{ "type": "URL", "indicator": "https://nextcloud.project-conquer.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://nextcloud.project-conquer.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3839327432, "indicator": "https://nextcloud.project-conquer.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "687c07591d641de3c896d4a9", "name": "icon.palantirfoundry.com - Brazzers Porn", "description": "Another strange pulse. Persistent bad actors moved and changed name of operation; of course. Usual - Hostname\nicon.palantirfoundry.com , Apple, Samsung , X.com , Twitter , Facebook, Google, Palantir NSA or a poser? I was threatened this week, I was told that if I was on the \u2018list\u2019 they have to do anything that is asked including \u2018blow me up\u2019. Sounds nuts but I can\u2019t believe this. Whoever has been doing this is hyper dangerous.\n\nicon.palantirfoundry.com ? P.S. Huge pulse. Can\u2019t use private option to cherry pick the IoC\u2019s I\u2019d like to breakdown. Have I broken a rule?", "modified": "2025-08-18T18:01:11.130000", "created": "2025-07-19T21:00:09.343000", "tags": [ "canada unknown", "passive dns", "ransom", "entries", "ipv4", "pulse submit", "url analysis", "urls", "files", "reverse dns", "united", "unknown ns", "moved", "ip address", "creation date", "search", "omain", "pulse pulses", "body", "date", "showing", "domain", "hostname", "ocloudflare", "stca", "lsan francisco", "ecc ca3", "ecc ca2", "as16509", "unknown", "ms windows", "encrypt", "write", "next", "service", "malware", "copy", "unknown soa", "next associated", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "present jan", "medium", "memcommit", "module load", "t1129", "regopenkeyexw", "fjlsedauv", "et useragents", "go http", "registry run", "persistence", "execution", "checks", "keys", "start folder", "richhash", "external", "virustotal api", "screenshots", "find", "show", "types", "seard type", "indicator", "data upload", "extraction", "failed", "sc data", "type", "extri included", "review data", "sugges data", "find suxxesteu", "typ indicalon" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 62, "FileHash-SHA1": 17, "FileHash-SHA256": 1433, "URL": 10188, "hostname": 5658, "domain": 5753, "email": 4, "SSLCertFingerprint": 20 }, "indicator_count": 23135, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "244 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f6f2cd37f508d362c2db", "name": "PegaSystems | Apple iOS iPad | Malicious | Tracking", "description": "", "modified": "2024-07-01T00:23:14.084000", "created": "2024-07-01T00:23:14.084000", "tags": [ "united", "passive dns", "as14449", "moved", "urls", "authority", "body", "object", "certificate", "scan endpoints", "unknown", "date", "as11377", "as16552 tiggee", "as174 cogent", "ireland unknown", "cname", "as11404 wave", "all scoreblue", "pulse pulses", "entries", "ipv4", "pulse submit", "url analysis", "dynamicloader", "port", "destination", "high", "medium", "windows", "cmd c", "default", "document file", "v2 document", "write", "copy", "name verdict", "falcon sandbox", "sha1", "sha256", "misc attack", "mitre att", "et tor", "known tor", "relayrouter", "exit", "node traffic", "ascii text", "hybrid", "starfield", "click", "strings", "core", "contact", "as396982 google", "historical ssl", "referrer", "co20230203", "malware", "discord", "credential", "lunar client", "trendmicro av", "neural netw", "upscayl", "steam game", "server", "domain status", "registrar abuse", "google", "community", "record type", "ttl value", "data", "v3 serial", "number" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": "664fceb9e0acfc0baee851c2", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 75, "URL": 3584, "domain": 836, "hostname": 1749, "FileHash-SHA256": 726, "FileHash-MD5": 88, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 7068, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "657 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "664fceb9e0acfc0baee851c2", "name": "PegaSystems | Apple iOS iPad | Malicious | Tracking", "description": "Tags, findings of this report is auto generated by Level Blue OTX.AlienVault.\nPer my research: \nMalicious Score: 10/10\nAlerts: Alerts\nransomware_file_modifications, script_created_process, stealth_network, infostealer_cookies, suspicious_command_tools,\ndynamic_function_loading, reads_self,\nstealth_window, cmdline_http_link, uses_windows_utilities, antidebug_setunhandledexceptionfilter, cmdline_terminate, stealth_timeout,\n\nAffected Device: Apples iOS Ipad, Update 17.5.1\npegasystems.voicestorm.com -Cisco Umbrella {permanently moved as of 5.23.2024} found in Apple link - http://apps.apple.com/app/, nsis, downloaders,injection, data local, remotewd devices, tracking,", "modified": "2024-06-22T23:05:37.577000", "created": "2024-05-23T23:18:17.563000", "tags": [ "united", "passive dns", "as14449", "moved", "urls", "authority", "body", "object", "certificate", "scan endpoints", "unknown", "date", "as11377", "as16552 tiggee", "as174 cogent", "ireland unknown", "cname", "as11404 wave", "all scoreblue", "pulse pulses", "entries", "ipv4", "pulse submit", "url analysis", "dynamicloader", "port", "destination", "high", "medium", "windows", "cmd c", "default", "document file", "v2 document", "write", "copy", "name verdict", "falcon sandbox", "sha1", "sha256", "misc attack", "mitre att", "et tor", "known tor", "relayrouter", "exit", "node traffic", "ascii text", "hybrid", "starfield", "click", "strings", "core", "contact", "as396982 google", "historical ssl", "referrer", "co20230203", "malware", "discord", "credential", "lunar client", "trendmicro av", "neural netw", "upscayl", "steam game", "server", "domain status", "registrar abuse", "google", "community", "record type", "ttl value", "data", "v3 serial", "number" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 75, "URL": 3584, "domain": 836, "hostname": 1749, "FileHash-SHA256": 726, "FileHash-MD5": 88, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 7068, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "665 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb4768b06f4da2fba5959b", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:44.270000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb476d0566c2d07e474df5", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:49.140000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb476d935dd560b4a3e938", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:49.380000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb4772c3d3ad1f7accc98a", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:53.179000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "http://micrologin.ogspy.net/track/dhl-information-contact.html", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "CVE: CVE-2023-23397", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "https://twitter.com/PORNO_SEXYBABES", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "www.supernetforme.com [command_and_control]", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "workers.dev [extraction \u2022 GET request attack]", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "ddos.dnsnb8.net [command_and_control]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "sex-ukraine.net", "nexus.b2btest.ertelecom.ru" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Lolkek", "Qakbot", "Ursnif", "Emotet", "Ryuk ransomware", "Hacktool", "Makop", "Lockbit", "Malware", "Sabey", "Hallrender", "Ransomexx", "Hallgrand" ], "industries": [], "unique_indicators": 52062 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/project-conquer.com", "whois": "http://whois.domaintools.com/project-conquer.com", "domain": "project-conquer.com", "hostname": "nextcloud.project-conquer.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "687c07591d641de3c896d4a9", "name": "icon.palantirfoundry.com - Brazzers Porn", "description": "Another strange pulse. Persistent bad actors moved and changed name of operation; of course. Usual - Hostname\nicon.palantirfoundry.com , Apple, Samsung , X.com , Twitter , Facebook, Google, Palantir NSA or a poser? I was threatened this week, I was told that if I was on the \u2018list\u2019 they have to do anything that is asked including \u2018blow me up\u2019. Sounds nuts but I can\u2019t believe this. Whoever has been doing this is hyper dangerous.\n\nicon.palantirfoundry.com ? P.S. Huge pulse. Can\u2019t use private option to cherry pick the IoC\u2019s I\u2019d like to breakdown. Have I broken a rule?", "modified": "2025-08-18T18:01:11.130000", "created": "2025-07-19T21:00:09.343000", "tags": [ "canada unknown", "passive dns", "ransom", "entries", "ipv4", "pulse submit", "url analysis", "urls", "files", "reverse dns", "united", "unknown ns", "moved", "ip address", "creation date", "search", "omain", "pulse pulses", "body", "date", "showing", "domain", "hostname", "ocloudflare", "stca", "lsan francisco", "ecc ca3", "ecc ca2", "as16509", "unknown", "ms windows", "encrypt", "write", "next", "service", "malware", "copy", "unknown soa", "next associated", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "present jan", "medium", "memcommit", "module load", "t1129", "regopenkeyexw", "fjlsedauv", "et useragents", "go http", "registry run", "persistence", "execution", "checks", "keys", "start folder", "richhash", "external", "virustotal api", "screenshots", "find", "show", "types", "seard type", "indicator", "data upload", "extraction", "failed", "sc data", "type", "extri included", "review data", "sugges data", "find suxxesteu", "typ indicalon" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 62, "FileHash-SHA1": 17, "FileHash-SHA256": 1433, "URL": 10188, "hostname": 5658, "domain": 5753, "email": 4, "SSLCertFingerprint": 20 }, "indicator_count": 23135, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "244 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f6f2cd37f508d362c2db", "name": "PegaSystems | Apple iOS iPad | Malicious | Tracking", "description": "", "modified": "2024-07-01T00:23:14.084000", "created": "2024-07-01T00:23:14.084000", "tags": [ "united", "passive dns", "as14449", "moved", "urls", "authority", "body", "object", "certificate", "scan endpoints", "unknown", "date", "as11377", "as16552 tiggee", "as174 cogent", "ireland unknown", "cname", "as11404 wave", "all scoreblue", "pulse pulses", "entries", "ipv4", "pulse submit", "url analysis", "dynamicloader", "port", "destination", "high", "medium", "windows", "cmd c", "default", "document file", "v2 document", "write", "copy", "name verdict", "falcon sandbox", "sha1", "sha256", "misc attack", "mitre att", "et tor", "known tor", "relayrouter", "exit", "node traffic", "ascii text", "hybrid", "starfield", "click", "strings", "core", "contact", "as396982 google", "historical ssl", "referrer", "co20230203", "malware", "discord", "credential", "lunar client", "trendmicro av", "neural netw", "upscayl", "steam game", "server", "domain status", "registrar abuse", "google", "community", "record type", "ttl value", "data", "v3 serial", "number" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": "664fceb9e0acfc0baee851c2", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 75, "URL": 3584, "domain": 836, "hostname": 1749, "FileHash-SHA256": 726, "FileHash-MD5": 88, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 7068, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "657 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "664fceb9e0acfc0baee851c2", "name": "PegaSystems | Apple iOS iPad | Malicious | Tracking", "description": "Tags, findings of this report is auto generated by Level Blue OTX.AlienVault.\nPer my research: \nMalicious Score: 10/10\nAlerts: Alerts\nransomware_file_modifications, script_created_process, stealth_network, infostealer_cookies, suspicious_command_tools,\ndynamic_function_loading, reads_self,\nstealth_window, cmdline_http_link, uses_windows_utilities, antidebug_setunhandledexceptionfilter, cmdline_terminate, stealth_timeout,\n\nAffected Device: Apples iOS Ipad, Update 17.5.1\npegasystems.voicestorm.com -Cisco Umbrella {permanently moved as of 5.23.2024} found in Apple link - http://apps.apple.com/app/, nsis, downloaders,injection, data local, remotewd devices, tracking,", "modified": "2024-06-22T23:05:37.577000", "created": "2024-05-23T23:18:17.563000", "tags": [ "united", "passive dns", "as14449", "moved", "urls", "authority", "body", "object", "certificate", "scan endpoints", "unknown", "date", "as11377", "as16552 tiggee", "as174 cogent", "ireland unknown", "cname", "as11404 wave", "all scoreblue", "pulse pulses", "entries", "ipv4", "pulse submit", "url analysis", "dynamicloader", "port", "destination", "high", "medium", "windows", "cmd c", "default", "document file", "v2 document", "write", "copy", "name verdict", "falcon sandbox", "sha1", "sha256", "misc attack", "mitre att", "et tor", "known tor", "relayrouter", "exit", "node traffic", "ascii text", "hybrid", "starfield", "click", "strings", "core", "contact", "as396982 google", "historical ssl", "referrer", "co20230203", "malware", "discord", "credential", "lunar client", "trendmicro av", "neural netw", "upscayl", "steam game", "server", "domain status", "registrar abuse", "google", "community", "record type", "ttl value", "data", "v3 serial", "number" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 75, "URL": 3584, "domain": 836, "hostname": 1749, "FileHash-SHA256": 726, "FileHash-MD5": 88, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 7068, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "665 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb4768b06f4da2fba5959b", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:44.270000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb476d0566c2d07e474df5", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:49.140000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb476d935dd560b4a3e938", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:49.380000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb4772c3d3ad1f7accc98a", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:53.179000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://nextcloud.project-conquer.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://nextcloud.project-conquer.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776638330.2661295 }