{ "type": "URL", "indicator": "https://my.fastdomain.com/hosting/help/transferaway", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://my.fastdomain.com/hosting/help/transferaway", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3752599176, "indicator": "https://my.fastdomain.com/hosting/help/transferaway", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 26, "pulses": [ { "id": "688e31b80edd775fe5d2f34f", "name": "Social Engineering led to -#Lowfi:HSTR:Win32/iWin.B", "description": "Likely: Phone referral led to an in person meeting, financial transaction, telephone numbers exchange, website click, in home service call. The alternative is compromised target was redirected to malicious host or service provider became compromised by targeted persons issue.\nThere are several targeted people. This person is closely associated with a target.(idk -malicious)\nMitre: T1055.015\tListPlanting\t\nDefense Evasion\nPrivilege Escalation\nAdversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges.", "modified": "2025-09-01T15:02:58.791000", "created": "2025-08-02T15:41:44.319000", "tags": [ "united", "search", "moved", "ip address", "creation date", "record value", "date", "gmt server", "gmt content", "certificate", "apache", "encrypt", "gmt path", "set cookie", "httponly", "passive dns", "urls", "address", "meta", "dynamicloader", "write c", "medium", "tlsv1", "show", "entries", "high", "http", "copy", "upatre", "write", "unknown", "asn15169", "google", "asn46606", "unifiedlayeras1", "frankfurt", "main", "germany", "google safe", "browsing", "script urls", "a domains", "libs", "monstroid2", "link", "accept encoding", "script domains", "title", "vary", "jquery", "pulse pulses", "hostname xn", "files domain", "showing", "next associated", "urls show", "date checked", "url hostname", "server response", "present jul", "for privacy", "roboto", "delete", "trojan", "globalc", "mozilla", "guard", "malware", "iwin", "local", "lowfi", "helper", "nsisdl", "executable", "amazon s3", "pe exe", "dll windows", "http yara", "alerts", "meta http", "content", "pragma", "content type", "body", "service", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "windows nt", "mitre att", "ascii text", "show technique", "path", "span", "click", "august", "hybrid", "general", "strings", "footer", "ck matrix" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 460, "hostname": 744, "URL": 3496, "email": 4, "domain": 394, "FileHash-SHA256": 2072, "FileHash-MD5": 464, "SSLCertFingerprint": 7 }, "indicator_count": 7641, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "272 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6867653f0b2d5f4f1abeb55c", "name": "Graphite Mercenary Spyware? Skynet- I failed to adequately research prior pulse. Uh\u2026.hi!", "description": "", "modified": "2025-08-03T04:01:39.496000", "created": "2025-07-04T05:23:11.056000", "tags": [ "utc ua124682679", "google tag", "utc gr8frkfel9k", "utc gjycztvzbg0", "utc gfjlg9p3ltd", "utc g8dm6znp88p", "utc gvev1mxhhbn", "utc na", "palco", "home", "palco og", "palco article", "wordpress", "elementor", "status code", "body length", "kb body", "rdap database", "server", "date", "country", "dnssec", "code", "registrar abuse", "registrar iana", "registrar url", "registrar whois", "registrar", "ttl value", "language", "html document", "ascii text", "doctype", "network", "solutions", "email", "lookups", "for privacy", "united", "creation date", "overview domain", "passive dns", "urls", "files ip", "address", "location united", "asn as13335", "meta", "accept", "present mar", "date checked", "url hostname", "server response", "ip address", "google safe", "results jul", "present jun", "present apr", "entries", "urls show", "results jun", "script urls", "a domains", "moved", "encrypt", "search", "body", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "gmt content", "certificate", "results jan", "present sep", "present may", "present jul", "backdoor", "next associated", "win32", "error", "present", "response ip", "address google", "safe browsing", "associated urls", "show", "results may", "virgin islands", "unknown soa", "unknown ns", "domain", "aaaa", "status", "record value", "name servers", "afe browsing", "gmt setcookie", "path", "vfrbuk1", "lefasbor1", "formula", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "malware", "copy", "present showing", "files show", "date hash", "avast avg", "showing", "present feb", "virtool", "datacenter", "hosting", "vps reverse", "america flag", "america asn", "graphite", "skynet", "win64", "expiration date", "domain add", "pulse pulses", "files", "present nov", "present aug", "kryptikxp", "cname", "whois registrar", "markmonitor", "pulses", "tags", "related tags", "more indicator", "default", "regsetvalueexa", "process32nextw", "regdword", "high", "medium", "todo", "write", "belize", "overview ip", "location belize", "asn as210083", "privex", "alone email", "body doctype", "gmt server", "content type", "t1055", "discovery", "read", "createnowindow", "dock", "push", "motd", "front", "duster" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6867624b645b1724745d6584", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2054, "hostname": 368, "domain": 251, "CIDR": 1, "FileHash-MD5": 492, "FileHash-SHA1": 522, "URL": 508, "email": 8, "CVE": 1 }, "indicator_count": 4205, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "301 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6867624b645b1724745d6584", "name": "BotX | Multiple attack affects \u2018alleged\u2019 Workforce agency", "description": "A \u2018Unnamed\u2019 workforce agency of questionable legitimacy.\nSerious social engineering. #financial. #pii #phi #gathering. \n#Win32:BotX-gen\\ [Trj]\nIDS Detections\n\u2022 TLS Handshake Failure\nAlerts:\n#dead_host\n#network_icmp\n#nolookup_communication\n#modifies_proxy_wpad\n#allocates_rwx\n#injection_process_search\n#protection_rx\n#antivm_network_adapters\n#process_interest\n#antivm_queries_computername\n#checks_debugger\n#pe_unknown_resource\n#injection #apple #remote #rat #dns #virus #malware #bot_gen #attack #masquerading #monitored_target #staged #worforce #whatstrue #withu4ever\n#hoax #banker #ransom #malvertising #innerparty #overwatch #endgame #mirai #virtool #trojans #privilege #meritless #apple \nWeirdness: \n\u2022 simswap.in (mirai)\n\u2022 twitter\n\u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\ngirlsdoporn.com\t\n\u2022 https://twitter.com/PORNO_SEXYBABES\n\u2022 apple-dns.net\n\u2022 pornhub.com \u2022 www.pornhub.com #1984\n#whatdidtargetdo? #preemptive\n#Team8 wants to know.", "modified": "2025-08-03T04:01:39.496000", "created": "2025-07-04T05:10:35.672000", "tags": [ "utc ua124682679", "google tag", "utc gr8frkfel9k", "utc gjycztvzbg0", "utc gfjlg9p3ltd", "utc g8dm6znp88p", "utc gvev1mxhhbn", "utc na", "palco", "home", "palco og", "palco article", "wordpress", "elementor", "status code", "body length", "kb body", "rdap database", "server", "date", "country", "dnssec", "code", "registrar abuse", "registrar iana", "registrar url", "registrar whois", "registrar", "ttl value", "language", "html document", "ascii text", "doctype", "network", "solutions", "email", "lookups", "for privacy", "united", "creation date", "overview domain", "passive dns", "urls", "files ip", "address", "location united", "asn as13335", "meta", "accept", "present mar", "date checked", "url hostname", "server response", "ip address", "google safe", "results jul", "present jun", "present apr", "entries", "urls show", "results jun", "script urls", "a domains", "moved", "encrypt", "search", "body", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "gmt content", "certificate", "results jan", "present sep", "present may", "present jul", "backdoor", "next associated", "win32", "error", "present", "response ip", "address google", "safe browsing", "associated urls", "show", "results may", "virgin islands", "unknown soa", "unknown ns", "domain", "aaaa", "status", "record value", "name servers", "afe browsing", "gmt setcookie", "path", "vfrbuk1", "lefasbor1", "formula", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "malware", "copy", "present showing", "files show", "date hash", "avast avg", "showing", "present feb", "virtool", "datacenter", "hosting", "vps reverse", "america flag", "america asn", "graphite", "skynet", "win64", "expiration date", "domain add", "pulse pulses", "files", "present nov", "present aug", "kryptikxp", "cname", "whois registrar", "markmonitor", "pulses", "tags", "related tags", "more indicator", "default", "regsetvalueexa", "process32nextw", "regdword", "high", "medium", "todo", "write", "belize", "overview ip", "location belize", "asn as210083", "privex", "alone email", "body doctype", "gmt server", "content type", "t1055", "discovery", "read", "createnowindow", "dock", "push", "motd", "front", "duster" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2054, "hostname": 368, "domain": 251, "CIDR": 1, "FileHash-MD5": 492, "FileHash-SHA1": 522, "URL": 508, "email": 8, "CVE": 1 }, "indicator_count": 4205, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "301 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6698fe641699bd68de60f558", "name": "LevelBlue - Open Threat Exchange | idpmimic.org", "description": "Auto-populated \u00bb \"Last certificate\" - \"JARM\" - is the full text of a certificate issued by the US government's Let's Encrypt (Let'sEncrypt) website, signed by a member of the public.", "modified": "2024-08-17T11:00:31.537000", "created": "2024-07-18T11:37:08.737000", "tags": [ "historical ssl", "problems", "threat network", "infrastructure", "referrer", "microsoft stuff", "domain check", "record type", "ttl value", "mx a", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cne1", "validity", "subject public", "key info", "key algorithm", "redacted for", "whois lookup", "privacy", "privacy create", "domain", "expiry date", "name", "query time", "united", "registrant fax", "win32 exe", "bush", "pointers", "buckler", "ordination", "pungency", "type name", "apex lehends", "sapphire", "gustier", "privacy tech", "privacy admin", "date", "server", "registrar abuse", "postal code", "country", "stateprovince", "email", "code", "dns replication", "files", "asnone", "virgin islands", "unknown", "passive dns", "urls", "ddos", "trojan", "worm", "please", "accept", "downloader", "suspicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 198, "hostname": 270, "URL": 663, "FileHash-SHA1": 27, "FileHash-SHA256": 189, "FileHash-MD5": 28, "email": 3 }, "indicator_count": 1378, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "652 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a458c9934c2c2387556a", "name": "", "description": "", "modified": "2023-12-06T16:42:00.798000", "created": "2023-12-06T16:42:00.798000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a45205d13649df0844ba", "name": "iOS Hacktool Actively exploited", "description": "", "modified": "2023-12-06T16:41:54.157000", "created": "2023-12-06T16:41:54.157000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a44bb1c37c78fb86e09d", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:41:47.803000", "created": "2023-12-06T16:41:47.803000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a441d4e3eae9a6de91dd", "name": "Apple iOS - COBALT STRIKE", "description": "", "modified": "2023-12-06T16:41:37.067000", "created": "2023-12-06T16:41:37.067000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 112, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a43affc51769be1188f9", "name": "Apple exploit targets private citizen. Actively exploited.", "description": "", "modified": "2023-12-06T16:41:30.939000", "created": "2023-12-06T16:41:30.939000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a434c72e0d41666e0b43", "name": "Targetes iOS Apple Exploit \u2022 Where is Citizens Lab? Apple? This has roots.", "description": "", "modified": "2023-12-06T16:41:24.547000", "created": "2023-12-06T16:41:24.547000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a42c670fdf66b4af46df", "name": "Crimson Apple", "description": "", "modified": "2023-12-06T16:41:16.304000", "created": "2023-12-06T16:41:16.304000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4250011524abcdf1be0", "name": "Apple Tracking \u2022 Remote Access", "description": "", "modified": "2023-12-06T16:41:09.398000", "created": "2023-12-06T16:41:09.398000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a41e852f6b1b04648d44", "name": "Apple iOS Remote Access", "description": "", "modified": "2023-12-06T16:41:02.718000", "created": "2023-12-06T16:41:02.718000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4161da64500aa609121", "name": "Major Apple Exploit", "description": "", "modified": "2023-12-06T16:40:54.425000", "created": "2023-12-06T16:40:54.425000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a40e62ca90307d3ed7a3", "name": "Major Apple Exploit", "description": "", "modified": "2023-12-06T16:40:46.173000", "created": "2023-12-06T16:40:46.173000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64ffd9a1a50c6f76a8f7de02", "name": "Major Apple Exploit", "description": "Exploit/Shellcode Apple \u2022 Remote, Access \u2022 Command and Control \u2022 24/7 Monitoring\nCrimson Apple", "modified": "2023-10-12T01:03:34.287000", "created": "2023-09-12T03:23:13.409000", "tags": [ "ssl certificate", "whois record", "threat roundup", "historical ssl", "september", "whois whois", "march", "resolutions", "august", "subdomains", "april", "cobalt strike", "hacktool", "unlocker", "december", "attack", "malware", "open", "name verdict", "yyyy", "d mmmm", "et tor", "known tor", "relayrouter", "exit", "node traffic", "severity", "misc attack", "llll", "hybrid", "pattern match", "windir", "mitre att", "local", "file", "indicator", "script", "facebook", "mutex", "crimson apple", "hashtablemutex", "drops", "antivirus", "dead", "ascii text", "windows nt", "appdata", "jpeg image", "png image", "jfif standard", "unicode text", "localappdata", "united", "flag", "date", "markmonitor", "name server", "server", "sample", "session details", "no relevant", "hybrid analysis", "click", "size", "copy md5", "sha1", "copy sha1", "sha256", "copy sha256", "runtime process", "type data", "av scan", "result", "openurl c", "prefetch2", "suricata alerts" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1215, "URL": 5266, "domain": 1247, "FileHash-MD5": 31, "FileHash-SHA1": 36, "FileHash-SHA256": 2468, "CVE": 2, "email": 6 }, "indicator_count": 10271, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "962 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64ffdce908b6c507cf08faf7", "name": " ", "description": "", "modified": "2023-10-12T01:03:34.287000", "created": "2023-09-12T03:37:13.129000", "tags": [ "ssl certificate", "whois record", "threat roundup", "historical ssl", "september", "whois whois", "march", "resolutions", "august", "subdomains", "april", "cobalt strike", "hacktool", "unlocker", "december", "attack", "malware", "open", "name verdict", "yyyy", "d mmmm", "et tor", "known tor", "relayrouter", "exit", "node traffic", "severity", "misc attack", "llll", "hybrid", "pattern match", "windir", "mitre att", "local", "file", "indicator", "script", "facebook", "mutex", "crimson apple", "hashtablemutex", "drops", "antivirus", "dead", "ascii text", "windows nt", "appdata", "jpeg image", "png image", "jfif standard", "unicode text", "localappdata", "united", "flag", "date", "markmonitor", "name server", "server", "sample", "session details", "no relevant", "hybrid analysis", "click", "size", "copy md5", "sha1", "copy sha1", "sha256", "copy sha256", "runtime process", "type data", "av scan", "result", "openurl c", "prefetch2", "suricata alerts" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "64ffdba12fec032a4684721c", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1215, "URL": 5266, "domain": 1247, "FileHash-MD5": 31, "FileHash-SHA1": 36, "FileHash-SHA256": 2468, "CVE": 2, "email": 6 }, "indicator_count": 10271, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "962 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64ffdc6c08b6c507cf08faf6", "name": " iOS Hacktool Actively exploited ", "description": "", "modified": "2023-10-12T01:03:34.287000", "created": "2023-09-12T03:35:08.802000", "tags": [ "ssl certificate", "whois record", "threat roundup", "historical ssl", "september", "whois whois", "march", "resolutions", "august", "subdomains", "april", "cobalt strike", "hacktool", "unlocker", "december", "attack", "malware", "open", "name verdict", "yyyy", "d mmmm", "et tor", "known tor", "relayrouter", "exit", "node traffic", "severity", "misc attack", "llll", "hybrid", "pattern match", "windir", "mitre att", "local", "file", "indicator", "script", "facebook", "mutex", "crimson apple", "hashtablemutex", "drops", "antivirus", "dead", "ascii text", "windows nt", "appdata", "jpeg image", "png image", "jfif standard", "unicode text", "localappdata", "united", "flag", "date", "markmonitor", "name server", "server", "sample", "session details", "no relevant", "hybrid analysis", "click", "size", "copy md5", "sha1", "copy sha1", "sha256", "copy sha256", "runtime process", "type data", "av scan", "result", "openurl c", "prefetch2", "suricata alerts" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "64ffdc42fa7e80fbb768244d", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1215, "URL": 5266, "domain": 1247, "FileHash-MD5": 31, "FileHash-SHA1": 36, "FileHash-SHA256": 2468, "CVE": 2, "email": 6 }, "indicator_count": 10271, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "962 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64ffdc42fa7e80fbb768244d", "name": " ", "description": "", "modified": "2023-10-12T01:03:34.287000", "created": "2023-09-12T03:34:26.716000", "tags": [ "ssl certificate", "whois record", "threat roundup", "historical ssl", "september", "whois whois", "march", "resolutions", "august", "subdomains", "april", "cobalt strike", "hacktool", "unlocker", "december", "attack", "malware", "open", "name verdict", "yyyy", "d mmmm", "et tor", "known tor", "relayrouter", "exit", "node traffic", "severity", "misc attack", "llll", "hybrid", "pattern match", "windir", "mitre att", "local", "file", "indicator", "script", "facebook", "mutex", "crimson apple", "hashtablemutex", "drops", "antivirus", "dead", "ascii text", "windows nt", "appdata", "jpeg image", "png image", "jfif standard", "unicode text", "localappdata", "united", "flag", "date", "markmonitor", "name server", "server", "sample", "session details", "no relevant", "hybrid analysis", "click", "size", "copy md5", "sha1", "copy sha1", "sha256", "copy sha256", "runtime process", "type data", "av scan", "result", "openurl c", "prefetch2", "suricata alerts" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "64ffdc2d3c898b5a98fcfc64", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1215, "URL": 5266, "domain": 1247, "FileHash-MD5": 31, "FileHash-SHA1": 36, "FileHash-SHA256": 2468, "CVE": 2, "email": 6 }, "indicator_count": 10271, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "962 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64ffdc2d3c898b5a98fcfc64", "name": "Apple iOS - COBALT STRIKE ", "description": "", "modified": "2023-10-12T01:03:34.287000", "created": "2023-09-12T03:34:05.784000", "tags": [ "ssl certificate", "whois record", "threat roundup", "historical ssl", "september", "whois whois", "march", "resolutions", "august", "subdomains", "april", "cobalt strike", "hacktool", "unlocker", "december", "attack", "malware", "open", "name verdict", "yyyy", "d mmmm", "et tor", "known tor", "relayrouter", "exit", "node traffic", "severity", "misc attack", "llll", "hybrid", "pattern match", "windir", "mitre att", "local", "file", "indicator", "script", "facebook", "mutex", "crimson apple", "hashtablemutex", "drops", "antivirus", "dead", "ascii text", "windows nt", "appdata", "jpeg image", "png image", "jfif standard", "unicode text", "localappdata", "united", "flag", "date", "markmonitor", "name server", "server", "sample", "session details", "no relevant", "hybrid analysis", "click", "size", "copy md5", "sha1", "copy sha1", "sha256", "copy sha256", "runtime process", "type data", "av scan", "result", "openurl c", "prefetch2", "suricata alerts" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "64ffdc093e1a5bc65f6b28b3", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1215, "URL": 5266, "domain": 1247, "FileHash-MD5": 31, "FileHash-SHA1": 36, "FileHash-SHA256": 2468, "CVE": 2, "email": 6 }, "indicator_count": 10271, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "962 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64ffdc093e1a5bc65f6b28b3", "name": "Apple exploit targets private citizen. Actively exploited.", "description": "", "modified": "2023-10-12T01:03:34.287000", "created": "2023-09-12T03:33:29.774000", "tags": [ "ssl certificate", "whois record", "threat roundup", "historical ssl", "september", "whois whois", "march", "resolutions", "august", "subdomains", "april", "cobalt strike", "hacktool", "unlocker", "december", "attack", "malware", "open", "name verdict", "yyyy", "d mmmm", "et tor", "known tor", "relayrouter", "exit", "node traffic", "severity", "misc attack", "llll", "hybrid", "pattern match", "windir", "mitre att", "local", "file", "indicator", "script", "facebook", "mutex", "crimson apple", "hashtablemutex", "drops", "antivirus", "dead", "ascii text", "windows nt", "appdata", "jpeg image", "png image", "jfif standard", "unicode text", "localappdata", "united", "flag", "date", "markmonitor", "name server", "server", "sample", "session details", "no relevant", "hybrid analysis", "click", "size", "copy md5", "sha1", "copy sha1", "sha256", "copy sha256", "runtime process", "type data", "av scan", "result", "openurl c", "prefetch2", "suricata alerts" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "64ffdba12fec032a4684721c", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1215, "URL": 5266, "domain": 1247, "FileHash-MD5": 31, "FileHash-SHA1": 36, "FileHash-SHA256": 2468, "CVE": 2, "email": 6 }, "indicator_count": 10271, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "962 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64ffdba12fec032a4684721c", "name": "Targetes iOS Apple Exploit \u2022 Where is Citizens Lab? Apple? This has roots.", "description": "", "modified": "2023-10-12T01:03:34.287000", "created": "2023-09-12T03:31:45.373000", "tags": [ "ssl certificate", "whois record", "threat roundup", "historical ssl", "september", "whois whois", "march", "resolutions", "august", "subdomains", "april", "cobalt strike", "hacktool", "unlocker", "december", "attack", "malware", "open", "name verdict", "yyyy", "d mmmm", "et tor", "known tor", "relayrouter", "exit", "node traffic", "severity", "misc attack", "llll", "hybrid", "pattern match", "windir", "mitre att", "local", "file", "indicator", "script", "facebook", "mutex", "crimson apple", "hashtablemutex", "drops", "antivirus", "dead", "ascii text", "windows nt", "appdata", "jpeg image", "png image", "jfif standard", "unicode text", "localappdata", "united", "flag", "date", "markmonitor", "name server", "server", "sample", "session details", "no relevant", "hybrid analysis", "click", "size", "copy md5", "sha1", "copy sha1", "sha256", "copy sha256", "runtime process", "type data", "av scan", "result", "openurl c", "prefetch2", "suricata alerts" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "64ffdaed5dc332a3b00549f1", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1215, "URL": 5266, "domain": 1247, "FileHash-MD5": 31, "FileHash-SHA1": 36, "FileHash-SHA256": 2468, "CVE": 2, "email": 6 }, "indicator_count": 10271, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "962 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64ffdaed5dc332a3b00549f1", "name": "Crimson Apple ", "description": "", "modified": "2023-10-12T01:03:34.287000", "created": "2023-09-12T03:28:45.920000", "tags": [ "ssl certificate", "whois record", "threat roundup", "historical ssl", "september", "whois whois", "march", "resolutions", "august", "subdomains", "april", "cobalt strike", "hacktool", "unlocker", "december", "attack", "malware", "open", "name verdict", "yyyy", "d mmmm", "et tor", "known tor", "relayrouter", "exit", "node traffic", "severity", "misc attack", "llll", "hybrid", "pattern match", "windir", "mitre att", "local", "file", "indicator", "script", "facebook", "mutex", "crimson apple", "hashtablemutex", "drops", "antivirus", "dead", "ascii text", "windows nt", "appdata", "jpeg image", "png image", "jfif standard", "unicode text", "localappdata", "united", "flag", "date", "markmonitor", "name server", "server", "sample", "session details", "no relevant", "hybrid analysis", "click", "size", "copy md5", "sha1", "copy sha1", "sha256", "copy sha256", "runtime process", "type data", "av scan", "result", "openurl c", "prefetch2", "suricata alerts" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "64ffdad70ebc73b9922363f8", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1215, "URL": 5266, "domain": 1247, "FileHash-MD5": 31, "FileHash-SHA1": 36, "FileHash-SHA256": 2468, "CVE": 2, "email": 6 }, "indicator_count": 10271, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "962 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64ffdad70ebc73b9922363f8", "name": "Apple Tracking \u2022 Remote Access ", "description": "", "modified": "2023-10-12T01:03:34.287000", "created": "2023-09-12T03:28:23.256000", "tags": [ "ssl certificate", "whois record", "threat roundup", "historical ssl", "september", "whois whois", "march", "resolutions", "august", "subdomains", "april", "cobalt strike", "hacktool", "unlocker", "december", "attack", "malware", "open", "name verdict", "yyyy", "d mmmm", "et tor", "known tor", "relayrouter", "exit", "node traffic", "severity", "misc attack", "llll", "hybrid", "pattern match", "windir", "mitre att", "local", "file", "indicator", "script", "facebook", "mutex", "crimson apple", "hashtablemutex", "drops", "antivirus", "dead", "ascii text", "windows nt", "appdata", "jpeg image", "png image", "jfif standard", "unicode text", "localappdata", "united", "flag", "date", "markmonitor", "name server", "server", "sample", "session details", "no relevant", "hybrid analysis", "click", "size", "copy md5", "sha1", "copy sha1", "sha256", "copy sha256", "runtime process", "type data", "av scan", "result", "openurl c", "prefetch2", "suricata alerts" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "64ffdaa6d6b8dec6c841dddf", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1215, "URL": 5266, "domain": 1247, "FileHash-MD5": 31, "FileHash-SHA1": 36, "FileHash-SHA256": 2468, "CVE": 2, "email": 6 }, "indicator_count": 10271, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "962 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64ffdaa6d6b8dec6c841dddf", "name": "Apple iOS Remote Access ", "description": "", "modified": "2023-10-12T01:03:34.287000", "created": "2023-09-12T03:27:34.382000", "tags": [ "ssl certificate", "whois record", "threat roundup", "historical ssl", "september", "whois whois", "march", "resolutions", "august", "subdomains", "april", "cobalt strike", "hacktool", "unlocker", "december", "attack", "malware", "open", "name verdict", "yyyy", "d mmmm", "et tor", "known tor", "relayrouter", "exit", "node traffic", "severity", "misc attack", "llll", "hybrid", "pattern match", "windir", "mitre att", "local", "file", "indicator", "script", "facebook", "mutex", "crimson apple", "hashtablemutex", "drops", "antivirus", "dead", "ascii text", "windows nt", "appdata", "jpeg image", "png image", "jfif standard", "unicode text", "localappdata", "united", "flag", "date", "markmonitor", "name server", "server", "sample", "session details", "no relevant", "hybrid analysis", "click", "size", "copy md5", "sha1", "copy sha1", "sha256", "copy sha256", "runtime process", "type data", "av scan", "result", "openurl c", "prefetch2", "suricata alerts" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "64ffd9a1a50c6f76a8f7de02", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1215, "URL": 5266, "domain": 1247, "FileHash-MD5": 31, "FileHash-SHA1": 36, "FileHash-SHA256": 2468, "CVE": 2, "email": 6 }, "indicator_count": 10271, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "962 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64ffd9a641b3478bfd23fe30", "name": "Major Apple Exploit", "description": "Exploit/Shellcode Apple \u2022 Remote, Access \u2022 Command and Control \u2022 24/7 Monitoring\nCrimson Apple", "modified": "2023-10-12T01:03:34.287000", "created": "2023-09-12T03:23:18.625000", "tags": [ "ssl certificate", "whois record", "threat roundup", "historical ssl", "september", "whois whois", "march", "resolutions", "august", "subdomains", "april", "cobalt strike", "hacktool", "unlocker", "december", "attack", "malware", "open", "name verdict", "yyyy", "d mmmm", "et tor", "known tor", "relayrouter", "exit", "node traffic", "severity", "misc attack", "llll", "hybrid", "pattern match", "windir", "mitre att", "local", "file", "indicator", "script", "facebook", "mutex", "crimson apple", "hashtablemutex", "drops", "antivirus", "dead", "ascii text", "windows nt", "appdata", "jpeg image", "png image", "jfif standard", "unicode text", "localappdata", "united", "flag", "date", "markmonitor", "name server", "server", "sample", "session details", "no relevant", "hybrid analysis", "click", "size", "copy md5", "sha1", "copy sha1", "sha256", "copy sha256", "runtime process", "type data", "av scan", "result", "openurl c", "prefetch2", "suricata alerts" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1215, "URL": 5266, "domain": 1247, "FileHash-MD5": 31, "FileHash-SHA1": 36, "FileHash-SHA256": 2468, "CVE": 2, "email": 6 }, "indicator_count": 10271, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "962 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 23531 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/fastdomain.com", "whois": "http://whois.domaintools.com/fastdomain.com", "domain": "fastdomain.com", "hostname": "my.fastdomain.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 26, "pulses": [ { "id": "688e31b80edd775fe5d2f34f", "name": "Social Engineering led to -#Lowfi:HSTR:Win32/iWin.B", "description": "Likely: Phone referral led to an in person meeting, financial transaction, telephone numbers exchange, website click, in home service call. The alternative is compromised target was redirected to malicious host or service provider became compromised by targeted persons issue.\nThere are several targeted people. This person is closely associated with a target.(idk -malicious)\nMitre: T1055.015\tListPlanting\t\nDefense Evasion\nPrivilege Escalation\nAdversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges.", "modified": "2025-09-01T15:02:58.791000", "created": "2025-08-02T15:41:44.319000", "tags": [ "united", "search", "moved", "ip address", "creation date", "record value", "date", "gmt server", "gmt content", "certificate", "apache", "encrypt", "gmt path", "set cookie", "httponly", "passive dns", "urls", "address", "meta", "dynamicloader", "write c", "medium", "tlsv1", "show", "entries", "high", "http", "copy", "upatre", "write", "unknown", "asn15169", "google", "asn46606", "unifiedlayeras1", "frankfurt", "main", "germany", "google safe", "browsing", "script urls", "a domains", "libs", "monstroid2", "link", "accept encoding", "script domains", "title", "vary", "jquery", "pulse pulses", "hostname xn", "files domain", "showing", "next associated", "urls show", "date checked", "url hostname", "server response", "present jul", "for privacy", "roboto", "delete", "trojan", "globalc", "mozilla", "guard", "malware", "iwin", "local", "lowfi", "helper", "nsisdl", "executable", "amazon s3", "pe exe", "dll windows", "http yara", "alerts", "meta http", "content", "pragma", "content type", "body", "service", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "windows nt", "mitre att", "ascii text", "show technique", "path", "span", "click", "august", "hybrid", "general", "strings", "footer", "ck matrix" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 460, "hostname": 744, "URL": 3496, "email": 4, "domain": 394, "FileHash-SHA256": 2072, "FileHash-MD5": 464, "SSLCertFingerprint": 7 }, "indicator_count": 7641, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "272 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6867653f0b2d5f4f1abeb55c", "name": "Graphite Mercenary Spyware? Skynet- I failed to adequately research prior pulse. Uh\u2026.hi!", "description": "", "modified": "2025-08-03T04:01:39.496000", "created": "2025-07-04T05:23:11.056000", "tags": [ "utc ua124682679", "google tag", "utc gr8frkfel9k", "utc gjycztvzbg0", "utc gfjlg9p3ltd", "utc g8dm6znp88p", "utc gvev1mxhhbn", "utc na", "palco", "home", "palco og", "palco article", "wordpress", "elementor", "status code", "body length", "kb body", "rdap database", "server", "date", "country", "dnssec", "code", "registrar abuse", "registrar iana", "registrar url", "registrar whois", "registrar", "ttl value", "language", "html document", "ascii text", "doctype", "network", "solutions", "email", "lookups", "for privacy", "united", "creation date", "overview domain", "passive dns", "urls", "files ip", "address", "location united", "asn as13335", "meta", "accept", "present mar", "date checked", "url hostname", "server response", "ip address", "google safe", "results jul", "present jun", "present apr", "entries", "urls show", "results jun", "script urls", "a domains", "moved", "encrypt", "search", "body", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "gmt content", "certificate", "results jan", "present sep", "present may", "present jul", "backdoor", "next associated", "win32", "error", "present", "response ip", "address google", "safe browsing", "associated urls", "show", "results may", "virgin islands", "unknown soa", "unknown ns", "domain", "aaaa", "status", "record value", "name servers", "afe browsing", "gmt setcookie", "path", "vfrbuk1", "lefasbor1", "formula", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "malware", "copy", "present showing", "files show", "date hash", "avast avg", "showing", "present feb", "virtool", "datacenter", "hosting", "vps reverse", "america flag", "america asn", "graphite", "skynet", "win64", "expiration date", "domain add", "pulse pulses", "files", "present nov", "present aug", "kryptikxp", "cname", "whois registrar", "markmonitor", "pulses", "tags", "related tags", "more indicator", "default", "regsetvalueexa", "process32nextw", "regdword", "high", "medium", "todo", "write", "belize", "overview ip", "location belize", "asn as210083", "privex", "alone email", "body doctype", "gmt server", "content type", "t1055", "discovery", "read", "createnowindow", "dock", "push", "motd", "front", "duster" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6867624b645b1724745d6584", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2054, "hostname": 368, "domain": 251, "CIDR": 1, "FileHash-MD5": 492, "FileHash-SHA1": 522, "URL": 508, "email": 8, "CVE": 1 }, "indicator_count": 4205, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "301 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6867624b645b1724745d6584", "name": "BotX | Multiple attack affects \u2018alleged\u2019 Workforce agency", "description": "A \u2018Unnamed\u2019 workforce agency of questionable legitimacy.\nSerious social engineering. #financial. #pii #phi #gathering. \n#Win32:BotX-gen\\ [Trj]\nIDS Detections\n\u2022 TLS Handshake Failure\nAlerts:\n#dead_host\n#network_icmp\n#nolookup_communication\n#modifies_proxy_wpad\n#allocates_rwx\n#injection_process_search\n#protection_rx\n#antivm_network_adapters\n#process_interest\n#antivm_queries_computername\n#checks_debugger\n#pe_unknown_resource\n#injection #apple #remote #rat #dns #virus #malware #bot_gen #attack #masquerading #monitored_target #staged #worforce #whatstrue #withu4ever\n#hoax #banker #ransom #malvertising #innerparty #overwatch #endgame #mirai #virtool #trojans #privilege #meritless #apple \nWeirdness: \n\u2022 simswap.in (mirai)\n\u2022 twitter\n\u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\ngirlsdoporn.com\t\n\u2022 https://twitter.com/PORNO_SEXYBABES\n\u2022 apple-dns.net\n\u2022 pornhub.com \u2022 www.pornhub.com #1984\n#whatdidtargetdo? #preemptive\n#Team8 wants to know.", "modified": "2025-08-03T04:01:39.496000", "created": "2025-07-04T05:10:35.672000", "tags": [ "utc ua124682679", "google tag", "utc gr8frkfel9k", "utc gjycztvzbg0", "utc gfjlg9p3ltd", "utc g8dm6znp88p", "utc gvev1mxhhbn", "utc na", "palco", "home", "palco og", "palco article", "wordpress", "elementor", "status code", "body length", "kb body", "rdap database", "server", "date", "country", "dnssec", "code", "registrar abuse", "registrar iana", "registrar url", "registrar whois", "registrar", "ttl value", "language", "html document", "ascii text", "doctype", "network", "solutions", "email", "lookups", "for privacy", "united", "creation date", "overview domain", "passive dns", "urls", "files ip", "address", "location united", "asn as13335", "meta", "accept", "present mar", "date checked", "url hostname", "server response", "ip address", "google safe", "results jul", "present jun", "present apr", "entries", "urls show", "results jun", "script urls", "a domains", "moved", "encrypt", "search", "body", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "gmt content", "certificate", "results jan", "present sep", "present may", "present jul", "backdoor", "next associated", "win32", "error", "present", "response ip", "address google", "safe browsing", "associated urls", "show", "results may", "virgin islands", "unknown soa", "unknown ns", "domain", "aaaa", "status", "record value", "name servers", "afe browsing", "gmt setcookie", "path", "vfrbuk1", "lefasbor1", "formula", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "malware", "copy", "present showing", "files show", "date hash", "avast avg", "showing", "present feb", "virtool", "datacenter", "hosting", "vps reverse", "america flag", "america asn", "graphite", "skynet", "win64", "expiration date", "domain add", "pulse pulses", "files", "present nov", "present aug", "kryptikxp", "cname", "whois registrar", "markmonitor", "pulses", "tags", "related tags", "more indicator", "default", "regsetvalueexa", "process32nextw", "regdword", "high", "medium", "todo", "write", "belize", "overview ip", "location belize", "asn as210083", "privex", "alone email", "body doctype", "gmt server", "content type", "t1055", "discovery", "read", "createnowindow", "dock", "push", "motd", "front", "duster" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2054, "hostname": 368, "domain": 251, "CIDR": 1, "FileHash-MD5": 492, "FileHash-SHA1": 522, "URL": 508, "email": 8, "CVE": 1 }, "indicator_count": 4205, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "301 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6698fe641699bd68de60f558", "name": "LevelBlue - Open Threat Exchange | idpmimic.org", "description": "Auto-populated \u00bb \"Last certificate\" - \"JARM\" - is the full text of a certificate issued by the US government's Let's Encrypt (Let'sEncrypt) website, signed by a member of the public.", "modified": "2024-08-17T11:00:31.537000", "created": "2024-07-18T11:37:08.737000", "tags": [ "historical ssl", "problems", "threat network", "infrastructure", "referrer", "microsoft stuff", "domain check", "record type", "ttl value", "mx a", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cne1", "validity", "subject public", "key info", "key algorithm", "redacted for", "whois lookup", "privacy", "privacy create", "domain", "expiry date", "name", "query time", "united", "registrant fax", "win32 exe", "bush", "pointers", "buckler", "ordination", "pungency", "type name", "apex lehends", "sapphire", "gustier", "privacy tech", "privacy admin", "date", "server", "registrar abuse", "postal code", "country", "stateprovince", "email", "code", "dns replication", "files", "asnone", "virgin islands", "unknown", "passive dns", "urls", "ddos", "trojan", "worm", "please", "accept", "downloader", "suspicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 198, "hostname": 270, "URL": 663, "FileHash-SHA1": 27, "FileHash-SHA256": 189, "FileHash-MD5": 28, "email": 3 }, "indicator_count": 1378, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "652 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a458c9934c2c2387556a", "name": "", "description": "", "modified": "2023-12-06T16:42:00.798000", "created": "2023-12-06T16:42:00.798000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a45205d13649df0844ba", "name": "iOS Hacktool Actively exploited", "description": "", "modified": "2023-12-06T16:41:54.157000", "created": "2023-12-06T16:41:54.157000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a44bb1c37c78fb86e09d", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:41:47.803000", "created": "2023-12-06T16:41:47.803000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a441d4e3eae9a6de91dd", "name": "Apple iOS - COBALT STRIKE", "description": "", "modified": "2023-12-06T16:41:37.067000", "created": "2023-12-06T16:41:37.067000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 112, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a43affc51769be1188f9", "name": "Apple exploit targets private citizen. Actively exploited.", "description": "", "modified": "2023-12-06T16:41:30.939000", "created": "2023-12-06T16:41:30.939000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a434c72e0d41666e0b43", "name": "Targetes iOS Apple Exploit \u2022 Where is Citizens Lab? Apple? This has roots.", "description": "", "modified": "2023-12-06T16:41:24.547000", "created": "2023-12-06T16:41:24.547000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://my.fastdomain.com/hosting/help/transferaway", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://my.fastdomain.com/hosting/help/transferaway", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780258907.4004984 }