{
  "type": "URL",
  "indicator": "https://norderswing.buzz/xp/system_s.js",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://norderswing.buzz/xp/system_s.js",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4041851549,
      "indicator": "https://norderswing.buzz/xp/system_s.js",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "682bef60c4841f09773d1c7f",
          "name": "Expanded: Close proximity RMS module attack. Critical infrastructure affected. Medical, Business, Legal., Religious institutions",
          "description": "Close proximity hacking tool used following stalking event. Connecting to device attacks other devices and critical systems.\nPegasusLoader expanded. \nCritical Issues \niOS is now an unidentifiable device.\nDuckDuckGo Search engine\nhas emoji arrows \niOS default Google search engine has overlay and continuous flooding of bad traffic. Severe DNS  issue. Botnet involvement, high priority messages intercepted. \nExcessive abuse of MITRE T1480 Execution Guardrails. Geofencing. Targets attacked by illegal PegasusLoader.exe cannot use iOS devices as designed paid the same price as everyone. \n\nI can\u2019t explain how iCloud  only backs up to unknown devices. Users have zero control of any technology devices or content.\nThreat actors have remotely rebuilt device infrastructure  / architecture.\n-Team 8",
          "modified": "2025-06-19T02:03:50.197000",
          "created": "2025-05-20T02:56:31.741000",
          "tags": [
            "win32 exe",
            "file type",
            "name file",
            "text state",
            "text",
            "text geoip6",
            "csv geoip",
            "get https",
            "dns resolutions",
            "number",
            "cnwe1 ogoogle",
            "trust",
            "cus subject",
            "response"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 71,
            "FileHash-SHA1": 176,
            "FileHash-SHA256": 3815,
            "URL": 2239,
            "domain": 850,
            "hostname": 906
          },
          "indicator_count": 8057,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 146,
          "modified_text": "347 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "672f70d470cdbab07d3bdb8f",
          "name": "URLHaus Recent URLs",
          "description": "",
          "modified": "2025-05-15T13:30:30.738000",
          "created": "2024-11-09T14:25:24.551000",
          "tags": [],
          "references": [
            "https://urlhaus.abuse.ch/downloads/csv_recent/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ameermane",
            "id": "77501",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 313720
          },
          "indicator_count": 313720,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 91,
          "modified_text": "381 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67c3a191a3e2ab0ee0c35089",
          "name": "URLHaus data - 01-03-2025",
          "description": "",
          "modified": "2025-04-01T00:03:06.013000",
          "created": "2025-03-02T00:08:49.282000",
          "tags": [
            "32-bit",
            "arm",
            "elf",
            "Mozi",
            "mips",
            "mirai",
            "sh",
            "ua-wget",
            "ddos",
            "64-bit",
            "gafgyt",
            "ClearFake",
            "hajime",
            "backdoor",
            "censys",
            "sshdkit",
            "VenomRAT",
            "vbs",
            "RemcosRAT",
            "exe",
            "hta",
            "AgentTesla",
            "ascii",
            "powershell",
            "ps1",
            "rat",
            "Formbook",
            "quasar",
            "opendir",
            "Encoded",
            "rev-base64-loader",
            "LummaStealer",
            "AsyncRAT",
            "Neshta",
            "encrypted",
            "GuLoader",
            "FakeCaptcha",
            "Triada",
            "FakeMP3",
            "ClickFix",
            "html",
            "apk",
            "botnetdomain",
            "moobot",
            "1049h",
            "mcaptcha",
            "fbi.gov",
            "PureCrypter",
            "Xorbot",
            "HijackLoader",
            "zip",
            "NetSupport",
            "password_kek",
            "I2Parcae",
            "mshta",
            "bash",
            "curl",
            "nginx",
            "wget"
          ],
          "references": [
            "https://urlhaus.abuse.ch/browse/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 75,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1000,
            "hostname": 24,
            "domain": 5
          },
          "indicator_count": 1029,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1623,
          "modified_text": "426 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://urlhaus.abuse.ch/downloads/csv_recent/",
        "https://urlhaus.abuse.ch/browse/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 321665
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/norderswing.buzz",
    "whois": "http://whois.domaintools.com/norderswing.buzz",
    "domain": "norderswing.buzz",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "682bef60c4841f09773d1c7f",
      "name": "Expanded: Close proximity RMS module attack. Critical infrastructure affected. Medical, Business, Legal., Religious institutions",
      "description": "Close proximity hacking tool used following stalking event. Connecting to device attacks other devices and critical systems.\nPegasusLoader expanded. \nCritical Issues \niOS is now an unidentifiable device.\nDuckDuckGo Search engine\nhas emoji arrows \niOS default Google search engine has overlay and continuous flooding of bad traffic. Severe DNS  issue. Botnet involvement, high priority messages intercepted. \nExcessive abuse of MITRE T1480 Execution Guardrails. Geofencing. Targets attacked by illegal PegasusLoader.exe cannot use iOS devices as designed paid the same price as everyone. \n\nI can\u2019t explain how iCloud  only backs up to unknown devices. Users have zero control of any technology devices or content.\nThreat actors have remotely rebuilt device infrastructure  / architecture.\n-Team 8",
      "modified": "2025-06-19T02:03:50.197000",
      "created": "2025-05-20T02:56:31.741000",
      "tags": [
        "win32 exe",
        "file type",
        "name file",
        "text state",
        "text",
        "text geoip6",
        "csv geoip",
        "get https",
        "dns resolutions",
        "number",
        "cnwe1 ogoogle",
        "trust",
        "cus subject",
        "response"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 27,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 71,
        "FileHash-SHA1": 176,
        "FileHash-SHA256": 3815,
        "URL": 2239,
        "domain": 850,
        "hostname": 906
      },
      "indicator_count": 8057,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 146,
      "modified_text": "347 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "672f70d470cdbab07d3bdb8f",
      "name": "URLHaus Recent URLs",
      "description": "",
      "modified": "2025-05-15T13:30:30.738000",
      "created": "2024-11-09T14:25:24.551000",
      "tags": [],
      "references": [
        "https://urlhaus.abuse.ch/downloads/csv_recent/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ameermane",
        "id": "77501",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 313720
      },
      "indicator_count": 313720,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 91,
      "modified_text": "381 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67c3a191a3e2ab0ee0c35089",
      "name": "URLHaus data - 01-03-2025",
      "description": "",
      "modified": "2025-04-01T00:03:06.013000",
      "created": "2025-03-02T00:08:49.282000",
      "tags": [
        "32-bit",
        "arm",
        "elf",
        "Mozi",
        "mips",
        "mirai",
        "sh",
        "ua-wget",
        "ddos",
        "64-bit",
        "gafgyt",
        "ClearFake",
        "hajime",
        "backdoor",
        "censys",
        "sshdkit",
        "VenomRAT",
        "vbs",
        "RemcosRAT",
        "exe",
        "hta",
        "AgentTesla",
        "ascii",
        "powershell",
        "ps1",
        "rat",
        "Formbook",
        "quasar",
        "opendir",
        "Encoded",
        "rev-base64-loader",
        "LummaStealer",
        "AsyncRAT",
        "Neshta",
        "encrypted",
        "GuLoader",
        "FakeCaptcha",
        "Triada",
        "FakeMP3",
        "ClickFix",
        "html",
        "apk",
        "botnetdomain",
        "moobot",
        "1049h",
        "mcaptcha",
        "fbi.gov",
        "PureCrypter",
        "Xorbot",
        "HijackLoader",
        "zip",
        "NetSupport",
        "password_kek",
        "I2Parcae",
        "mshta",
        "bash",
        "curl",
        "nginx",
        "wget"
      ],
      "references": [
        "https://urlhaus.abuse.ch/browse/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 75,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1000,
        "hostname": 24,
        "domain": 5
      },
      "indicator_count": 1029,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1623,
      "modified_text": "426 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://norderswing.buzz/xp/system_s.js",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://norderswing.buzz/xp/system_s.js",
    "type": "URL",
    "found": true,
    "verdict": "malicious",
    "url_status": "offline",
    "threat": "malware_download",
    "tags": [
      "FakeCaptcha",
      "ps1"
    ],
    "date_added": "2025-03-01",
    "last_online": "",
    "reporter": "aachum",
    "host": "norderswing.buzz",
    "payloads": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780289222.5588534
}