",
"display_name": "Ransom:Win32/StopCrypt.AK!MTB",
"target": "/malware/Ransom:Win32/StopCrypt.AK!MTB"
},
{
"id": "Pushdo",
"display_name": "Pushdo",
"target": null
},
{
"id": "virtool:Win32/VBInject.gen",
"display_name": "virtool:Win32/VBInject.gen",
"target": "/malware/virtool:Win32/VBInject.gen"
},
{
"id": "TrojanDropper:Win32/Muldrop.V!MTB",
"display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
"target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
}
],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1055.012",
"name": "Process Hollowing",
"display_name": "T1055.012 - Process Hollowing"
},
{
"id": "T1055.014",
"name": "VDSO Hijacking",
"display_name": "T1055.014 - VDSO Hijacking"
},
{
"id": "T1055.013",
"name": "Process Doppelg\u00e4nging",
"display_name": "T1055.013 - Process Doppelg\u00e4nging"
},
{
"id": "T1483",
"name": "Domain Generation Algorithms",
"display_name": "T1483 - Domain Generation Algorithms"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Health",
"Medical"
],
"TLP": "white",
"cloned_from": null,
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 615,
"hostname": 1496,
"URL": 3178,
"FileHash-MD5": 670,
"FileHash-SHA1": 579,
"FileHash-SHA256": 3844,
"email": 1,
"SSLCertFingerprint": 19
},
"indicator_count": 10402,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 149,
"modified_text": "192 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://mt5.exclusivemarkets.com",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://mt5.exclusivemarkets.com",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780248744.173643
}