{ "type": "URL", "indicator": "https://mx.m1bp.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://mx.m1bp.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3822746131, "indicator": "https://mx.m1bp.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 16, "pulses": [ { "id": "69b2b76c9a490b69b6a085b3", "name": "Exodus/cellbrite clone by Q Vashti", "description": "", "modified": "2026-03-12T12:54:04.160000", "created": "2026-03-12T12:54:04.160000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "6916e098df39114161354b23", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4295, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3255, "domain": 2911, "hostname": 2894, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13986, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952febb1dbcf05ee601f050", "name": "Pegasus Ongoing l Cellbrite | Exodus | Brian Sabey | HallRender | Tulach (1.29.24)", "description": "", "modified": "2025-12-29T22:20:43.238000", "created": "2025-12-29T22:20:43.238000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65b80a20bbcd0eb305a740ec", "export_count": 29100, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3155, "domain": 2894, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13628, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "110 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6916e098df39114161354b23", "name": "Exodus l Cellbrite \u2022 Pegasus | Brian Sabey | HallRender | Tulach ", "description": "", "modified": "2025-12-14T07:05:42.106000", "created": "2025-11-14T07:56:08.872000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65a76c2901b34c79a681596d", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4295, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3255, "domain": 2911, "hostname": 2894, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13986, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "126 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6824aa10fa32899c33abc3be", "name": "tp://adorno.pl and http://vgt.pl INVESTIGATION requstor user Axelo", "description": "https://t.co/zTZNBTe8GV", "modified": "2025-06-14T00:00:30.956000", "created": "2025-05-14T14:34:56.497000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 426, "FileHash-SHA1": 455, "FileHash-SHA256": 5596, "URL": 15206, "IPv4": 409, "domain": 2473, "hostname": 5059, "CVE": 3 }, "indicator_count": 29627, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "309 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "666a290827eb9a7dec1aa57f", "name": "just checking", "description": "", "modified": "2024-07-12T21:02:00.286000", "created": "2024-06-12T23:02:32.039000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 1278, "URL": 5288, "domain": 1217, "hostname": 2980, "CVE": 1 }, "indicator_count": 10774, "is_author": false, "is_subscribing": null, "subscriber_count": 178, "modified_text": "645 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5c5ebba25ca46fc5b36bc", "name": "NSO Group Pegasus spyware found attack a US citizen. Silencing", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\n\u2022NSO Group develops best-in-class technology to help government agencies detect and prevent terrorism and crime.\n\u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. \nNon terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:11:39.752000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "msie", "chrome", "certificate", "hostname", "url analysis", "http response", "final url", "status code", "body length", "b body", "sha256", "headers date", "connection", "date sat", "html info", "forbidden", "google tag", "utc aw741566034", "utc redirection", "asnone united", "as54113", "cname", "script urls", "as19527 google", "as35280 acorus", "encrypt", "reverse dns", "location dublin", "domain name", "emails", "as23724", "as4812 china", "china", "win32mydoom jan", "ransom", "worm", "as4808 china", "browse scan", "endpoints all", "login", "sign up", "tulach", "c-67-181-73-197.hsd1.ca.comcast.net", "social engineering", "contact made by mark brian sabey", "contact made by o'dea", "benjamin c" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4655, "URL": 9981, "FileHash-MD5": 219, "FileHash-SHA1": 213, "FileHash-SHA256": 6722, "hostname": 4341, "CVE": 2, "email": 12, "BitcoinAddress": 3 }, "indicator_count": 26148, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "753 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5cbadc21b9891c459b9d2", "name": "NSO Group Pegasus spyware used nefariously", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:36:13.975000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4226, "URL": 9995, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6882, "hostname": 4402, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 25999, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "753 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5cbbbcb7a479db222f053", "name": "NSO Group Pegasus spyware used nefariously", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:36:27.745000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4226, "URL": 9996, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6882, "hostname": 4402, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 26000, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "753 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a39f005c7f0a1c1eb33125", "name": "Formbook", "description": "FormBook is a data stealer that is being distributed as a MaaS. FormBook is available in the dark web market as a Malware-as-Service.\n I n known situations targets were contacted by bad actors via social media accounts Twitter & Facebook.", "modified": "2024-03-21T10:00:24.070000", "created": "2024-01-14T08:44:48.297000", "tags": [ "ssl certificate", "contacted", "execution", "ah6itbtgl", "whois record", "historical ssl", "referrer", "subdomains", "resolutions", "formbook", "threat roundup", "malware", "metro", "social engineering", "jansky", "script urls", "a domains", "united", "search", "date", "script domains", "creation date", "record value", "showing", "unknown", "meta", "body", "encrypt", "as63949 linode", "as41357", "united kingdom", "scan endpoints", "all octoseek", "domain", "pulse submit", "url analysis", "server", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "email", "registry domain", "win32 exe", "javascript", "eqsray", "zip blaze", "ms excel", "detections type", "name", "text", "csv order", "files", "microsoft", "dns replication", "bt6lcuigydc9yc", "jxaavf4jnzza0", "submission", "community score", "no security", "graph api", "status", "content type", "xcitium verdict", "cloud marketing", "history first", "thebrotherssabey", "passive dns", "gmt content", "plesklin", "ipv4", "pulse pulses", "urls", "vbs", "data center", "reverse dns", "first", "utc submissions", "submitters", "bbonline uk", "namecheap inc", "summary iocs", "graph community", "ionos se", "keysystems gmbh", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "sabey", "all search", "otx octoseek", "url http", "http", "hostname", "files domain", "msie", "chrome", "expiration date", "next", "whois lookup", "dnssec", "domain name", "abuse contact", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "cname", "as44273 host", "ip address" ], "references": [ "appleremote.net", "CnC 103.224.182.241 | 188.240.191.162 | 207.148.248.143 | 70.32.23.111", "FormBook", "FileHash-SHA256 3072c32dcb5754e08282a8ce2c7c60d93a5ad2ee3ae216d23c94b1f536471acc", "http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "http://t.go.leadthrottle.com/ls/click?upn=QhIPT8KEOABIXMIAxwxPqJ280BBgOcomwXzYntjGICKScv8M4tWQQv4cQuNEja5M44qD_uKOrj1xe-2BYklVyDerLi-2F8mevEGdJeLwCcy3wsiM69F4EC3HAQoZ582VU8uxrVcciNra6YszFQV9gxv53c9iiXOjTuuW-2Fx2QeRPLTofIbYdsrV0aHfkFFhlixBU98mWJE7J0sEjKal1RV6nobxwnEeiVnye8NmQRJx-2FU9UfSEgWQJkTRSj9fP71LBPXBfsc8hOmZFtxOK0v3NQPflOZaAcy5iWdp2hFJGs4seKW1H2KrW5ufvec0BQBd1-2BT0vkNMAbCRhYmaLIAIyjw8lLFewDKeh7z1Ab1irO0L76m8UtAPp2ggxJTpeu-2BTpA0DNS2YtJw0V8Ucha5zN7OgSKumBbxxQEaK8UUm3ZjUVbsX-2Fyv-2B-2BteXtCeZE-2FzL3wmcIL" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1708, "hostname": 1920, "domain": 2221, "URL": 4822, "FileHash-MD5": 100, "FileHash-SHA1": 119, "email": 2, "CIDR": 1 }, "indicator_count": 10893, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "759 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b80944a3d1c9e36346e0c1", "name": "NSO Group Pegasus spyware used nefariously", "description": "", "modified": "2024-02-27T03:01:21.421000", "created": "2024-01-29T20:23:32.737000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": "65b5cbbbcb7a479db222f053", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4174, "URL": 9617, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6801, "hostname": 4314, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 25400, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "782 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a7e576b3cbdf2f86a32acc", "name": "Skynet | prd.connectforhealthco.com | Identity theft |", "description": "Remote interception of health insurance applicants call. Social engineering - threat actor will walk target through process beginning with; verification of phone model, browser used, phone number, email, ssn# entered in staged health insurance enrollment application. Auto forwards ssn# to Experian, locking consumer from of all accounts, credit information is stolen, consumer identity theft. New accounts cannot be created, a password reset is required for scam, all emails requested, bad actor will ask for entire households email accounts, device use, etc. Sends malicious forms to devices. Takes consumer through a lengthy phone transfer scheme +++", "modified": "2024-02-16T13:04:46.804000", "created": "2024-01-17T14:34:30.204000", "tags": [ "whois record", "historical ssl", "ssl certificate", "april", "referrer", "threat roundup", "communicating", "whois", "rwi dtools", "jekyll", "metro", "skynet", "identity theft", "parking crew", "whois whois", "resolutions", "october", "august", "march", "june", "attack", "goldfinder", "sibot", "hacktool", "remote attack", "social engineering", "read c", "get autoit", "search", "regsetvalueexa", "show", "entries", "regdword", "intel", "ms windows", "showing", "autoit", "write", "worm", "copy", "unknown", "win32", "persistence", "execution", "malware", "autorun", "redacted for", "for privacy", "name servers", "date", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "encrypt", "next", "sabey", "no expiration", "filehashsha256", "filehashsha1", "filehashmd5", "iocs", "create new", "pulse use", "pdf report", "pcap", "malware beacon", "useragent", "http request", "hostile", "autoit windows", "automation tool", "forbidden", "algorithm", "full name", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "info", "first", "detections type", "name", "javascript", "pdf community", "office open", "xml spreadsheet", "text", "siblings", "process32nextw", "fjlsedauv", "writeconsolea", "medium", "discovery", "high", "module load", "t1129", "united", "as63949 linode", "mtb jan", "passive dns", "backdoor", "mtb dec", "open", "body", "artro", "creation date", "servers", "urls", "record value", "expiration date", "vt graph", "parent referrer", "apple private", "data collection", "hidden privacy", "malicious", "verified", "utc submissions", "submitters", "summary iocs", "graph community", "tucows", "amazonaes", "china telecom", "group", "cloudflarenet", "akamaias", "pty ltd", "argon data", "communication", "limited", "digitaloceanasn", "twitter", "dropbox", "domainsite", "alibaba cloud", "computing", "beijing", "service", "ip address", "latest", "virustotal", "unclejohn", "us autonomous", "system46606", "unified layer", "urls latest", "contacted", "historical", "subdomains", "gootloader", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "binary", "sameorigin", "scammer", "spammer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "Sibot - S0589", "display_name": "Sibot - S0589", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Verified", "display_name": "Verified", "target": null }, { "id": "Downloader.Cerber/JS!1.A59C (CLASSIC)", "display_name": "Downloader.Cerber/JS!1.A59C (CLASSIC)", "target": null }, { "id": "W32/Expiro.fam", "display_name": "W32/Expiro.fam", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" } ], "industries": [ "Healthcare", "Insurance", "Finance", "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 515, "FileHash-SHA1": 504, "FileHash-SHA256": 3557, "URL": 5450, "domain": 1842, "hostname": 2221, "CVE": 2, "email": 6 }, "indicator_count": 14097, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "793 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a76c2901b34c79a681596d", "name": "Exodus l Cellbrite | Brian Sabey | HallRender | Tulach", "description": "Brian Sabey of Hall Render Law firm is incredibly entrenched in spying on a single target. Having made contact,impersonal invitations to meet, filing a lawsuit dismissed by a judge , paying to silence SA victim and spending many years spying, destroying digital profile m libel, malvertizing is concerning. \nConsidering Brashears death threats, following , being approached and attempts on her personal safety is unwarranted. Brashears was the confirmed victim of life threatening SA. How does the Federal Government allow this? Found embedded in Brashears link that came from her iPhone.", "modified": "2024-02-16T05:03:15.321000", "created": "2024-01-17T05:56:57.948000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3155, "domain": 2894, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13628, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "793 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a77c6a22a236495c4548d6", "name": "PEGASUS | Exodus l Cellbrite | Brian Sabey | HallRender | Tulach", "description": "I'm unclear if the legitimatecy of use of Cellbrite considering Brashears was the attacked. Brashears has spoken with every authority on her own terms. Law enforcement 'you're not that important. You're not a suspect .' FBI -' Brashears victim of Identity theft case that lasted months. Alleged false reports removed.' PI's - 'someone is abusing privilege' Was a SA advocate Non Profit. Awareness Saves & social media deleted by hackers", "modified": "2024-02-16T05:03:15.321000", "created": "2024-01-17T07:06:18.453000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "remote", "malvertizing", "spying", "cyber stalking" ], "references": [ "https://tulach.cc/", "go.sabey.com", "sabey.com", "cellebrite.com", "https://cellebrite.com/en/federal-government/ [Pegasus ck privilege collection]", "https://www.pornhub.com/video/search?search=tsara+brashears", "remote.aciscomputers.com", "https://track.toccha.com/978eb025-0a62-46fa-827c-d71aa0524818?zoneid=5939372&ua=high&subzone_id=3038557&set=social&country=SY®ion=49&isp=syriatelmobiletelecom&useragent=Mozilla/5.0", "114.114.114.114 [Tulach]", "nr-data.net [Apple Private Data Collection]", "defenselawyernj.com", "attorney-marketing-specialists.com ?", "https://itunes.apple.com/app/apple-store/id284815942/us/app/image-recognition-and-searcher/id1450230225", "http://www.apple.com/appleca/AppleIncRootCertificate.cer", "http://flexlucky.com/isurvey/en/?devicemodel=iPhone&carrier=\u00aeion=Tbilisi&brand=Apple&browser=GoogleApp&prize=cur&u=track.bawiwia.com&isp=JSCGlobalErty&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=GE&click_id=wuo4jm6db011lufu2f8h138c&partner=5658402&skip=yes&frame={frame}&cost=0.010100&lang=en", "https://t.me/hermitspyware/24", "hyundai-smg.com | http://hyundai-smg.com/index.php?route=information/contact | http://hyundai-smg.com/index.php?route=information/contact", "https://imazing.com/guides/detect-pegasus-and-other-spyware-on-iphone", "http://watchhers.net/index.php [remote attackers | malware spreader]", "api-stage.pornhub.com", "newbrazzers.com [y8.com]", "www.videolan.org [info solutions]", "www2.blackbagtech.com [hidden users included]", "http://subtitles.rest7.com/subs/The.Expanse.S03E11.720p.HDTV.x264-KILLERS[eztv].mkv", "http://pegasus.diskel.co.uk/ [phishing]", "wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "fds.cellebrite.com", "http://www1.mychartahn.org/?tm=1&subid4=1671014887.0191400000&kw=Patient+Portal&KW1=Patient+Access+Network&KW2=Patient+Self+Check+In+System&KW3=Electronic+Health+Record+EHR+System&KW4=Patient+Appointment+Scheduling+System&KW5=Medical+Billing+System+Software&KW6=Patient+Financial+Assistance&searchbox=0&domainname=0&backfill=0", "healthcare.greatcall.com [fake call centers | PHI & PII info stealers]", "http://download.virtualbox.org/virtualbox/debian", "match.pegasus.isi.edu", "asp.net", "http://dropbox.com/ [ intrusions/ dropbox stealer]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Trojan:Win32/Comspec", "display_name": "Trojan:Win32/Comspec", "target": "/malware/Trojan:Win32/Comspec" }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" } ], "industries": [ "Individual", "Patient", "Healthcare", "Survivor" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3157, "domain": 2903, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13639, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "793 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b80a20bbcd0eb305a740ec", "name": "Exodus l Cellbrite | Brian Sabey | HallRender | Tulach", "description": "", "modified": "2024-02-16T05:03:15.321000", "created": "2024-01-29T20:27:12.899000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65a76c2901b34c79a681596d", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3155, "domain": 2894, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13628, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "793 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a4880cf26f0feaf9a75648", "name": "Formbook", "description": "", "modified": "2024-02-13T08:03:20.064000", "created": "2024-01-15T01:19:08.041000", "tags": [ "ssl certificate", "contacted", "execution", "ah6itbtgl", "whois record", "historical ssl", "referrer", "subdomains", "resolutions", "formbook", "threat roundup", "malware", "metro", "social engineering", "jansky", "script urls", "a domains", "united", "search", "date", "script domains", "creation date", "record value", "showing", "unknown", "meta", "body", "encrypt", "as63949 linode", "as41357", "united kingdom", "scan endpoints", "all octoseek", "domain", "pulse submit", "url analysis", "server", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "email", "registry domain", "win32 exe", "javascript", "eqsray", "zip blaze", "ms excel", "detections type", "name", "text", "csv order", "files", "microsoft", "dns replication", "bt6lcuigydc9yc", "jxaavf4jnzza0", "submission", "community score", "no security", "graph api", "status", "content type", "xcitium verdict", "cloud marketing", "history first", "thebrotherssabey", "passive dns", "gmt content", "plesklin", "ipv4", "pulse pulses", "urls", "vbs", "data center", "reverse dns", "first", "utc submissions", "submitters", "bbonline uk", "namecheap inc", "summary iocs", "graph community", "ionos se", "keysystems gmbh", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "sabey", "all search", "otx octoseek", "url http", "http", "hostname", "files domain", "msie", "chrome", "expiration date", "next", "whois lookup", "dnssec", "domain name", "abuse contact", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "cname", "as44273 host", "ip address" ], "references": [ "appleremote.net", "CnC 103.224.182.241 | 188.240.191.162 | 207.148.248.143 | 70.32.23.111", "FormBook", "FileHash-SHA256 3072c32dcb5754e08282a8ce2c7c60d93a5ad2ee3ae216d23c94b1f536471acc", "http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "http://t.go.leadthrottle.com/ls/click?upn=QhIPT8KEOABIXMIAxwxPqJ280BBgOcomwXzYntjGICKScv8M4tWQQv4cQuNEja5M44qD_uKOrj1xe-2BYklVyDerLi-2F8mevEGdJeLwCcy3wsiM69F4EC3HAQoZ582VU8uxrVcciNra6YszFQV9gxv53c9iiXOjTuuW-2Fx2QeRPLTofIbYdsrV0aHfkFFhlixBU98mWJE7J0sEjKal1RV6nobxwnEeiVnye8NmQRJx-2FU9UfSEgWQJkTRSj9fP71LBPXBfsc8hOmZFtxOK0v3NQPflOZaAcy5iWdp2hFJGs4seKW1H2KrW5ufvec0BQBd1-2BT0vkNMAbCRhYmaLIAIyjw8lLFewDKeh7z1Ab1irO0L76m8UtAPp2ggxJTpeu-2BTpA0DNS2YtJw0V8Ucha5zN7OgSKumBbxxQEaK8UUm3ZjUVbsX-2Fyv-2B-2BteXtCeZE-2FzL3wmcIL" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65a39f005c7f0a1c1eb33125", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1650, "hostname": 1778, "domain": 2102, "URL": 4435, "FileHash-MD5": 100, "FileHash-SHA1": 119, "email": 2, "CIDR": 1 }, "indicator_count": 10187, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "796 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a20ff8db3854e863dca324", "name": "Shared Modules | Hijacker | Masquerading", "description": "", "modified": "2024-02-12T04:01:56.040000", "created": "2024-01-13T04:22:16.961000", "tags": [ "filehashmd5", "no expiration", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "hostname", "expiration", "domain", "url https", "url http", "source", "stix", "email", "email abuse", "goreasonlimited", "cc no", "tompc", "sum35", "domain xn", "searchbox0", "domainname0", "view", "apple", "apple id", "hijacking", "masquerading", "exploit", "cams", "monitoring", "loki bot", "dns", "open ports", "malvertizing", "malware hosting", "apple script", "js user", "dga", "dga domains", "malware", "multiple_versions", "wagersta", "decode", "system information discovery", "decrypt", "evasion", "defense evasion", "emotet", "android", "ios", "wannacry", "trojan", "worm", "cyber threat", "benjamin", "whois record", "ssl certificate", "contacted", "historical ssl", "referrer", "contacted urls", "execution", "whois whois", "whois sslcert", "and china", "drop", "uchealth", "university of cincinnati health" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2701, "FileHash-SHA1": 2296, "FileHash-SHA256": 3362, "URL": 6191, "domain": 2033, "hostname": 3097, "email": 37, "CVE": 2 }, "indicator_count": 19719, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "797 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://download.virtualbox.org/virtualbox/debian", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://imazing.com/guides/detect-pegasus-and-other-spyware-on-iphone", "https://www.pornhub.com/video/search?search=tsara+brashears", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "nr-data.net [Apple Private Data Collection]", "https://itunes.apple.com/app/apple-store/id284815942/us/app/image-recognition-and-searcher/id1450230225", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "http://dropbox.com/ [ intrusions/ dropbox stealer]", "www-stage40.pornhub.com", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://www.nsogroup.com", "cellebrite.com", "https://t.me/hermitspyware/24", "www2.blackbagtech.com [hidden users included]", "FileHash-SHA256 3072c32dcb5754e08282a8ce2c7c60d93a5ad2ee3ae216d23c94b1f536471acc", "defenselawyernj.com", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "api-stage.pornhub.com", "http://flexlucky.com/isurvey/en/?devicemodel=iPhone&carrier=\u00aeion=Tbilisi&brand=Apple&browser=GoogleApp&prize=cur&u=track.bawiwia.com&isp=JSCGlobalErty&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=GE&click_id=wuo4jm6db011lufu2f8h138c&partner=5658402&skip=yes&frame={frame}&cost=0.010100&lang=en", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "healthcare.greatcall.com [fake call centers | PHI & PII info stealers]", "http://pegasus.diskel.co.uk/ [phishing]", "asp.net", "enterprise.cellebrite.com [ digitalclues.com]", "sabey.com", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "FormBook", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "newbrazzers.com [y8.com]", "https://timersys.com/ [ phishing | deb opera.com]", "https://tulach.cc/ [malware engineering | phishing]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "appleremote.net", "https://twitter.com/PORNO_SEXYBABES", "work.a-poster.info", "hanmail.net", "deviceinbox.com [malware hosting]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "https://cellebrite.com/en/federal-government/ [Pegasus ck privilege collection]", "attorney-marketing-specialists.com ?", "hyundai-smg.com | http://hyundai-smg.com/index.php?route=information/contact | http://hyundai-smg.com/index.php?route=information/contact", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "http://subtitles.rest7.com/subs/The.Expanse.S03E11.720p.HDTV.x264-KILLERS[eztv].mkv", "http://www1.mychartahn.org/?tm=1&subid4=1671014887.0191400000&kw=Patient+Portal&KW1=Patient+Access+Network&KW2=Patient+Self+Check+In+System&KW3=Electronic+Health+Record+EHR+System&KW4=Patient+Appointment+Scheduling+System&KW5=Medical+Billing+System+Software&KW6=Patient+Financial+Assistance&searchbox=0&domainname=0&backfill=0", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "http://watchhers.net/index.php [remote attackers | malware spreader]", "remote.aciscomputers.com", "http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "114.114.114.114 [Tulach]", "http://www.apple.com/appleca/AppleIncRootCertificate.cer", "114.114.114.114", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://track.toccha.com/978eb025-0a62-46fa-827c-d71aa0524818?zoneid=5939372&ua=high&subzone_id=3038557&set=social&country=SY®ion=49&isp=syriatelmobiletelecom&useragent=Mozilla/5.0", "fds.cellebrite.com", "Tracking: 8.8.4.4 [ NOT a false.positive]", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net", "https://tulach.cc/", "match.pegasus.isi.edu", "http://t.go.leadthrottle.com/ls/click?upn=QhIPT8KEOABIXMIAxwxPqJ280BBgOcomwXzYntjGICKScv8M4tWQQv4cQuNEja5M44qD_uKOrj1xe-2BYklVyDerLi-2F8mevEGdJeLwCcy3wsiM69F4EC3HAQoZ582VU8uxrVcciNra6YszFQV9gxv53c9iiXOjTuuW-2Fx2QeRPLTofIbYdsrV0aHfkFFhlixBU98mWJE7J0sEjKal1RV6nobxwnEeiVnye8NmQRJx-2FU9UfSEgWQJkTRSj9fP71LBPXBfsc8hOmZFtxOK0v3NQPflOZaAcy5iWdp2hFJGs4seKW1H2KrW5ufvec0BQBd1-2BT0vkNMAbCRhYmaLIAIyjw8lLFewDKeh7z1Ab1irO0L76m8UtAPp2ggxJTpeu-2BTpA0DNS2YtJw0V8Ucha5zN7OgSKumBbxxQEaK8UUm3ZjUVbsX-2Fyv-2B-2BteXtCeZE-2FzL3wmcIL", "go.sabey.com", "wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "www.videolan.org [info solutions]", "cellebrite.com | https://cellebrite.com/en/federal-government/", "message.htm.com [ message stealer]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "CnC 103.224.182.241 | 188.240.191.162 | 207.148.248.143 | 70.32.23.111", "training001.blackbagtech.com [opportunity?]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "NSO Group" ], "malware_families": [ "Hallrender", "Hacktool", "Sabey", "Trojan:win32/comspec", "Kimsuky", "Eternalblue", "Sibot - s0589", "Pegasus", "Verified", "Formbook", "Pws:win32/raven", "Virtool:win32/tofsee", "Backdoor:win32/mydoom", "Amadey", "Tulach", "Downloader.cerber/js!1.a59c (classic)", "Goldfinder", "Skynet", "Quasar rat", "W32/expiro.fam", "Exodus", "Artro" ], "industries": [ "Healthcare", "Patient", "Finance", "Individual", "Civil society", "Survivor", "Technology", "Government", "Insurance", "Telecommunications" ], "unique_indicators": 112030 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/m1bp.com", "whois": "http://whois.domaintools.com/m1bp.com", "domain": "m1bp.com", "hostname": "mx.m1bp.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 16, "pulses": [ { "id": "69b2b76c9a490b69b6a085b3", "name": "Exodus/cellbrite clone by Q Vashti", "description": "", "modified": "2026-03-12T12:54:04.160000", "created": "2026-03-12T12:54:04.160000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "6916e098df39114161354b23", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4295, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3255, "domain": 2911, "hostname": 2894, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13986, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952febb1dbcf05ee601f050", "name": "Pegasus Ongoing l Cellbrite | Exodus | Brian Sabey | HallRender | Tulach (1.29.24)", "description": "", "modified": "2025-12-29T22:20:43.238000", "created": "2025-12-29T22:20:43.238000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65b80a20bbcd0eb305a740ec", "export_count": 29100, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3155, "domain": 2894, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13628, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "110 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6916e098df39114161354b23", "name": "Exodus l Cellbrite \u2022 Pegasus | Brian Sabey | HallRender | Tulach ", "description": "", "modified": "2025-12-14T07:05:42.106000", "created": "2025-11-14T07:56:08.872000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65a76c2901b34c79a681596d", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4295, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3255, "domain": 2911, "hostname": 2894, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13986, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "126 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6824aa10fa32899c33abc3be", "name": "tp://adorno.pl and http://vgt.pl INVESTIGATION requstor user Axelo", "description": "https://t.co/zTZNBTe8GV", "modified": "2025-06-14T00:00:30.956000", "created": "2025-05-14T14:34:56.497000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 426, "FileHash-SHA1": 455, "FileHash-SHA256": 5596, "URL": 15206, "IPv4": 409, "domain": 2473, "hostname": 5059, "CVE": 3 }, "indicator_count": 29627, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "309 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "666a290827eb9a7dec1aa57f", "name": "just checking", "description": "", "modified": "2024-07-12T21:02:00.286000", "created": "2024-06-12T23:02:32.039000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 1278, "URL": 5288, "domain": 1217, "hostname": 2980, "CVE": 1 }, "indicator_count": 10774, "is_author": false, "is_subscribing": null, "subscriber_count": 178, "modified_text": "645 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5c5ebba25ca46fc5b36bc", "name": "NSO Group Pegasus spyware found attack a US citizen. Silencing", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\n\u2022NSO Group develops best-in-class technology to help government agencies detect and prevent terrorism and crime.\n\u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. \nNon terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:11:39.752000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "msie", "chrome", "certificate", "hostname", "url analysis", "http response", "final url", "status code", "body length", "b body", "sha256", "headers date", "connection", "date sat", "html info", "forbidden", "google tag", "utc aw741566034", "utc redirection", "asnone united", "as54113", "cname", "script urls", "as19527 google", "as35280 acorus", "encrypt", "reverse dns", "location dublin", "domain name", "emails", "as23724", "as4812 china", "china", "win32mydoom jan", "ransom", "worm", "as4808 china", "browse scan", "endpoints all", "login", "sign up", "tulach", "c-67-181-73-197.hsd1.ca.comcast.net", "social engineering", "contact made by mark brian sabey", "contact made by o'dea", "benjamin c" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4655, "URL": 9981, "FileHash-MD5": 219, "FileHash-SHA1": 213, "FileHash-SHA256": 6722, "hostname": 4341, "CVE": 2, "email": 12, "BitcoinAddress": 3 }, "indicator_count": 26148, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "753 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5cbadc21b9891c459b9d2", "name": "NSO Group Pegasus spyware used nefariously", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:36:13.975000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4226, "URL": 9995, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6882, "hostname": 4402, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 25999, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "753 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5cbbbcb7a479db222f053", "name": "NSO Group Pegasus spyware used nefariously", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:36:27.745000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4226, "URL": 9996, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6882, "hostname": 4402, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 26000, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "753 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a39f005c7f0a1c1eb33125", "name": "Formbook", "description": "FormBook is a data stealer that is being distributed as a MaaS. FormBook is available in the dark web market as a Malware-as-Service.\n I n known situations targets were contacted by bad actors via social media accounts Twitter & Facebook.", "modified": "2024-03-21T10:00:24.070000", "created": "2024-01-14T08:44:48.297000", "tags": [ "ssl certificate", "contacted", "execution", "ah6itbtgl", "whois record", "historical ssl", "referrer", "subdomains", "resolutions", "formbook", "threat roundup", "malware", "metro", "social engineering", "jansky", "script urls", "a domains", "united", "search", "date", "script domains", "creation date", "record value", "showing", "unknown", "meta", "body", "encrypt", "as63949 linode", "as41357", "united kingdom", "scan endpoints", "all octoseek", "domain", "pulse submit", "url analysis", "server", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "email", "registry domain", "win32 exe", "javascript", "eqsray", "zip blaze", "ms excel", "detections type", "name", "text", "csv order", "files", "microsoft", "dns replication", "bt6lcuigydc9yc", "jxaavf4jnzza0", "submission", "community score", "no security", "graph api", "status", "content type", "xcitium verdict", "cloud marketing", "history first", "thebrotherssabey", "passive dns", "gmt content", "plesklin", "ipv4", "pulse pulses", "urls", "vbs", "data center", "reverse dns", "first", "utc submissions", "submitters", "bbonline uk", "namecheap inc", "summary iocs", "graph community", "ionos se", "keysystems gmbh", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "sabey", "all search", "otx octoseek", "url http", "http", "hostname", "files domain", "msie", "chrome", "expiration date", "next", "whois lookup", "dnssec", "domain name", "abuse contact", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "cname", "as44273 host", "ip address" ], "references": [ "appleremote.net", "CnC 103.224.182.241 | 188.240.191.162 | 207.148.248.143 | 70.32.23.111", "FormBook", "FileHash-SHA256 3072c32dcb5754e08282a8ce2c7c60d93a5ad2ee3ae216d23c94b1f536471acc", "http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "http://t.go.leadthrottle.com/ls/click?upn=QhIPT8KEOABIXMIAxwxPqJ280BBgOcomwXzYntjGICKScv8M4tWQQv4cQuNEja5M44qD_uKOrj1xe-2BYklVyDerLi-2F8mevEGdJeLwCcy3wsiM69F4EC3HAQoZ582VU8uxrVcciNra6YszFQV9gxv53c9iiXOjTuuW-2Fx2QeRPLTofIbYdsrV0aHfkFFhlixBU98mWJE7J0sEjKal1RV6nobxwnEeiVnye8NmQRJx-2FU9UfSEgWQJkTRSj9fP71LBPXBfsc8hOmZFtxOK0v3NQPflOZaAcy5iWdp2hFJGs4seKW1H2KrW5ufvec0BQBd1-2BT0vkNMAbCRhYmaLIAIyjw8lLFewDKeh7z1Ab1irO0L76m8UtAPp2ggxJTpeu-2BTpA0DNS2YtJw0V8Ucha5zN7OgSKumBbxxQEaK8UUm3ZjUVbsX-2Fyv-2B-2BteXtCeZE-2FzL3wmcIL" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1708, "hostname": 1920, "domain": 2221, "URL": 4822, "FileHash-MD5": 100, "FileHash-SHA1": 119, "email": 2, "CIDR": 1 }, "indicator_count": 10893, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "759 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b80944a3d1c9e36346e0c1", "name": "NSO Group Pegasus spyware used nefariously", "description": "", "modified": "2024-02-27T03:01:21.421000", "created": "2024-01-29T20:23:32.737000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": "65b5cbbbcb7a479db222f053", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4174, "URL": 9617, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6801, "hostname": 4314, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 25400, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "782 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://mx.m1bp.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://mx.m1bp.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776630161.6008635 }