{ "type": "URL", "indicator": "https://ns-0.awsdns-00.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ns-0.awsdns-00.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4019271198, "indicator": "https://ns-0.awsdns-00.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "69b2b7cb05b2098c1d2bf20f", "name": "federal goverment clone cellbrite credit q vashti", "description": "", "modified": "2026-03-12T12:55:39.046000", "created": "2026-03-12T12:55:39.046000", "tags": [ "url https", "url http", "germany", "united", "ukraine", "japan", "extraction", "data upload", "urls", "url analysis", "enter sc", "extr", "iocs", "active", "france unknown", "present jan", "servers", "homair sweet", "grabber", "encrypt", "ipv4", "role title", "divx", "pitfall", "internet", "ip role", "america asn", "extraction data", "leveibielabs", "all se", "enter source", "url or", "texirag", "drop", "present nov", "united states", "america", "levdibidelabs", "failed", "idron anv", "include manualv", "review data", "iterng", "name servers", "passive dns", "incapsula", "meta name", "robots content", "x ua", "ieedge chrome1", "script head", "request", "cookie", "indicator", "msie", "chrome", "backdoor", "gmt content", "ipv4 add", "twitter", "title", "process32nextw", "ms windows", "intel", "pe32", "regopenkeyexa", "read c", "medium", "class", "write", "template", "present oct", "present jul", "aaaa", "present sep", "present aug", "url add", "http", "hostname", "related tags", "kx81xdbx0f", "x86xd3", "xa7xe28x06", "x82xd4", "delete c", "regsetvalueexa", "regbinary", "xa1xf1", "xe8xc2x14", "malware", "stream", "unknown", "win32", "persistence", "execution", "push", "present dec", "italy", "present jun", "embeddedwb", "whitelisted", "windows nt", "dns traffic", "russia", "cname", "accept", "destination", "port", "et smtp", "message", "et trojan", "components", "suspicious", "download", "hostile", "next", "logic", "gather victim", "et info", "etpro trojan", "trojan", "report spam", "interesting", "created", "pegasus", "manipulation", "service", "capture", "et", "etpro", "host", "attack", "mtb description", "windows", "shellexecuteexw", "writeconsolew", "registry", "t1031", "modify existing", "dock", "type indicator", "added active", "related pulses", "arcflex", "filehashsha1", "types of", "learn more", "filehashsha256", "cellebrite", "white label", "search", "sha1", "france", "cmanual jan", "expiration date", "domain add", "pulse submit", "files", "ip address", "gmt cache", "sameorigin", "reverse dns", "unknown ns", "admin org", "zipcode", "gmt server", "pulse pulses", "entries", "hostname add", "verdict", "germany unknown", "status", "domain", "xpirat", "netherlands", "netherlands asn", "as35280 acorus", "dns resolutions", "error", "files ip", "copy", "telnet login", "suspicious path", "busybox", "login attempt", "gpl telnet", "high", "tcp syn", "telnet root", "path", "mirai", "emails", "domain name", "jlu11q", "tqbplo", "hours ago", "found", "yahoo", "gmail", "yandex", "https://cellebrite.com/en/federal-government/", "monitoring", "monitored target", "dangerous", "spyware", "80211", "colorado", "x amz", "government", "mirai login attempt", "emotet", "c2", ".ru", ".com", "denver", "indicator role", "title added", "active related", "pulses hostname", "dead connect", "hostile", "adversarial", "abuse", "criminal intent", "block messages", "botnet" ], "references": [ "fastwebnet.it | Cellebrite White Label Spyware Service", "putrhnwl.exe", "Yara Detections: Nullsoft_NSIS", "Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut", "Alerts: exe_appdata injection_process_search privilege_luid_check process_interest", "Alerts: queries_programs antivm_queries_computername antivm_memory_available", "IP\u2019s Contacted : 54.230.129.165", "Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com", "Domains Contacted: pitfall.divx.com www.google.com", "RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Yara: Detections Tofsee", "Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey", "Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername", "https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966", "FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,", "DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe", "ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116", "ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116", "ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101", "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108", "ET TROJAN Suspicious double Server Header", "ET DNS DNS Query to a .tk domain - Likey", "ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101", "Needs to be sorted. Actively being exploited on US", "162.159.134.42 \u2022 https://cellebrite.com/", "https://cellebrite.com/en/federal-government/", "moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in", "skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au", "http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com", "applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33", "mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my", "http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Germany", "Ireland", "Switzerland", "Poland", "Belgium", "Netherlands", "Sweden" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/Aptdrop.RU", "display_name": "Trojan:Win32/Aptdrop.RU", "target": "/malware/Trojan:Win32/Aptdrop.RU" }, { "id": "Ransomware/Win.Stop.R4529", "display_name": "Ransomware/Win.Stop.R4529", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Win32/BackdoorX", "display_name": "Win32/BackdoorX", "target": null }, { "id": "Win.Trojan.Dialog-9873788-0", "display_name": "Win.Trojan.Dialog-9873788-0", "target": null }, { "id": "Tsunami-6981155-0", "display_name": "Tsunami-6981155-0", "target": null }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1196", "name": "Control Panel Items", "display_name": "T1196 - Control Panel Items" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1581", "name": "Geofencing", "display_name": "T1581 - Geofencing" }, { "id": "T1582", "name": "SMS Control", "display_name": "T1582 - SMS Control" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [ "Journalists", "Government", "Civil Society" ], "TLP": "green", "cloned_from": "696f7d467763ed4d4e74d133", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4994, "domain": 2519, "hostname": 3281, "FileHash-SHA256": 4467, "FileHash-MD5": 1118, "FileHash-SHA1": 1056, "email": 12, "SSLCertFingerprint": 1 }, "indicator_count": 17448, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696f7d467763ed4d4e74d133", "name": "Federal Government-Cellebrite Attack found actively targeting iOS and other devices | Mirai login attempts | TelNet Login", "description": "https://cellebrite.com/en/federal-government/ | Found on a crime victims devices. Targets abused by spyware in an unethical manner by andvesarial \u2018governmental\u2019 possibly \u2018contracted\u2019 entities. Waged against targets such as victims of crime , journalists , researchers , students. Target Users: Serves public safety, enterprise, and government sectors, aiding first responders, investigators, prosecutors, and analysts. How it's Used Law enforcement uses it to unlock devices and retrieve evidence like messages, location history, and app data for criminal investigations. It helps uncover critical information from digital devices, even recovering data that users thought was permanently deleted. Controversy & Privacy Concerns While marketed as a tool for lawful investigations, its powerful data extraction capabilities raise significant privacy concerns and ethical debates.", "modified": "2026-02-19T12:05:47.166000", "created": "2026-01-20T13:04:06.622000", "tags": [ "url https", "url http", "germany", "united", "ukraine", "japan", "extraction", "data upload", "urls", "url analysis", "enter sc", "extr", "iocs", "active", "france unknown", "present jan", "servers", "homair sweet", "grabber", "encrypt", "ipv4", "role title", "divx", "pitfall", "internet", "ip role", "america asn", "extraction data", "leveibielabs", "all se", "enter source", "url or", "texirag", "drop", "present nov", "united states", "america", "levdibidelabs", "failed", "idron anv", "include manualv", "review data", "iterng", "name servers", "passive dns", "incapsula", "meta name", "robots content", "x ua", "ieedge chrome1", "script head", "request", "cookie", "indicator", "msie", "chrome", "backdoor", "gmt content", "ipv4 add", "twitter", "title", "process32nextw", "ms windows", "intel", "pe32", "regopenkeyexa", "read c", "medium", "class", "write", "template", "present oct", "present jul", "aaaa", "present sep", "present aug", "url add", "http", "hostname", "related tags", "kx81xdbx0f", "x86xd3", "xa7xe28x06", "x82xd4", "delete c", "regsetvalueexa", "regbinary", "xa1xf1", "xe8xc2x14", "malware", "stream", "unknown", "win32", "persistence", "execution", "push", "present dec", "italy", "present jun", "embeddedwb", "whitelisted", "windows nt", "dns traffic", "russia", "cname", "accept", "destination", "port", "et smtp", "message", "et trojan", "components", "suspicious", "download", "hostile", "next", "logic", "gather victim", "et info", "etpro trojan", "trojan", "report spam", "interesting", "created", "pegasus", "manipulation", "service", "capture", "et", "etpro", "host", "attack", "mtb description", "windows", "shellexecuteexw", "writeconsolew", "registry", "t1031", "modify existing", "dock", "type indicator", "added active", "related pulses", "arcflex", "filehashsha1", "types of", "learn more", "filehashsha256", "cellebrite", "white label", "search", "sha1", "france", "cmanual jan", "expiration date", "domain add", "pulse submit", "files", "ip address", "gmt cache", "sameorigin", "reverse dns", "unknown ns", "admin org", "zipcode", "gmt server", "pulse pulses", "entries", "hostname add", "verdict", "germany unknown", "status", "domain", "xpirat", "netherlands", "netherlands asn", "as35280 acorus", "dns resolutions", "error", "files ip", "copy", "telnet login", "suspicious path", "busybox", "login attempt", "gpl telnet", "high", "tcp syn", "telnet root", "path", "mirai", "emails", "domain name", "jlu11q", "tqbplo", "hours ago", "found", "yahoo", "gmail", "yandex", "https://cellebrite.com/en/federal-government/", "monitoring", "monitored target", "dangerous", "spyware", "80211", "colorado", "x amz", "government", "mirai login attempt", "emotet", "c2", ".ru", ".com", "denver", "indicator role", "title added", "active related", "pulses hostname", "dead connect", "hostile", "adversarial", "abuse", "criminal intent", "block messages", "botnet" ], "references": [ "fastwebnet.it | Cellebrite White Label Spyware Service", "putrhnwl.exe", "Yara Detections: Nullsoft_NSIS", "Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut", "Alerts: exe_appdata injection_process_search privilege_luid_check process_interest", "Alerts: queries_programs antivm_queries_computername antivm_memory_available", "IP\u2019s Contacted : 54.230.129.165", "Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com", "Domains Contacted: pitfall.divx.com www.google.com", "RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Yara: Detections Tofsee", "Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey", "Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername", "https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966", "FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,", "DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe", "ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116", "ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116", "ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101", "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108", "ET TROJAN Suspicious double Server Header", "ET DNS DNS Query to a .tk domain - Likey", "ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101", "Needs to be sorted. Actively being exploited on US", "162.159.134.42 \u2022 https://cellebrite.com/", "https://cellebrite.com/en/federal-government/", "moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in", "skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au", "http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com", "applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33", "mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my", "http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Germany", "Ireland", "Switzerland", "Poland", "Belgium", "Netherlands", "Sweden" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/Aptdrop.RU", "display_name": "Trojan:Win32/Aptdrop.RU", "target": "/malware/Trojan:Win32/Aptdrop.RU" }, { "id": "Ransomware/Win.Stop.R4529", "display_name": "Ransomware/Win.Stop.R4529", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Win32/BackdoorX", "display_name": "Win32/BackdoorX", "target": null }, { "id": "Win.Trojan.Dialog-9873788-0", "display_name": "Win.Trojan.Dialog-9873788-0", "target": null }, { "id": "Tsunami-6981155-0", "display_name": "Tsunami-6981155-0", "target": null }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1196", "name": "Control Panel Items", "display_name": "T1196 - Control Panel Items" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1581", "name": "Geofencing", "display_name": "T1581 - Geofencing" }, { "id": "T1582", "name": "SMS Control", "display_name": "T1582 - SMS Control" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [ "Journalists", "Government", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4994, "domain": 2519, "hostname": 3281, "FileHash-SHA256": 4467, "FileHash-MD5": 1118, "FileHash-SHA1": 1056, "email": 12, "SSLCertFingerprint": 1 }, "indicator_count": 17448, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6946ef0ba069c6b92160f8f6", "name": "Doomscroller \u2022 BrowserHappy | Part 1", "description": "Comments reserved for Part 2.\nOTX I extraction keeps timing out for me. Possibly location/signal related.", "modified": "2026-01-19T17:03:32.999000", "created": "2025-12-20T18:46:35.660000", "tags": [ "servers", "united states", "united", "script script", "cnc beacon", "x5drh", "ipv4", "urls", "twitter", "trojandropper", "ipv4 add", "reverse dns", "ransom", "mtb may", "backdoor", "trojanspy", "loee7oiy", "trojan", "win32", "susp", "mtb jul", "virtool", "mtb aug", "worm", "avast avg", "lowfi", "multiplug jun", "urls show", "url hostname", "server response", "ip address", "google safe", "results dec", "k dec", "read c", "process32nextw", "tls handshake", "search", "show", "et info", "failure", "unknown", "service", "malware", "tools", "win64", "write", "revil", "sodinokibi", "titan", "mtb trojan", "mtb alf", "win32dinwod may" ], "references": [ "Xpirat = doomscroller.io", "IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers", "Win32/Agent.BH PUP/PUA Downloader CnC Checkin", "Terse HTTP 1.0 Request Possible Nivdort Trojan-Banker.Win32.Agent.ree Checkin Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 4 AlphaCrypt CnC Beacon 3 WS/JS Downloader Mar 07 2017 M1 Koobface HTTP Request (2) Alphacrypt/TeslaCrypt Ransomware CnC Beacon", "Trojan-Banker.Win32.Agent.ree Checkin Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 4 AlphaCrypt CnC Beacon 3 WS/JS Downloader Mar 07 2017 M1 Koobface HTTP Request (2) Alphacrypt/TeslaCrypt Ransomware CnC Beacon" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Upatre.AA", "display_name": "TrojanDownloader:Win32/Upatre.AA", "target": "/malware/TrojanDownloader:Win32/Upatre.AA" }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Sodinoki", "display_name": "Sodinoki", "target": null }, { "id": "Ransom:Win32/Revil.A", "display_name": "Ransom:Win32/Revil.A", "target": "/malware/Ransom:Win32/Revil.A" }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "!#HSTR:SigGen0136cb6c", "display_name": "!#HSTR:SigGen0136cb6c", "target": null }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "Win.Malware", "display_name": "Win.Malware", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.BG", "display_name": "TrojanSpy:Win32/Nivdort.BG", "target": "/malware/TrojanSpy:Win32/Nivdort.BG" }, { "id": "#Lowfi:Lua:Mampa:99!ml", "display_name": "#Lowfi:Lua:Mampa:99!ml", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "#Lowfi:HSTR:Installer:Multiplug", "display_name": "#Lowfi:HSTR:Installer:Multiplug", "target": null }, { "id": "TrojanDropper:Win32/Dinwod", "display_name": "TrojanDropper:Win32/Dinwod", "target": "/malware/TrojanDropper:Win32/Dinwod" }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.CB", "display_name": "TrojanSpy:Win32/Nivdort.CB", "target": "/malware/TrojanSpy:Win32/Nivdort.CB" }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Trojan:Win32/Zbot.SIBB6!MTB", "display_name": "Trojan:Win32/Zbot.SIBB6!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBB6!MTB" }, { "id": "Ploprolo", "display_name": "Ploprolo", "target": null }, { "id": "#Lowfi:HSTR:VirTool:Win32/Obfuscator!Diplugem.F", "display_name": "#Lowfi:HSTR:VirTool:Win32/Obfuscator!Diplugem.F", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 692, "URL": 1666, "FileHash-SHA256": 630, "hostname": 804, "FileHash-MD5": 441, "FileHash-SHA1": 437, "SSLCertFingerprint": 1, "CVE": 1 }, "indicator_count": 4672, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9a1ef2dd26ec62a3c298c", "name": "Listeners - Malicious Over the top espionage | Cyber Warfare?", "description": "Cyber attacks on targeted devices stored safely, separately, don\u2019t communicate with one another. PalantirFoundry.com shares IP addresses with Fastly. South African IP\u2019s and DGA domains bounce from US Denver , Co based IP and Domain addresses. Registrar Abuse: HTTP/2 404 content type: text/html content length: 2263 date: Wed 22 Oct 2025 22:32:18 GMT server: Envoy\n443 Certificate Subject: US\n443 Certificate Subject: Colorado\n443 Certificate Subject: Denver\n443 Certificate Subject: Palantir Technologies Inc.\n443 Certificate Subject: listeners.usw-19.palantirfoundry.com", "modified": "2025-11-22T00:01:42.464000", "created": "2025-10-23T03:33:03.315000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 180, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9a6f4e35193c04401daaf", "name": "Emotet & VirTool Obsfuscator - Registrar abuse tracking civilians", "description": "", "modified": "2025-11-22T00:01:42.464000", "created": "2025-10-23T03:54:28.671000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": "68f9a1ef2dd26ec62a3c298c", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69069167e1e2a222bd7762f2", "name": "Palantir - Spyware", "description": "", "modified": "2025-11-22T00:01:42.464000", "created": "2025-11-01T23:01:59.339000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": "68f9a1ef2dd26ec62a3c298c", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "privacynotacrime", "id": "349346", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6894f30905efa56990bb10f6", "name": "Expanded device-local-****remotewd.com", "description": "device-local-2ffdbd74-9f90-41fa-beb8-454ed65788c5.remotewd.com", "modified": "2025-09-06T06:03:31.462000", "created": "2025-08-07T18:40:09.876000", "tags": [ "hostname", "pulse pulses", "passive dns", "urls", "files", "ip address", "nameservers", "date hash", "avast avg", "entries", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "itre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "mitre att", "pattern match", "show technique", "ck matrix", "null", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "domain", "hostname add", "files ip", "address", "location united", "hash avast", "avg clamav", "msdefender aug", "united", "port", "destination", "as16509", "search", "unknown", "ocloudflare", "medium", "memcommit", "service", "write", "next", "persistence", "execution", "malware", "copy", "encrypt", "win32", "mtb feb", "trojan", "susp", "trojandropper", "msr feb", "trojanspy", "next associated", "urls show", "date checked", "virtool", "win64", "worm", "mtb may", "files show", "heur", "script", "dropper", "ransom", "vitro", "pe32", "intel", "ms windows", "as15169", "read c", "asnone", "show", "packing t1045", "t1045", "delphi", "code", "june" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6741, "domain": 5822, "FileHash-SHA256": 1550, "URL": 16348, "FileHash-MD5": 287, "FileHash-SHA1": 242, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 31000, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6894f4e6c41982f405592b55", "name": "Worm:Win32/Mydoom | Expanded device-local-****remotewd.com", "description": "", "modified": "2025-09-06T06:03:31.462000", "created": "2025-08-07T18:48:06.557000", "tags": [ "hostname", "pulse pulses", "passive dns", "urls", "files", "ip address", "nameservers", "date hash", "avast avg", "entries", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "itre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "mitre att", "pattern match", "show technique", "ck matrix", "null", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "domain", "hostname add", "files ip", "address", "location united", "hash avast", "avg clamav", "msdefender aug", "united", "port", "destination", "as16509", "search", "unknown", "ocloudflare", "medium", "memcommit", "service", "write", "next", "persistence", "execution", "malware", "copy", "encrypt", "win32", "mtb feb", "trojan", "susp", "trojandropper", "msr feb", "trojanspy", "next associated", "urls show", "date checked", "virtool", "win64", "worm", "mtb may", "files show", "heur", "script", "dropper", "ransom", "vitro", "pe32", "intel", "ms windows", "as15169", "read c", "asnone", "show", "packing t1045", "t1045", "delphi", "code", "june" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": "6894f30905efa56990bb10f6", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6741, "domain": 5822, "FileHash-SHA256": 1550, "URL": 16348, "FileHash-MD5": 287, "FileHash-SHA1": 242, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 31000, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6773128b197198508ca38129", "name": "norton extra", "description": "", "modified": "2025-05-28T16:34:24.019000", "created": "2024-12-30T21:37:15.935000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3079, "hostname": 5287, "URL": 17154, "FileHash-SHA256": 763 }, "indicator_count": 26283, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "326 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33", "DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe", "Needs to be sorted. Actively being exploited on US", "IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers", "Alerts: queries_programs antivm_queries_computername antivm_memory_available", "ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101", "Trojan-Banker.Win32.Agent.ree Checkin Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 4 AlphaCrypt CnC Beacon 3 WS/JS Downloader Mar 07 2017 M1 Koobface HTTP Request (2) Alphacrypt/TeslaCrypt Ransomware CnC Beacon", "162.159.134.42 \u2022 https://cellebrite.com/", "Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey", "Alerts: exe_appdata injection_process_search privilege_luid_check process_interest", "FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,", "mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my", "skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au", "Win32/Agent.BH PUP/PUA Downloader CnC Checkin", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238", "RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK", "Yara Detections: Nullsoft_NSIS", "http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com", "https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966", "Yara: Detections Tofsee", "fastwebnet.it | Cellebrite White Label Spyware Service", "Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut", "Domains Contacted: pitfall.divx.com www.google.com", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116", "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy.", "Xpirat = doomscroller.io", "ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116", "IP\u2019s Contacted : 54.230.129.165", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108", "putrhnwl.exe", "Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername", "ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101", "Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com", "moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in", "Terse HTTP 1.0 Request Possible Nivdort Trojan-Banker.Win32.Agent.ree Checkin Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 4 AlphaCrypt CnC Beacon 3 WS/JS Downloader Mar 07 2017 M1 Koobface HTTP Request (2) Alphacrypt/TeslaCrypt Ransomware CnC Beacon", "https://cellebrite.com/en/federal-government/", "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101", "http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/", "ET DNS DNS Query to a .tk domain - Likey", "ET TROJAN Suspicious double Server Header" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Quickstart" ], "malware_families": [ "Ransomware/win.stop.r4529", "Tsunami-6981155-0", "#lowfi:hstr:virtool:win32/obfuscator!diplugem.f", "Win32/backdoorx", "Backdoor:linux/demonbot", "Trojan:win32/aptdrop.ru", "Upatre", "Sodinoki", "Backdoor:win32/tofsee.t", "#lowfi:lua:mampa:99!ml", "Trojandownloader:win32/cutwail", "Win.trojan.barys-10005825-0", "Etpro", "Trojanspy:win32/nivdort.bg", "Bayrob", "Crypt3.bxvc", "Cutwail", "Zbot", "Mirai", "Trojanspy:win32/nivdort.cb", "Trojandownloader:win32/upatre.aa", "Ploprolo", "Trojan:win32/danabot", "Win32:trojan-gen", "!#hstr:siggen0136cb6c", "Multiple malware attack", "Pegasus", "Trojan:win32/zbot.sibb6!mtb", "Win.trojan.dialog-9873788-0", "Et", "Unix.trojan.tsunami-6981155-0", "Ransom:win32/revil.a", "#lowfi:hstr:installer:multiplug", "Trojandropper:win32/dinwod", "Win.malware", "Trojan:win32/emotet.pc!mtb" ], "industries": [ "Journalists", "Government", "Civil society", "Technology" ], "unique_indicators": 90597 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/awsdns-00.com", "whois": "http://whois.domaintools.com/awsdns-00.com", "domain": "awsdns-00.com", "hostname": "ns-0.awsdns-00.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "69b2b7cb05b2098c1d2bf20f", "name": "federal goverment clone cellbrite credit q vashti", "description": "", "modified": "2026-03-12T12:55:39.046000", "created": "2026-03-12T12:55:39.046000", "tags": [ "url https", "url http", "germany", "united", "ukraine", "japan", "extraction", "data upload", "urls", "url analysis", "enter sc", "extr", "iocs", "active", "france unknown", "present jan", "servers", "homair sweet", "grabber", "encrypt", "ipv4", "role title", "divx", "pitfall", "internet", "ip role", "america asn", "extraction data", "leveibielabs", "all se", "enter source", "url or", "texirag", "drop", "present nov", "united states", "america", "levdibidelabs", "failed", "idron anv", "include manualv", "review data", "iterng", "name servers", "passive dns", "incapsula", "meta name", "robots content", "x ua", "ieedge chrome1", "script head", "request", "cookie", "indicator", "msie", "chrome", "backdoor", "gmt content", "ipv4 add", "twitter", "title", "process32nextw", "ms windows", "intel", "pe32", "regopenkeyexa", "read c", "medium", "class", "write", "template", "present oct", "present jul", "aaaa", "present sep", "present aug", "url add", "http", "hostname", "related tags", "kx81xdbx0f", "x86xd3", "xa7xe28x06", "x82xd4", "delete c", "regsetvalueexa", "regbinary", "xa1xf1", "xe8xc2x14", "malware", "stream", "unknown", "win32", "persistence", "execution", "push", "present dec", "italy", "present jun", "embeddedwb", "whitelisted", "windows nt", "dns traffic", "russia", "cname", "accept", "destination", "port", "et smtp", "message", "et trojan", "components", "suspicious", "download", "hostile", "next", "logic", "gather victim", "et info", "etpro trojan", "trojan", "report spam", "interesting", "created", "pegasus", "manipulation", "service", "capture", "et", "etpro", "host", "attack", "mtb description", "windows", "shellexecuteexw", "writeconsolew", "registry", "t1031", "modify existing", "dock", "type indicator", "added active", "related pulses", "arcflex", "filehashsha1", "types of", "learn more", "filehashsha256", "cellebrite", "white label", "search", "sha1", "france", "cmanual jan", "expiration date", "domain add", "pulse submit", "files", "ip address", "gmt cache", "sameorigin", "reverse dns", "unknown ns", "admin org", "zipcode", "gmt server", "pulse pulses", "entries", "hostname add", "verdict", "germany unknown", "status", "domain", "xpirat", "netherlands", "netherlands asn", "as35280 acorus", "dns resolutions", "error", "files ip", "copy", "telnet login", "suspicious path", "busybox", "login attempt", "gpl telnet", "high", "tcp syn", "telnet root", "path", "mirai", "emails", "domain name", "jlu11q", "tqbplo", "hours ago", "found", "yahoo", "gmail", "yandex", "https://cellebrite.com/en/federal-government/", "monitoring", "monitored target", "dangerous", "spyware", "80211", "colorado", "x amz", "government", "mirai login attempt", "emotet", "c2", ".ru", ".com", "denver", "indicator role", "title added", "active related", "pulses hostname", "dead connect", "hostile", "adversarial", "abuse", "criminal intent", "block messages", "botnet" ], "references": [ "fastwebnet.it | Cellebrite White Label Spyware Service", "putrhnwl.exe", "Yara Detections: Nullsoft_NSIS", "Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut", "Alerts: exe_appdata injection_process_search privilege_luid_check process_interest", "Alerts: queries_programs antivm_queries_computername antivm_memory_available", "IP\u2019s Contacted : 54.230.129.165", "Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com", "Domains Contacted: pitfall.divx.com www.google.com", "RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Yara: Detections Tofsee", "Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey", "Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername", "https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966", "FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,", "DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe", "ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116", "ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116", "ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101", "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108", "ET TROJAN Suspicious double Server Header", "ET DNS DNS Query to a .tk domain - Likey", "ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101", "Needs to be sorted. Actively being exploited on US", "162.159.134.42 \u2022 https://cellebrite.com/", "https://cellebrite.com/en/federal-government/", "moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in", "skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au", "http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com", "applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33", "mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my", "http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Germany", "Ireland", "Switzerland", "Poland", "Belgium", "Netherlands", "Sweden" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/Aptdrop.RU", "display_name": "Trojan:Win32/Aptdrop.RU", "target": "/malware/Trojan:Win32/Aptdrop.RU" }, { "id": "Ransomware/Win.Stop.R4529", "display_name": "Ransomware/Win.Stop.R4529", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Win32/BackdoorX", "display_name": "Win32/BackdoorX", "target": null }, { "id": "Win.Trojan.Dialog-9873788-0", "display_name": "Win.Trojan.Dialog-9873788-0", "target": null }, { "id": "Tsunami-6981155-0", "display_name": "Tsunami-6981155-0", "target": null }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1196", "name": "Control Panel Items", "display_name": "T1196 - Control Panel Items" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1581", "name": "Geofencing", "display_name": "T1581 - Geofencing" }, { "id": "T1582", "name": "SMS Control", "display_name": "T1582 - SMS Control" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [ "Journalists", "Government", "Civil Society" ], "TLP": "green", "cloned_from": "696f7d467763ed4d4e74d133", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4994, "domain": 2519, "hostname": 3281, "FileHash-SHA256": 4467, "FileHash-MD5": 1118, "FileHash-SHA1": 1056, "email": 12, "SSLCertFingerprint": 1 }, "indicator_count": 17448, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696f7d467763ed4d4e74d133", "name": "Federal Government-Cellebrite Attack found actively targeting iOS and other devices | Mirai login attempts | TelNet Login", "description": "https://cellebrite.com/en/federal-government/ | Found on a crime victims devices. Targets abused by spyware in an unethical manner by andvesarial \u2018governmental\u2019 possibly \u2018contracted\u2019 entities. Waged against targets such as victims of crime , journalists , researchers , students. Target Users: Serves public safety, enterprise, and government sectors, aiding first responders, investigators, prosecutors, and analysts. How it's Used Law enforcement uses it to unlock devices and retrieve evidence like messages, location history, and app data for criminal investigations. It helps uncover critical information from digital devices, even recovering data that users thought was permanently deleted. Controversy & Privacy Concerns While marketed as a tool for lawful investigations, its powerful data extraction capabilities raise significant privacy concerns and ethical debates.", "modified": "2026-02-19T12:05:47.166000", "created": "2026-01-20T13:04:06.622000", "tags": [ "url https", "url http", "germany", "united", "ukraine", "japan", "extraction", "data upload", "urls", "url analysis", "enter sc", "extr", "iocs", "active", "france unknown", "present jan", "servers", "homair sweet", "grabber", "encrypt", "ipv4", "role title", "divx", "pitfall", "internet", "ip role", "america asn", "extraction data", "leveibielabs", "all se", "enter source", "url or", "texirag", "drop", "present nov", "united states", "america", "levdibidelabs", "failed", "idron anv", "include manualv", "review data", "iterng", "name servers", "passive dns", "incapsula", "meta name", "robots content", "x ua", "ieedge chrome1", "script head", "request", "cookie", "indicator", "msie", "chrome", "backdoor", "gmt content", "ipv4 add", "twitter", "title", "process32nextw", "ms windows", "intel", "pe32", "regopenkeyexa", "read c", "medium", "class", "write", "template", "present oct", "present jul", "aaaa", "present sep", "present aug", "url add", "http", "hostname", "related tags", "kx81xdbx0f", "x86xd3", "xa7xe28x06", "x82xd4", "delete c", "regsetvalueexa", "regbinary", "xa1xf1", "xe8xc2x14", "malware", "stream", "unknown", "win32", "persistence", "execution", "push", "present dec", "italy", "present jun", "embeddedwb", "whitelisted", "windows nt", "dns traffic", "russia", "cname", "accept", "destination", "port", "et smtp", "message", "et trojan", "components", "suspicious", "download", "hostile", "next", "logic", "gather victim", "et info", "etpro trojan", "trojan", "report spam", "interesting", "created", "pegasus", "manipulation", "service", "capture", "et", "etpro", "host", "attack", "mtb description", "windows", "shellexecuteexw", "writeconsolew", "registry", "t1031", "modify existing", "dock", "type indicator", "added active", "related pulses", "arcflex", "filehashsha1", "types of", "learn more", "filehashsha256", "cellebrite", "white label", "search", "sha1", "france", "cmanual jan", "expiration date", "domain add", "pulse submit", "files", "ip address", "gmt cache", "sameorigin", "reverse dns", "unknown ns", "admin org", "zipcode", "gmt server", "pulse pulses", "entries", "hostname add", "verdict", "germany unknown", "status", "domain", "xpirat", "netherlands", "netherlands asn", "as35280 acorus", "dns resolutions", "error", "files ip", "copy", "telnet login", "suspicious path", "busybox", "login attempt", "gpl telnet", "high", "tcp syn", "telnet root", "path", "mirai", "emails", "domain name", "jlu11q", "tqbplo", "hours ago", "found", "yahoo", "gmail", "yandex", "https://cellebrite.com/en/federal-government/", "monitoring", "monitored target", "dangerous", "spyware", "80211", "colorado", "x amz", "government", "mirai login attempt", "emotet", "c2", ".ru", ".com", "denver", "indicator role", "title added", "active related", "pulses hostname", "dead connect", "hostile", "adversarial", "abuse", "criminal intent", "block messages", "botnet" ], "references": [ "fastwebnet.it | Cellebrite White Label Spyware Service", "putrhnwl.exe", "Yara Detections: Nullsoft_NSIS", "Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut", "Alerts: exe_appdata injection_process_search privilege_luid_check process_interest", "Alerts: queries_programs antivm_queries_computername antivm_memory_available", "IP\u2019s Contacted : 54.230.129.165", "Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com", "Domains Contacted: pitfall.divx.com www.google.com", "RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Yara: Detections Tofsee", "Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey", "Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername", "https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966", "FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,", "DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe", "ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116", "ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116", "ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101", "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108", "ET TROJAN Suspicious double Server Header", "ET DNS DNS Query to a .tk domain - Likey", "ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101", "Needs to be sorted. Actively being exploited on US", "162.159.134.42 \u2022 https://cellebrite.com/", "https://cellebrite.com/en/federal-government/", "moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in", "skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au", "http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com", "applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33", "mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my", "http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Germany", "Ireland", "Switzerland", "Poland", "Belgium", "Netherlands", "Sweden" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/Aptdrop.RU", "display_name": "Trojan:Win32/Aptdrop.RU", "target": "/malware/Trojan:Win32/Aptdrop.RU" }, { "id": "Ransomware/Win.Stop.R4529", "display_name": "Ransomware/Win.Stop.R4529", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Win32/BackdoorX", "display_name": "Win32/BackdoorX", "target": null }, { "id": "Win.Trojan.Dialog-9873788-0", "display_name": "Win.Trojan.Dialog-9873788-0", "target": null }, { "id": "Tsunami-6981155-0", "display_name": "Tsunami-6981155-0", "target": null }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1196", "name": "Control Panel Items", "display_name": "T1196 - Control Panel Items" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1581", "name": "Geofencing", "display_name": "T1581 - Geofencing" }, { "id": "T1582", "name": "SMS Control", "display_name": "T1582 - SMS Control" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [ "Journalists", "Government", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4994, "domain": 2519, "hostname": 3281, "FileHash-SHA256": 4467, "FileHash-MD5": 1118, "FileHash-SHA1": 1056, "email": 12, "SSLCertFingerprint": 1 }, "indicator_count": 17448, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6946ef0ba069c6b92160f8f6", "name": "Doomscroller \u2022 BrowserHappy | Part 1", "description": "Comments reserved for Part 2.\nOTX I extraction keeps timing out for me. Possibly location/signal related.", "modified": "2026-01-19T17:03:32.999000", "created": "2025-12-20T18:46:35.660000", "tags": [ "servers", "united states", "united", "script script", "cnc beacon", "x5drh", "ipv4", "urls", "twitter", "trojandropper", "ipv4 add", "reverse dns", "ransom", "mtb may", "backdoor", "trojanspy", "loee7oiy", "trojan", "win32", "susp", "mtb jul", "virtool", "mtb aug", "worm", "avast avg", "lowfi", "multiplug jun", "urls show", "url hostname", "server response", "ip address", "google safe", "results dec", "k dec", "read c", "process32nextw", "tls handshake", "search", "show", "et info", "failure", "unknown", "service", "malware", "tools", "win64", "write", "revil", "sodinokibi", "titan", "mtb trojan", "mtb alf", "win32dinwod may" ], "references": [ "Xpirat = doomscroller.io", "IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers", "Win32/Agent.BH PUP/PUA Downloader CnC Checkin", "Terse HTTP 1.0 Request Possible Nivdort Trojan-Banker.Win32.Agent.ree Checkin Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 4 AlphaCrypt CnC Beacon 3 WS/JS Downloader Mar 07 2017 M1 Koobface HTTP Request (2) Alphacrypt/TeslaCrypt Ransomware CnC Beacon", "Trojan-Banker.Win32.Agent.ree Checkin Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 4 AlphaCrypt CnC Beacon 3 WS/JS Downloader Mar 07 2017 M1 Koobface HTTP Request (2) Alphacrypt/TeslaCrypt Ransomware CnC Beacon" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Upatre.AA", "display_name": "TrojanDownloader:Win32/Upatre.AA", "target": "/malware/TrojanDownloader:Win32/Upatre.AA" }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Sodinoki", "display_name": "Sodinoki", "target": null }, { "id": "Ransom:Win32/Revil.A", "display_name": "Ransom:Win32/Revil.A", "target": "/malware/Ransom:Win32/Revil.A" }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "!#HSTR:SigGen0136cb6c", "display_name": "!#HSTR:SigGen0136cb6c", "target": null }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "Win.Malware", "display_name": "Win.Malware", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.BG", "display_name": "TrojanSpy:Win32/Nivdort.BG", "target": "/malware/TrojanSpy:Win32/Nivdort.BG" }, { "id": "#Lowfi:Lua:Mampa:99!ml", "display_name": "#Lowfi:Lua:Mampa:99!ml", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "#Lowfi:HSTR:Installer:Multiplug", "display_name": "#Lowfi:HSTR:Installer:Multiplug", "target": null }, { "id": "TrojanDropper:Win32/Dinwod", "display_name": "TrojanDropper:Win32/Dinwod", "target": "/malware/TrojanDropper:Win32/Dinwod" }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.CB", "display_name": "TrojanSpy:Win32/Nivdort.CB", "target": "/malware/TrojanSpy:Win32/Nivdort.CB" }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Trojan:Win32/Zbot.SIBB6!MTB", "display_name": "Trojan:Win32/Zbot.SIBB6!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBB6!MTB" }, { "id": "Ploprolo", "display_name": "Ploprolo", "target": null }, { "id": "#Lowfi:HSTR:VirTool:Win32/Obfuscator!Diplugem.F", "display_name": "#Lowfi:HSTR:VirTool:Win32/Obfuscator!Diplugem.F", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 692, "URL": 1666, "FileHash-SHA256": 630, "hostname": 804, "FileHash-MD5": 441, "FileHash-SHA1": 437, "SSLCertFingerprint": 1, "CVE": 1 }, "indicator_count": 4672, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9a1ef2dd26ec62a3c298c", "name": "Listeners - Malicious Over the top espionage | Cyber Warfare?", "description": "Cyber attacks on targeted devices stored safely, separately, don\u2019t communicate with one another. PalantirFoundry.com shares IP addresses with Fastly. South African IP\u2019s and DGA domains bounce from US Denver , Co based IP and Domain addresses. Registrar Abuse: HTTP/2 404 content type: text/html content length: 2263 date: Wed 22 Oct 2025 22:32:18 GMT server: Envoy\n443 Certificate Subject: US\n443 Certificate Subject: Colorado\n443 Certificate Subject: Denver\n443 Certificate Subject: Palantir Technologies Inc.\n443 Certificate Subject: listeners.usw-19.palantirfoundry.com", "modified": "2025-11-22T00:01:42.464000", "created": "2025-10-23T03:33:03.315000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 180, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9a6f4e35193c04401daaf", "name": "Emotet & VirTool Obsfuscator - Registrar abuse tracking civilians", "description": "", "modified": "2025-11-22T00:01:42.464000", "created": "2025-10-23T03:54:28.671000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": "68f9a1ef2dd26ec62a3c298c", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69069167e1e2a222bd7762f2", "name": "Palantir - Spyware", "description": "", "modified": "2025-11-22T00:01:42.464000", "created": "2025-11-01T23:01:59.339000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": "68f9a1ef2dd26ec62a3c298c", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "privacynotacrime", "id": "349346", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6894f30905efa56990bb10f6", "name": "Expanded device-local-****remotewd.com", "description": "device-local-2ffdbd74-9f90-41fa-beb8-454ed65788c5.remotewd.com", "modified": "2025-09-06T06:03:31.462000", "created": "2025-08-07T18:40:09.876000", "tags": [ "hostname", "pulse pulses", "passive dns", "urls", "files", "ip address", "nameservers", "date hash", "avast avg", "entries", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "itre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "mitre att", "pattern match", "show technique", "ck matrix", "null", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "domain", "hostname add", "files ip", "address", "location united", "hash avast", "avg clamav", "msdefender aug", "united", "port", "destination", "as16509", "search", "unknown", "ocloudflare", "medium", "memcommit", "service", "write", "next", "persistence", "execution", "malware", "copy", "encrypt", "win32", "mtb feb", "trojan", "susp", "trojandropper", "msr feb", "trojanspy", "next associated", "urls show", "date checked", "virtool", "win64", "worm", "mtb may", "files show", "heur", "script", "dropper", "ransom", "vitro", "pe32", "intel", "ms windows", "as15169", "read c", "asnone", "show", "packing t1045", "t1045", "delphi", "code", "june" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6741, "domain": 5822, "FileHash-SHA256": 1550, "URL": 16348, "FileHash-MD5": 287, "FileHash-SHA1": 242, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 31000, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6894f4e6c41982f405592b55", "name": "Worm:Win32/Mydoom | Expanded device-local-****remotewd.com", "description": "", "modified": "2025-09-06T06:03:31.462000", "created": "2025-08-07T18:48:06.557000", "tags": [ "hostname", "pulse pulses", "passive dns", "urls", "files", "ip address", "nameservers", "date hash", "avast avg", "entries", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "itre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "mitre att", "pattern match", "show technique", "ck matrix", "null", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "domain", "hostname add", "files ip", "address", "location united", "hash avast", "avg clamav", "msdefender aug", "united", "port", "destination", "as16509", "search", "unknown", "ocloudflare", "medium", "memcommit", "service", "write", "next", "persistence", "execution", "malware", "copy", "encrypt", "win32", "mtb feb", "trojan", "susp", "trojandropper", "msr feb", "trojanspy", "next associated", "urls show", "date checked", "virtool", "win64", "worm", "mtb may", "files show", "heur", "script", "dropper", "ransom", "vitro", "pe32", "intel", "ms windows", "as15169", "read c", "asnone", "show", "packing t1045", "t1045", "delphi", "code", "june" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": "6894f30905efa56990bb10f6", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6741, "domain": 5822, "FileHash-SHA256": 1550, "URL": 16348, "FileHash-MD5": 287, "FileHash-SHA1": 242, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 31000, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6773128b197198508ca38129", "name": "norton extra", "description": "", "modified": "2025-05-28T16:34:24.019000", "created": "2024-12-30T21:37:15.935000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3079, "hostname": 5287, "URL": 17154, "FileHash-SHA256": 763 }, "indicator_count": 26283, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "326 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ns-0.awsdns-00.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ns-0.awsdns-00.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776629269.2259798 }