{
  "type": "URL",
  "indicator": "https://nexus-australia-websocket.intercom.io",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://nexus-australia-websocket.intercom.io",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "akamai",
        "message": "Akamai rank: #983",
        "name": "Akamai Popular Domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain intercom.io",
        "name": "Whitelisted domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain intercom.io",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 4000663652,
      "indicator": "https://nexus-australia-websocket.intercom.io",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "6a1fc3671bc3d0f5ce8b06e6",
          "name": "Grok \u2022 X \u2022 Twitter Vflooder | SystemBC | QNAPCrypt",
          "description": "I continue to research issues affecting iOS and other smart devices, browsers, search engines and targeted individuals.\nI will limit my comments as further evaluation is required. Twitter appears to be used as a weapon to abuse of several targeted persons and their schools or businesses. Research is required to determine how. Is Twitter / X a weapon or is it abused by threat actors. Ongoing attacks dating back at least 5 years. || \n*DESCRIPTION: Detects systembc RAT REFERENCE: https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior\n\n#malicious #spyware #twitter #x #ai_ agents #seen_before #systembc #vtflooder #qnapcrypt #cve #checkin #scripiting #injection #extraction #gobinary #operation",
          "modified": "2026-06-03T06:02:15.229000",
          "created": "2026-06-03T06:02:15.229000",
          "tags": [
            "sysv",
            "buildid",
            "united",
            "windows nt",
            "msie",
            "germany as8560",
            "yara detections",
            "contacted",
            "z74457024643q1",
            "systembc",
            "trojan",
            "elf executable",
            "exec amd6464",
            "linux",
            "elf64 operation",
            "unix",
            "compiler",
            "debugging",
            "go binary",
            "injection",
            "header elf64",
            "v exec",
            "executable file",
            "advanced micro",
            "note",
            "strtab",
            "gmbh",
            "gandi sas",
            "group india",
            "private limited",
            "qnapcrypt",
            "hacktool",
            "chrome",
            "yandex",
            "stripchat",
            "amazonaws",
            "mal_elf_systembc",
            "apple ios",
            "ios",
            "apple",
            "telhash",
            "data upload",
            "cursor",
            "se data",
            "extraction",
            "n https",
            "data",
            "failed",
            "cve cve20246387",
            "log id",
            "gmtn",
            "path",
            "secure",
            "self",
            "samesitenone",
            "encrypt",
            "d8n timestamp",
            "timestamp",
            "organization",
            "false",
            "certificate",
            "search",
            "emails",
            "twitter",
            "twitter spyware",
            "twitter vtflooder",
            "x",
            "unknown aaaa",
            "present jun",
            "ip address",
            "belize unknown",
            "unknown ns",
            "grok x",
            "cursor agents",
            "ai",
            "url url",
            "url hostnams",
            "hostn url",
            "url data",
            "belize",
            "a domains",
            "moved",
            "alone email",
            "gmt server",
            "url analysis",
            "accept",
            "namecheap",
            "namecheap inc",
            "namesilo",
            "expim",
            "url https",
            "dynamicloader",
            "host",
            "ff d5",
            "yara rule",
            "ee fc",
            "generic http",
            "exe upload",
            "f0 ff",
            "eb e1",
            "write",
            "vflooder",
            "malware",
            "upload inbound",
            "av detections",
            "ids detections",
            "alerts",
            "analysis date",
            "checkin generic",
            "http exe",
            "upload inbound",
            "outbound yara",
            "nrv2x",
            "upxoepplace",
            "google",
            "adversaries",
            "adversarial attacks",
            "techniques",
            "create",
            "modify system",
            "process t1064",
            "t1543 systemd",
            "technir create",
            "full reports",
            "v tcp",
            "help",
            "ja3 digests",
            "hashes o",
            "et http",
            "get http",
            "post http",
            "dns resolutions",
            "cams",
            "adult content",
            "ff bb",
            "ff ff",
            "f7 b9",
            "c1 e8",
            "copy",
            "markus",
            "august",
            "title",
            "gamehack",
            "alberta.ca",
            "songculture",
            "lizardsquad"
          ],
          "references": [
            "FileHash-SHA256 756f0b598741a6fdff640a158b6b490472e546d411da2850836b9a8ca76afdc1",
            "TelfHash t135324a7149bc74b5b6a6d910b3a3b4b8a6772d6566f434f51023ad84ffc1e801ce283b",
            "Names: testpaging \u2022 upof6w.exe \u2022 2026-04-07_259af8b0d0bc540384a06bb730cee9cd_qnapcrypt",
            "Yara Detections: is__elf IP\u2019s",
            "IP\u2019s Contacted: 104.17.118.12  57.144.248.1  176.114.120.24  80.12.24.14  95.163.61.73  142.251.98.113",
            "IP\u2019s Contacted: 212.227.17.162  77.88.44.55  142.93.142.17  104.18.14.206",
            "Domains Contacted: checkip.amazonaws.com vk.com arena.ai www.yandex.ru stripchat.com",
            "ELF - ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked,",
            "Go BuildID=qBC61D7N3q3H7j2Pq55o/WsPsx2ArOJ0T24axAUMZ/K6isHEI8QMyAMkIM3HH8/QQevOAoeyrO7eZGdBARa,",
            "BuildID[sha1]=068f07f6460b85817e4be47c18c10d1a1fbef817, stripped",
            "motherlesslive.com",
            "blackbox21.shop",
            "passwordreset.gscs.ca  \u2022 https://passwordreset.gscs.ca/",
            "alberta.ca impacts an OTX user",
            "https://stripchat.org/ \u2022  27bsmextreme.tech \u2022 35bsmextreme.tech  \u2022 46bsmextreme.tech  \u2022",
            "FileHash-SHA256 9da8632065cc24646086ff5fb769c452f777aa6c2470a02a16d209baabd1e4b5",
            "storage/analyses/1000549/network 9da8632065cc24646086f f5 fb769c45\"",
            "? Con*-cted jp-\u0661\u0660\u0661\u0660\u0660\u0660.--- \u0644\u062d\u0645\u0627",
            "https://arena.ai/apple-touch-icon-dark.png",
            "https://www.forbes.com/consent/ketch/?toURL=https://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html",
            "nr-data.net \u2022 push.apple.com",
            "https://twitter.com/PORNO_SEXYBABES \u2022 twitter.com",
            "Vtflooder-9783271-0 -> 7476476bdc93726f46f75f5bdd5ce6c619d73f7ee82b7d93ad835c993ff14661",
            "Win.Malware.Vtflooder-9783271-0 -> Domains Contacted twitter.com www.virustotal.com",
            "IP\u2019s Contacted 162.159.140.229  34.54.88.138",
            "IDS Detections: Win32/Vflooder.B Checkin \u2022 Generic HTTP EXE Upload Inbound \u2022 Generic HTTP EXE Upload Outbound",
            "Yara Detections: SUSP_Imphash_Mar23_2 ,  UPX ,  Nrv2x ,  UPX_OEP_place ,   ,   UPXv20MarkusLaszloReiser",
            "Yara Detections: UPX20030XMarkusOberhumerLaszloMolnarJohnReiser",
            "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
            "Alerts: procmem_yara suricata_alert dynamic_function_loading network_cnc_https_generic reads_self",
            "Alerts: network_cnc_http network_http packer_unknown_pe_section_name injection_rwx dead_connect exec_crash",
            "Sigma: Matches rule Suspicious Outbound SMTP Connections by frack113",
            "Suspicious DNS Query for IP Lookup Service APls by Brandon George (blog post) Thomas Patzke",
            "Crowdsourced IDS: ET DROP Spamhaus Listed Traffic Inbound group 60",
            "Matches rule ET INFO External IP Lookup Domain in DNS Lookup (checkip amazonaws .com)",
            "Matches rule ET INFO External IP Check (checkip.amazonaws.com)",
            "ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)",
            "(Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)",
            "Matches rule SURICATA Applayer Detect protocol only one direction virustotal.com",
            "DESCRIPTION: Detects systembc RAT REFERENCE: https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior",
            "https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior",
            "https://docs.cursor.com/en/cli/reference/slash-commands",
            "https://api.cursor.com/v0/agents/",
            "https://grok.com/imagine/agent/d5e99582-a7e7-4138-b129-780e171ba9ac",
            "beacons.bcp.gvt.com \u2022 http://vtboss.yolox.net/md5.php \u2022 finanse.mf.gov.pl",
            "cdn10.mypornvid.fun impacted a targeted individual",
            "https://click.italiansexclub.fun/click/HpdeyDt6",
            "https://sexfortokens.com/hotmilfbitch",
            "Win.Malware.Gamehack-6822792-0 IDS Detections Riskware/Cheathappens Checkin (songculture attack)"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Trojan.Systembc/yxgdgz",
              "display_name": "Trojan.Systembc/yxgdgz",
              "target": null
            },
            {
              "id": "CVE-2023-22518",
              "display_name": "CVE-2023-22518",
              "target": null
            },
            {
              "id": "CVE-2024-6387",
              "display_name": "CVE-2024-6387",
              "target": null
            },
            {
              "id": "CVE-2025-20393",
              "display_name": "CVE-2025-20393",
              "target": null
            },
            {
              "id": "Win.Malware.Vtflooder-6722904-1",
              "display_name": "Win.Malware.Vtflooder-6722904-1",
              "target": null
            },
            {
              "id": "Trojan:Win32/Vflooder",
              "display_name": "Trojan:Win32/Vflooder",
              "target": "/malware/Trojan:Win32/Vflooder"
            },
            {
              "id": "QNAPCrypt",
              "display_name": "QNAPCrypt",
              "target": null
            },
            {
              "id": "Win.Malware.Gamehack-6822792-0",
              "display_name": "Win.Malware.Gamehack-6822792-0",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "TA0028",
              "name": "Persistence",
              "display_name": "TA0028 - Persistence"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "T1543.002",
              "name": "Systemd Service",
              "display_name": "T1543.002 - Systemd Service"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1587.001",
              "name": "Malware",
              "display_name": "T1587.001 - Malware"
            },
            {
              "id": "T1468",
              "name": "Remotely Track Device Without Authorization",
              "display_name": "T1468 - Remotely Track Device Without Authorization"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1262,
            "FileHash-MD5": 164,
            "FileHash-SHA1": 207,
            "IPv4": 180,
            "URL": 1780,
            "domain": 370,
            "hostname": 708,
            "CVE": 3,
            "email": 4,
            "SSLCertFingerprint": 4
          },
          "indicator_count": 4682,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "16 hours ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6608aaf7ca0e965e593ed1d4",
          "name": "MUI programu Microsoft Office Access (w j\u0119zyku angielskim) zosta\u0142o u\u017cyte do wys\u0142ania z\u0142o\u015bliwego oprogramowania na serwer w Czechach jest to pierwszy tego typu atak na komputer.                     e",
          "description": "A look back at some of the key words and phrases used to describe the situation in Italy, as \"probacja\" (or \"democrata), as they were translated into English.",
          "modified": "2025-10-17T11:03:07.034000",
          "created": "2024-03-31T00:14:47.183000",
          "tags": [
            "sha256",
            "ssdeep",
            "reputacja",
            "tworzy pliki",
            "informacje",
            "bardzo duga",
            "tworzy",
            "adresy url",
            "tworzy katalog",
            "win64",
            "ameryki",
            "typ pliku",
            "serwer nazw",
            "san jose",
            "adres",
            "digital",
            "data wyganicia",
            "csc corporate",
            "domains",
            "ca data",
            "data utworzenia",
            "dnssec"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6432,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 3,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2140,
            "hostname": 5874,
            "FileHash-SHA256": 12539,
            "FileHash-MD5": 3686,
            "FileHash-SHA1": 2751,
            "IPv4": 503,
            "URL": 10770,
            "email": 26,
            "CVE": 88,
            "YARA": 6,
            "JA3": 2,
            "IPv6": 28,
            "SSLCertFingerprint": 5,
            "BitcoinAddress": 3,
            "CIDR": 1
          },
          "indicator_count": 38422,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "229 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "689af6a1704fa2745bc8c2a3",
          "name": "Hijacked Twitter / X.com account. Phishing | Abnormal use",
          "description": "Hijacked phishing Twitter/ X.com.\nWin32/Unruy.C Activity\n#phishing #hijacked #intercoms #unruy #trojan #VTflood #malware #attack",
          "modified": "2025-09-11T08:02:36.759000",
          "created": "2025-08-12T08:09:05.642000",
          "tags": [
            "log id",
            "gmtn",
            "secure",
            "tls web",
            "passive dns",
            "urls",
            "path",
            "self",
            "encrypt",
            "ca issuers",
            "false",
            "search",
            "read c",
            "united",
            "entries",
            "show",
            "showing",
            "msie",
            "windows nt",
            "wow64",
            "slcc2",
            "copy",
            "write",
            "suspicious",
            "malware",
            "unknown",
            "process32nextw",
            "shellexecuteexw",
            "medium process",
            "discovery t1057",
            "t1057",
            "discovery",
            "medium",
            "locally unique",
            "identifier",
            "veailmboprd",
            "next associated",
            "ipv4 add",
            "pulse pulses",
            "files",
            "asn as13335",
            "dns resolutions",
            "domains top",
            "smoke loader",
            "trojan",
            "body",
            "learn",
            "ck id",
            "name tactics",
            "informative",
            "adversaries",
            "command",
            "spawns",
            "ssl certificate",
            "execution att",
            "show process",
            "programfiles",
            "command decode",
            "flag",
            "suricata ipv4",
            "mitre att",
            "show technique",
            "ck matrix",
            "date",
            "comspec",
            "model",
            "twitter",
            "august",
            "hybrid",
            "general",
            "click",
            "strings"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 31,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1504,
            "FileHash-SHA256": 1232,
            "SSLCertFingerprint": 14,
            "domain": 245,
            "hostname": 526,
            "FileHash-MD5": 43,
            "FileHash-SHA1": 38
          },
          "indicator_count": 3602,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "265 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68451577ada8bb0aa0834edb",
          "name": "X - Business Social Media Account used to attack victim",
          "description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.",
          "modified": "2025-07-08T04:03:04.386000",
          "created": "2025-06-08T04:45:43.423000",
          "tags": [
            "trojan",
            "ids detections",
            "yara detections",
            "alerts",
            "analysis date",
            "file score",
            "upxoepplace",
            "pulses none",
            "related tags",
            "none file",
            "markus",
            "april",
            "win32",
            "copy",
            "usvwu",
            "usvw",
            "high",
            "medium",
            "show",
            "uss c",
            "binary file",
            "yara",
            "write",
            "delphi",
            "enigma",
            "present mar",
            "aaaa",
            "united",
            "passive dns",
            "date",
            "present nov",
            "moved",
            "urls",
            "creation date",
            "entries",
            "body",
            "trojandropper",
            "susp",
            "msr jul",
            "next associated",
            "pulse pulses",
            "mtb jun",
            "backdoor",
            "content length",
            "html document",
            "ascii text",
            "search",
            "internalname",
            "entries pe",
            "showing",
            "filehash",
            "md5 add",
            "av detections",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "spawns",
            "mitre att",
            "ck techniques",
            "copy md5",
            "copy sha1",
            "copy sha256",
            "sha1",
            "sha256",
            "pattern match",
            "size",
            "encrypt",
            "june",
            "hybrid",
            "local",
            "path",
            "click",
            "twitter",
            "strings",
            "url https",
            "url http",
            "report spam",
            "created",
            "hours ago",
            "bad actor",
            "ck ids",
            "t1057",
            "discovery",
            "t1071",
            "amer",
            "ipv4",
            "indicator role",
            "title added",
            "active related",
            "pulses",
            "china",
            "hong kong",
            "russia",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "pulses url",
            "filehashsha256",
            "url add",
            "http",
            "ip address",
            "related nids",
            "files location",
            "flag united",
            "domain",
            "hostname",
            "next",
            "filehashmd5",
            "protocol",
            "t1105",
            "tool transfer",
            "t1480"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 637,
            "FileHash-SHA1": 639,
            "FileHash-SHA256": 5380,
            "domain": 676,
            "hostname": 1120,
            "URL": 1031,
            "SSLCertFingerprint": 4
          },
          "indicator_count": 9487,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "330 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "684522ae1f20db8b90ea41a4",
          "name": "Stealthy Nexus Australia -X.com attacks against monitored targets",
          "description": "Nexus-australia-websocket-Australia.\n#malware  #injected #trojandropper #delf_deletes_spyware #spyware #malicious #badactor #backdoor #encrypts #warning_office_encrypted_doc",
          "modified": "2025-07-08T04:03:04.386000",
          "created": "2025-06-08T05:42:06.731000",
          "tags": [
            "url https",
            "url http",
            "united",
            "china",
            "hong kong",
            "russia",
            "search",
            "type indicator",
            "role title",
            "added active",
            "amer",
            "related pulses",
            "ipv4",
            "entries",
            "flag",
            "indicator role",
            "title added",
            "active related",
            "filehashmd5",
            "ck ids",
            "t1057",
            "discovery",
            "t1071",
            "protocol",
            "t1105",
            "tool transfer",
            "t1480",
            "guardrails",
            "t1553",
            "log id",
            "gmtn",
            "passive dns",
            "urls",
            "digicert tls",
            "rsa sha256",
            "tls web",
            "full name",
            "digicert inc",
            "organization",
            "false",
            "pulses hostname",
            "showing",
            "dynamicloader",
            "medium",
            "write c",
            "show",
            "yara detections",
            "copy",
            "high",
            "t1055",
            "write",
            "april",
            "report spam",
            "business social",
            "media account",
            "created",
            "minutes ago",
            "t1060",
            "run keys",
            "startup",
            "folder",
            "url add",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "flag united",
            "filehash",
            "sha256 add",
            "av detections",
            "ids detections",
            "alerts",
            "analysis date",
            "detections name",
            "previous",
            "exif data",
            "value exe",
            "fileflags",
            "machinetype amd",
            "amd64 exe",
            "fileos windows",
            "pulse",
            "file score",
            "low risk",
            "pulses"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            }
          ],
          "industries": [
            "Financial"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 888,
            "domain": 115,
            "hostname": 275,
            "FileHash-MD5": 34,
            "FileHash-SHA256": 158,
            "FileHash-SHA1": 30,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 1502,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "330 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6843fe89793d0ef8e2afc34d",
          "name": "Deleted SocialMedia",
          "description": "Bad Actor Deleted SocialMedia account found in breach forum.",
          "modified": "2025-07-07T08:03:42.325000",
          "created": "2025-06-07T08:55:37.612000",
          "tags": [
            "body",
            "secure",
            "self",
            "path",
            "date sat",
            "gmt contenttype",
            "connection",
            "accept",
            "gmt pragma",
            "deny",
            "maxage34214400",
            "learn",
            "spawns",
            "command",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "adversaries",
            "ssl certificate",
            "found",
            "copy sha256",
            "copy md5",
            "copy sha1",
            "sha1",
            "sha256",
            "size",
            "type data",
            "ascii text",
            "pattern match",
            "mitre att",
            "show technique",
            "ck matrix",
            "file",
            "indicator",
            "show process",
            "encrypt",
            "june",
            "hybrid",
            "local"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1628,
            "domain": 58,
            "URL": 390,
            "hostname": 204,
            "FileHash-MD5": 84,
            "FileHash-SHA1": 88,
            "SSLCertFingerprint": 4
          },
          "indicator_count": 2456,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "331 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "681386d75c34469176686756",
          "name": "x.com/KulinskiArkadi",
          "description": "",
          "modified": "2025-05-31T14:01:10.044000",
          "created": "2025-05-01T14:36:07.422000",
          "tags": [
            "script",
            "etag",
            "sharing",
            "cors",
            "mediatype",
            "mediasubtype",
            "contenttype",
            "header",
            "combination",
            "compression",
            "encrypt",
            "cookie",
            "critical",
            "twitter",
            "iframe",
            "insert",
            "info",
            "error",
            "suspicious",
            "find",
            "screen",
            "grok",
            "body"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 471,
            "CIDR": 34,
            "FileHash-MD5": 9,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 1177,
            "domain": 214,
            "hostname": 430,
            "email": 2
          },
          "indicator_count": 2342,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 123,
          "modified_text": "368 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6759e015bddb89de26c4219a",
          "name": "fonts.gstatic.com/s/opensans/v15/mem8YaGs126MiZpBA-UFVZ0b.woff2",
          "description": "The full text of the text above the line of this page, which has been published by BBC Radio 5 live, can be viewed by the BBC iPlayer, iplayer, app and website.",
          "modified": "2025-05-14T21:24:40.387000",
          "created": "2024-12-11T18:55:17.578000",
          "tags": [
            "callnexthookex",
            "callwindowprocw",
            "createbitmap",
            "createfilea",
            "createwindowexw",
            "decodepointer",
            "defwindowprocw",
            "destroywindow",
            "enablewindow",
            "encodepointer",
            "cachebuster",
            "or requesturl",
            "url praca",
            "opswatreputacja",
            "ssdeep",
            "brak",
            "blob",
            "indie",
            "hetzner online",
            "gmbh",
            "helsinki",
            "niemcy",
            "finlandia",
            "globe telecoms",
            "ovh hosting",
            "zredagowano dla",
            "prywatnoci"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 3,
            "FileHash-SHA1": 3,
            "URL": 378,
            "domain": 43,
            "hostname": 151,
            "FileHash-MD5": 2,
            "IPv4": 36
          },
          "indicator_count": 616,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 123,
          "modified_text": "385 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "IP\u2019s Contacted 162.159.140.229  34.54.88.138",
        "https://docs.cursor.com/en/cli/reference/slash-commands",
        "Alerts: network_cnc_http network_http packer_unknown_pe_section_name injection_rwx dead_connect exec_crash",
        "https://arena.ai/apple-touch-icon-dark.png",
        "TelfHash t135324a7149bc74b5b6a6d910b3a3b4b8a6772d6566f434f51023ad84ffc1e801ce283b",
        "Domains Contacted: checkip.amazonaws.com vk.com arena.ai www.yandex.ru stripchat.com",
        "Yara Detections: SUSP_Imphash_Mar23_2 ,  UPX ,  Nrv2x ,  UPX_OEP_place ,   ,   UPXv20MarkusLaszloReiser",
        "https://stripchat.org/ \u2022  27bsmextreme.tech \u2022 35bsmextreme.tech  \u2022 46bsmextreme.tech  \u2022",
        "Alerts: procmem_yara suricata_alert dynamic_function_loading network_cnc_https_generic reads_self",
        "? Con*-cted jp-\u0661\u0660\u0661\u0660\u0660\u0660.--- \u0644\u062d\u0645\u0627",
        "Suspicious DNS Query for IP Lookup Service APls by Brandon George (blog post) Thomas Patzke",
        "https://twitter.com/PORNO_SEXYBABES \u2022 twitter.com",
        "IP\u2019s Contacted: 104.17.118.12  57.144.248.1  176.114.120.24  80.12.24.14  95.163.61.73  142.251.98.113",
        "Matches rule ET INFO External IP Check (checkip.amazonaws.com)",
        "motherlesslive.com",
        "FileHash-SHA256 9da8632065cc24646086ff5fb769c452f777aa6c2470a02a16d209baabd1e4b5",
        "Win.Malware.Vtflooder-9783271-0 -> Domains Contacted twitter.com www.virustotal.com",
        "Names: testpaging \u2022 upof6w.exe \u2022 2026-04-07_259af8b0d0bc540384a06bb730cee9cd_qnapcrypt",
        "https://click.italiansexclub.fun/click/HpdeyDt6",
        "https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior",
        "ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)",
        "Matches rule ET INFO External IP Lookup Domain in DNS Lookup (checkip amazonaws .com)",
        "storage/analyses/1000549/network 9da8632065cc24646086f f5 fb769c45\"",
        "blackbox21.shop",
        "cdn10.mypornvid.fun impacted a targeted individual",
        "nr-data.net \u2022 push.apple.com",
        "Vtflooder-9783271-0 -> 7476476bdc93726f46f75f5bdd5ce6c619d73f7ee82b7d93ad835c993ff14661",
        "Matches rule SURICATA Applayer Detect protocol only one direction virustotal.com",
        "alberta.ca impacts an OTX user",
        "Win.Malware.Gamehack-6822792-0 IDS Detections Riskware/Cheathappens Checkin (songculture attack)",
        "FileHash-SHA256 756f0b598741a6fdff640a158b6b490472e546d411da2850836b9a8ca76afdc1",
        "passwordreset.gscs.ca  \u2022 https://passwordreset.gscs.ca/",
        "beacons.bcp.gvt.com \u2022 http://vtboss.yolox.net/md5.php \u2022 finanse.mf.gov.pl",
        "Go BuildID=qBC61D7N3q3H7j2Pq55o/WsPsx2ArOJ0T24axAUMZ/K6isHEI8QMyAMkIM3HH8/QQevOAoeyrO7eZGdBARa,",
        "https://grok.com/imagine/agent/d5e99582-a7e7-4138-b129-780e171ba9ac",
        "IP\u2019s Contacted: 212.227.17.162  77.88.44.55  142.93.142.17  104.18.14.206",
        "(Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)",
        "DESCRIPTION: Detects systembc RAT REFERENCE: https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior",
        "https://api.cursor.com/v0/agents/",
        "IDS Detections: Win32/Vflooder.B Checkin \u2022 Generic HTTP EXE Upload Inbound \u2022 Generic HTTP EXE Upload Outbound",
        "Sigma: Matches rule Suspicious Outbound SMTP Connections by frack113",
        "BuildID[sha1]=068f07f6460b85817e4be47c18c10d1a1fbef817, stripped",
        "https://sexfortokens.com/hotmilfbitch",
        "Yara Detections: is__elf IP\u2019s",
        "https://www.forbes.com/consent/ketch/?toURL=https://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html",
        "Crowdsourced IDS: ET DROP Spamhaus Listed Traffic Inbound group 60",
        "Yara Detections: UPX20030XMarkusOberhumerLaszloMolnarJohnReiser",
        "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
        "ELF - ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked,"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Cve-2025-20393",
            "Trojan:win32/vflooder",
            "Cve-2024-6387",
            "Win.malware.gamehack-6822792-0",
            "Trojan.systembc/yxgdgz",
            "Qnapcrypt",
            "Win.malware.vtflooder-6722904-1",
            "Cve-2023-22518"
          ],
          "industries": [
            "Financial"
          ],
          "unique_indicators": 54228
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/intercom.io",
    "whois": "http://whois.domaintools.com/intercom.io",
    "domain": "intercom.io",
    "hostname": "nexus-australia-websocket.intercom.io"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "6a1fc3671bc3d0f5ce8b06e6",
      "name": "Grok \u2022 X \u2022 Twitter Vflooder | SystemBC | QNAPCrypt",
      "description": "I continue to research issues affecting iOS and other smart devices, browsers, search engines and targeted individuals.\nI will limit my comments as further evaluation is required. Twitter appears to be used as a weapon to abuse of several targeted persons and their schools or businesses. Research is required to determine how. Is Twitter / X a weapon or is it abused by threat actors. Ongoing attacks dating back at least 5 years. || \n*DESCRIPTION: Detects systembc RAT REFERENCE: https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior\n\n#malicious #spyware #twitter #x #ai_ agents #seen_before #systembc #vtflooder #qnapcrypt #cve #checkin #scripiting #injection #extraction #gobinary #operation",
      "modified": "2026-06-03T06:02:15.229000",
      "created": "2026-06-03T06:02:15.229000",
      "tags": [
        "sysv",
        "buildid",
        "united",
        "windows nt",
        "msie",
        "germany as8560",
        "yara detections",
        "contacted",
        "z74457024643q1",
        "systembc",
        "trojan",
        "elf executable",
        "exec amd6464",
        "linux",
        "elf64 operation",
        "unix",
        "compiler",
        "debugging",
        "go binary",
        "injection",
        "header elf64",
        "v exec",
        "executable file",
        "advanced micro",
        "note",
        "strtab",
        "gmbh",
        "gandi sas",
        "group india",
        "private limited",
        "qnapcrypt",
        "hacktool",
        "chrome",
        "yandex",
        "stripchat",
        "amazonaws",
        "mal_elf_systembc",
        "apple ios",
        "ios",
        "apple",
        "telhash",
        "data upload",
        "cursor",
        "se data",
        "extraction",
        "n https",
        "data",
        "failed",
        "cve cve20246387",
        "log id",
        "gmtn",
        "path",
        "secure",
        "self",
        "samesitenone",
        "encrypt",
        "d8n timestamp",
        "timestamp",
        "organization",
        "false",
        "certificate",
        "search",
        "emails",
        "twitter",
        "twitter spyware",
        "twitter vtflooder",
        "x",
        "unknown aaaa",
        "present jun",
        "ip address",
        "belize unknown",
        "unknown ns",
        "grok x",
        "cursor agents",
        "ai",
        "url url",
        "url hostnams",
        "hostn url",
        "url data",
        "belize",
        "a domains",
        "moved",
        "alone email",
        "gmt server",
        "url analysis",
        "accept",
        "namecheap",
        "namecheap inc",
        "namesilo",
        "expim",
        "url https",
        "dynamicloader",
        "host",
        "ff d5",
        "yara rule",
        "ee fc",
        "generic http",
        "exe upload",
        "f0 ff",
        "eb e1",
        "write",
        "vflooder",
        "malware",
        "upload inbound",
        "av detections",
        "ids detections",
        "alerts",
        "analysis date",
        "checkin generic",
        "http exe",
        "upload inbound",
        "outbound yara",
        "nrv2x",
        "upxoepplace",
        "google",
        "adversaries",
        "adversarial attacks",
        "techniques",
        "create",
        "modify system",
        "process t1064",
        "t1543 systemd",
        "technir create",
        "full reports",
        "v tcp",
        "help",
        "ja3 digests",
        "hashes o",
        "et http",
        "get http",
        "post http",
        "dns resolutions",
        "cams",
        "adult content",
        "ff bb",
        "ff ff",
        "f7 b9",
        "c1 e8",
        "copy",
        "markus",
        "august",
        "title",
        "gamehack",
        "alberta.ca",
        "songculture",
        "lizardsquad"
      ],
      "references": [
        "FileHash-SHA256 756f0b598741a6fdff640a158b6b490472e546d411da2850836b9a8ca76afdc1",
        "TelfHash t135324a7149bc74b5b6a6d910b3a3b4b8a6772d6566f434f51023ad84ffc1e801ce283b",
        "Names: testpaging \u2022 upof6w.exe \u2022 2026-04-07_259af8b0d0bc540384a06bb730cee9cd_qnapcrypt",
        "Yara Detections: is__elf IP\u2019s",
        "IP\u2019s Contacted: 104.17.118.12  57.144.248.1  176.114.120.24  80.12.24.14  95.163.61.73  142.251.98.113",
        "IP\u2019s Contacted: 212.227.17.162  77.88.44.55  142.93.142.17  104.18.14.206",
        "Domains Contacted: checkip.amazonaws.com vk.com arena.ai www.yandex.ru stripchat.com",
        "ELF - ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked,",
        "Go BuildID=qBC61D7N3q3H7j2Pq55o/WsPsx2ArOJ0T24axAUMZ/K6isHEI8QMyAMkIM3HH8/QQevOAoeyrO7eZGdBARa,",
        "BuildID[sha1]=068f07f6460b85817e4be47c18c10d1a1fbef817, stripped",
        "motherlesslive.com",
        "blackbox21.shop",
        "passwordreset.gscs.ca  \u2022 https://passwordreset.gscs.ca/",
        "alberta.ca impacts an OTX user",
        "https://stripchat.org/ \u2022  27bsmextreme.tech \u2022 35bsmextreme.tech  \u2022 46bsmextreme.tech  \u2022",
        "FileHash-SHA256 9da8632065cc24646086ff5fb769c452f777aa6c2470a02a16d209baabd1e4b5",
        "storage/analyses/1000549/network 9da8632065cc24646086f f5 fb769c45\"",
        "? Con*-cted jp-\u0661\u0660\u0661\u0660\u0660\u0660.--- \u0644\u062d\u0645\u0627",
        "https://arena.ai/apple-touch-icon-dark.png",
        "https://www.forbes.com/consent/ketch/?toURL=https://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html",
        "nr-data.net \u2022 push.apple.com",
        "https://twitter.com/PORNO_SEXYBABES \u2022 twitter.com",
        "Vtflooder-9783271-0 -> 7476476bdc93726f46f75f5bdd5ce6c619d73f7ee82b7d93ad835c993ff14661",
        "Win.Malware.Vtflooder-9783271-0 -> Domains Contacted twitter.com www.virustotal.com",
        "IP\u2019s Contacted 162.159.140.229  34.54.88.138",
        "IDS Detections: Win32/Vflooder.B Checkin \u2022 Generic HTTP EXE Upload Inbound \u2022 Generic HTTP EXE Upload Outbound",
        "Yara Detections: SUSP_Imphash_Mar23_2 ,  UPX ,  Nrv2x ,  UPX_OEP_place ,   ,   UPXv20MarkusLaszloReiser",
        "Yara Detections: UPX20030XMarkusOberhumerLaszloMolnarJohnReiser",
        "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
        "Alerts: procmem_yara suricata_alert dynamic_function_loading network_cnc_https_generic reads_self",
        "Alerts: network_cnc_http network_http packer_unknown_pe_section_name injection_rwx dead_connect exec_crash",
        "Sigma: Matches rule Suspicious Outbound SMTP Connections by frack113",
        "Suspicious DNS Query for IP Lookup Service APls by Brandon George (blog post) Thomas Patzke",
        "Crowdsourced IDS: ET DROP Spamhaus Listed Traffic Inbound group 60",
        "Matches rule ET INFO External IP Lookup Domain in DNS Lookup (checkip amazonaws .com)",
        "Matches rule ET INFO External IP Check (checkip.amazonaws.com)",
        "ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)",
        "(Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)",
        "Matches rule SURICATA Applayer Detect protocol only one direction virustotal.com",
        "DESCRIPTION: Detects systembc RAT REFERENCE: https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior",
        "https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior",
        "https://docs.cursor.com/en/cli/reference/slash-commands",
        "https://api.cursor.com/v0/agents/",
        "https://grok.com/imagine/agent/d5e99582-a7e7-4138-b129-780e171ba9ac",
        "beacons.bcp.gvt.com \u2022 http://vtboss.yolox.net/md5.php \u2022 finanse.mf.gov.pl",
        "cdn10.mypornvid.fun impacted a targeted individual",
        "https://click.italiansexclub.fun/click/HpdeyDt6",
        "https://sexfortokens.com/hotmilfbitch",
        "Win.Malware.Gamehack-6822792-0 IDS Detections Riskware/Cheathappens Checkin (songculture attack)"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Trojan.Systembc/yxgdgz",
          "display_name": "Trojan.Systembc/yxgdgz",
          "target": null
        },
        {
          "id": "CVE-2023-22518",
          "display_name": "CVE-2023-22518",
          "target": null
        },
        {
          "id": "CVE-2024-6387",
          "display_name": "CVE-2024-6387",
          "target": null
        },
        {
          "id": "CVE-2025-20393",
          "display_name": "CVE-2025-20393",
          "target": null
        },
        {
          "id": "Win.Malware.Vtflooder-6722904-1",
          "display_name": "Win.Malware.Vtflooder-6722904-1",
          "target": null
        },
        {
          "id": "Trojan:Win32/Vflooder",
          "display_name": "Trojan:Win32/Vflooder",
          "target": "/malware/Trojan:Win32/Vflooder"
        },
        {
          "id": "QNAPCrypt",
          "display_name": "QNAPCrypt",
          "target": null
        },
        {
          "id": "Win.Malware.Gamehack-6822792-0",
          "display_name": "Win.Malware.Gamehack-6822792-0",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "TA0028",
          "name": "Persistence",
          "display_name": "TA0028 - Persistence"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "T1543.002",
          "name": "Systemd Service",
          "display_name": "T1543.002 - Systemd Service"
        },
        {
          "id": "TA0002",
          "name": "Execution",
          "display_name": "TA0002 - Execution"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "T1457",
          "name": "Malicious Media Content",
          "display_name": "T1457 - Malicious Media Content"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1587.001",
          "name": "Malware",
          "display_name": "T1587.001 - Malware"
        },
        {
          "id": "T1468",
          "name": "Remotely Track Device Without Authorization",
          "display_name": "T1468 - Remotely Track Device Without Authorization"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1262,
        "FileHash-MD5": 164,
        "FileHash-SHA1": 207,
        "IPv4": 180,
        "URL": 1780,
        "domain": 370,
        "hostname": 708,
        "CVE": 3,
        "email": 4,
        "SSLCertFingerprint": 4
      },
      "indicator_count": 4682,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "16 hours ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6608aaf7ca0e965e593ed1d4",
      "name": "MUI programu Microsoft Office Access (w j\u0119zyku angielskim) zosta\u0142o u\u017cyte do wys\u0142ania z\u0142o\u015bliwego oprogramowania na serwer w Czechach jest to pierwszy tego typu atak na komputer.                     e",
      "description": "A look back at some of the key words and phrases used to describe the situation in Italy, as \"probacja\" (or \"democrata), as they were translated into English.",
      "modified": "2025-10-17T11:03:07.034000",
      "created": "2024-03-31T00:14:47.183000",
      "tags": [
        "sha256",
        "ssdeep",
        "reputacja",
        "tworzy pliki",
        "informacje",
        "bardzo duga",
        "tworzy",
        "adresy url",
        "tworzy katalog",
        "win64",
        "ameryki",
        "typ pliku",
        "serwer nazw",
        "san jose",
        "adres",
        "digital",
        "data wyganicia",
        "csc corporate",
        "domains",
        "ca data",
        "data utworzenia",
        "dnssec"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6432,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 3,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 2140,
        "hostname": 5874,
        "FileHash-SHA256": 12539,
        "FileHash-MD5": 3686,
        "FileHash-SHA1": 2751,
        "IPv4": 503,
        "URL": 10770,
        "email": 26,
        "CVE": 88,
        "YARA": 6,
        "JA3": 2,
        "IPv6": 28,
        "SSLCertFingerprint": 5,
        "BitcoinAddress": 3,
        "CIDR": 1
      },
      "indicator_count": 38422,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "229 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "689af6a1704fa2745bc8c2a3",
      "name": "Hijacked Twitter / X.com account. Phishing | Abnormal use",
      "description": "Hijacked phishing Twitter/ X.com.\nWin32/Unruy.C Activity\n#phishing #hijacked #intercoms #unruy #trojan #VTflood #malware #attack",
      "modified": "2025-09-11T08:02:36.759000",
      "created": "2025-08-12T08:09:05.642000",
      "tags": [
        "log id",
        "gmtn",
        "secure",
        "tls web",
        "passive dns",
        "urls",
        "path",
        "self",
        "encrypt",
        "ca issuers",
        "false",
        "search",
        "read c",
        "united",
        "entries",
        "show",
        "showing",
        "msie",
        "windows nt",
        "wow64",
        "slcc2",
        "copy",
        "write",
        "suspicious",
        "malware",
        "unknown",
        "process32nextw",
        "shellexecuteexw",
        "medium process",
        "discovery t1057",
        "t1057",
        "discovery",
        "medium",
        "locally unique",
        "identifier",
        "veailmboprd",
        "next associated",
        "ipv4 add",
        "pulse pulses",
        "files",
        "asn as13335",
        "dns resolutions",
        "domains top",
        "smoke loader",
        "trojan",
        "body",
        "learn",
        "ck id",
        "name tactics",
        "informative",
        "adversaries",
        "command",
        "spawns",
        "ssl certificate",
        "execution att",
        "show process",
        "programfiles",
        "command decode",
        "flag",
        "suricata ipv4",
        "mitre att",
        "show technique",
        "ck matrix",
        "date",
        "comspec",
        "model",
        "twitter",
        "august",
        "hybrid",
        "general",
        "click",
        "strings"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 31,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1504,
        "FileHash-SHA256": 1232,
        "SSLCertFingerprint": 14,
        "domain": 245,
        "hostname": 526,
        "FileHash-MD5": 43,
        "FileHash-SHA1": 38
      },
      "indicator_count": 3602,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "265 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68451577ada8bb0aa0834edb",
      "name": "X - Business Social Media Account used to attack victim",
      "description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.",
      "modified": "2025-07-08T04:03:04.386000",
      "created": "2025-06-08T04:45:43.423000",
      "tags": [
        "trojan",
        "ids detections",
        "yara detections",
        "alerts",
        "analysis date",
        "file score",
        "upxoepplace",
        "pulses none",
        "related tags",
        "none file",
        "markus",
        "april",
        "win32",
        "copy",
        "usvwu",
        "usvw",
        "high",
        "medium",
        "show",
        "uss c",
        "binary file",
        "yara",
        "write",
        "delphi",
        "enigma",
        "present mar",
        "aaaa",
        "united",
        "passive dns",
        "date",
        "present nov",
        "moved",
        "urls",
        "creation date",
        "entries",
        "body",
        "trojandropper",
        "susp",
        "msr jul",
        "next associated",
        "pulse pulses",
        "mtb jun",
        "backdoor",
        "content length",
        "html document",
        "ascii text",
        "search",
        "internalname",
        "entries pe",
        "showing",
        "filehash",
        "md5 add",
        "av detections",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "spawns",
        "mitre att",
        "ck techniques",
        "copy md5",
        "copy sha1",
        "copy sha256",
        "sha1",
        "sha256",
        "pattern match",
        "size",
        "encrypt",
        "june",
        "hybrid",
        "local",
        "path",
        "click",
        "twitter",
        "strings",
        "url https",
        "url http",
        "report spam",
        "created",
        "hours ago",
        "bad actor",
        "ck ids",
        "t1057",
        "discovery",
        "t1071",
        "amer",
        "ipv4",
        "indicator role",
        "title added",
        "active related",
        "pulses",
        "china",
        "hong kong",
        "russia",
        "type indicator",
        "role title",
        "added active",
        "related pulses",
        "pulses url",
        "filehashsha256",
        "url add",
        "http",
        "ip address",
        "related nids",
        "files location",
        "flag united",
        "domain",
        "hostname",
        "next",
        "filehashmd5",
        "protocol",
        "t1105",
        "tool transfer",
        "t1480"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 637,
        "FileHash-SHA1": 639,
        "FileHash-SHA256": 5380,
        "domain": 676,
        "hostname": 1120,
        "URL": 1031,
        "SSLCertFingerprint": 4
      },
      "indicator_count": 9487,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 143,
      "modified_text": "330 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "684522ae1f20db8b90ea41a4",
      "name": "Stealthy Nexus Australia -X.com attacks against monitored targets",
      "description": "Nexus-australia-websocket-Austraia .\n#malware  #injected #trojandropper #delf_deletes_spyware #spyware #malicious #badactor #backdoor #encrypts #warning_office_encrypted_doc",
      "modified": "2025-07-08T04:03:04.386000",
      "created": "2025-06-08T05:42:06.731000",
      "tags": [
        "url https",
        "url http",
        "united",
        "china",
        "hong kong",
        "russia",
        "search",
        "type indicator",
        "role title",
        "added active",
        "amer",
        "related pulses",
        "ipv4",
        "entries",
        "flag",
        "indicator role",
        "title added",
        "active related",
        "filehashmd5",
        "ck ids",
        "t1057",
        "discovery",
        "t1071",
        "protocol",
        "t1105",
        "tool transfer",
        "t1480",
        "guardrails",
        "t1553",
        "log id",
        "gmtn",
        "passive dns",
        "urls",
        "digicert tls",
        "rsa sha256",
        "tls web",
        "full name",
        "digicert inc",
        "organization",
        "false",
        "pulses hostname",
        "showing",
        "dynamicloader",
        "medium",
        "write c",
        "show",
        "yara detections",
        "copy",
        "high",
        "t1055",
        "write",
        "april",
        "report spam",
        "business social",
        "media account",
        "created",
        "minutes ago",
        "t1060",
        "run keys",
        "startup",
        "folder",
        "url add",
        "pulse pulses",
        "http",
        "ip address",
        "related nids",
        "files location",
        "flag united",
        "filehash",
        "sha256 add",
        "av detections",
        "ids detections",
        "alerts",
        "analysis date",
        "detections name",
        "previous",
        "exif data",
        "value exe",
        "fileflags",
        "machinetype amd",
        "amd64 exe",
        "fileos windows",
        "pulse",
        "file score",
        "low risk",
        "pulses"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        }
      ],
      "industries": [
        "Financial"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 888,
        "domain": 115,
        "hostname": 275,
        "FileHash-MD5": 34,
        "FileHash-SHA256": 158,
        "FileHash-SHA1": 30,
        "SSLCertFingerprint": 2
      },
      "indicator_count": 1502,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "330 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6843fe89793d0ef8e2afc34d",
      "name": "Deleted SocialMedia",
      "description": "Bad Actor Deleted SocialMedia account found in breach forum.",
      "modified": "2025-07-07T08:03:42.325000",
      "created": "2025-06-07T08:55:37.612000",
      "tags": [
        "body",
        "secure",
        "self",
        "path",
        "date sat",
        "gmt contenttype",
        "connection",
        "accept",
        "gmt pragma",
        "deny",
        "maxage34214400",
        "learn",
        "spawns",
        "command",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "adversaries",
        "ssl certificate",
        "found",
        "copy sha256",
        "copy md5",
        "copy sha1",
        "sha1",
        "sha256",
        "size",
        "type data",
        "ascii text",
        "pattern match",
        "mitre att",
        "show technique",
        "ck matrix",
        "file",
        "indicator",
        "show process",
        "encrypt",
        "june",
        "hybrid",
        "local"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1628,
        "domain": 58,
        "URL": 390,
        "hostname": 204,
        "FileHash-MD5": 84,
        "FileHash-SHA1": 88,
        "SSLCertFingerprint": 4
      },
      "indicator_count": 2456,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "331 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "681386d75c34469176686756",
      "name": "x.com/KulinskiArkadi",
      "description": "",
      "modified": "2025-05-31T14:01:10.044000",
      "created": "2025-05-01T14:36:07.422000",
      "tags": [
        "script",
        "etag",
        "sharing",
        "cors",
        "mediatype",
        "mediasubtype",
        "contenttype",
        "header",
        "combination",
        "compression",
        "encrypt",
        "cookie",
        "critical",
        "twitter",
        "iframe",
        "insert",
        "info",
        "error",
        "suspicious",
        "find",
        "screen",
        "grok",
        "body"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 471,
        "CIDR": 34,
        "FileHash-MD5": 9,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 1177,
        "domain": 214,
        "hostname": 430,
        "email": 2
      },
      "indicator_count": 2342,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 123,
      "modified_text": "368 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6759e015bddb89de26c4219a",
      "name": "fonts.gstatic.com/s/opensans/v15/mem8YaGs126MiZpBA-UFVZ0b.woff2",
      "description": "The full text of the text above the line of this page, which has been published by BBC Radio 5 live, can be viewed by the BBC iPlayer, iplayer, app and website.",
      "modified": "2025-05-14T21:24:40.387000",
      "created": "2024-12-11T18:55:17.578000",
      "tags": [
        "callnexthookex",
        "callwindowprocw",
        "createbitmap",
        "createfilea",
        "createwindowexw",
        "decodepointer",
        "defwindowprocw",
        "destroywindow",
        "enablewindow",
        "encodepointer",
        "cachebuster",
        "or requesturl",
        "url praca",
        "opswatreputacja",
        "ssdeep",
        "brak",
        "blob",
        "indie",
        "hetzner online",
        "gmbh",
        "helsinki",
        "niemcy",
        "finlandia",
        "globe telecoms",
        "ovh hosting",
        "zredagowano dla",
        "prywatnoci"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 3,
        "FileHash-SHA1": 3,
        "URL": 378,
        "domain": 43,
        "hostname": 151,
        "FileHash-MD5": 2,
        "IPv4": 36
      },
      "indicator_count": 616,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 123,
      "modified_text": "385 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://nexus-australia-websocket.intercom.io",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://nexus-australia-websocket.intercom.io",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780524311.720489
}