{ "type": "URL", "indicator": "https://ns2.badgerdns.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ns2.badgerdns.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4281795639, "indicator": "https://ns2.badgerdns.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69c4281f5f232316375b225e", "name": "CoolWebSearch \u2022 Engine \u2022 Browser Hijack | Ransomware | Checkin | Tracking | Installer #pegasus_related", "description": "", "modified": "2026-03-25T18:23:27.601000", "created": "2026-03-25T18:23:27.601000", "tags": [ "lowfi", "ransom", "trojan", "mtb oct", "win32", "kingwe", "files", "files ip", "all ipv4", "america flag", "United States", "win32mydoom", "otx logo", "urls", "reverse dns", "cnc style", "cnc checkin", "style", "install cnc", "initial install", "activity", "win32mydoom sep", "worm", "win32mydoom oct", "win32getnow oct", "unknown ns", "search", "browser", "hijackers", "file format", "malwarerid", "majauskas", "google", "report", "once", "malicious", "malware", "overview ip", "address", "asn as46475", "nameservers", "related tags", "spf record", "tags", "domain", "name", "query time", "cyprus update", "united states", "browser hijacker", "install", "handle", "entity", "key identifier", "x509v3 subject", "host name", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "ttl value", "thumbprint", "enabled", "malvertising", "encoded_htm!", "new_domain", "suspicious_redirect", "proximity", "tracking_infrastructure", "passive dns", "http", "ip address", "related nids", "files location", "checkin worm", "mydoom checkin", "useragent", "checkin cnc", "acti cnc", "beac track", "failed\u0661\u0668", "data upload", "extraction", "winsoft", "checkin", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "defense evasion", "spawns", "over", "mitre att", "show technique", "ck matrix", "ascii text", "body", "title", "encrypt", "refresh", "hybrid", "general", "local", "path", "click", "strings", "dynamicloader", "medium", "high", "et exploit", "write c", "default", "probe ms17010", "write", "copy", "pegasus related" ], "references": [ "coolwebsearch.info | browser hijacker, malware , malicious", "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B", "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style", "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO", "CnC Activity W32/SpeedingUpMyPC.Rootkit Install", "CnC Beacon Win32/InstallCore Initial Install Activity 2", "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.Generickdz-9918324-0", "display_name": "Win.Malware.Generickdz-9918324-0", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "target": null }, { "id": "Win.Trojan.Generic-9909777-0", "display_name": "Win.Trojan.Generic-9909777-0", "target": null }, { "id": "Win.Malware.Installcore-9794583-0", "display_name": "Win.Malware.Installcore-9794583-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Win.Malware.Generic-9963787-0", "display_name": "Win.Malware.Generic-9963787-0", "target": null }, { "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "target": null }, { "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "target": null }, { "id": "Tags", "display_name": "Tags", "target": null }, { "id": "Winsoft", "display_name": "Winsoft", "target": null }, { "id": "Checkin", "display_name": "Checkin", "target": null }, { "id": "CoolWebService", "display_name": "CoolWebService", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [], "TLP": "white", "cloned_from": "69c425ecfef08de19b962774", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1541, "URL": 2403, "domain": 328, "hostname": 593, "FileHash-MD5": 142, "FileHash-SHA1": 176, "FileHash-SHA256": 574, "email": 3, "SSLCertFingerprint": 10 }, "indicator_count": 5770, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c425ecfef08de19b962774", "name": "CoolWebSearc \u2022 Engine -Browser Hijack | Affects DropBox + other services | Checkin | Tracking | Installer #pegasus_related", "description": "", "modified": "2026-03-25T18:14:04.398000", "created": "2026-03-25T18:14:04.398000", "tags": [ "lowfi", "ransom", "trojan", "mtb oct", "win32", "kingwe", "files", "files ip", "all ipv4", "america flag", "United States", "win32mydoom", "otx logo", "urls", "reverse dns", "cnc style", "cnc checkin", "style", "install cnc", "initial install", "activity", "win32mydoom sep", "worm", "win32mydoom oct", "win32getnow oct", "unknown ns", "search", "browser", "hijackers", "file format", "malwarerid", "majauskas", "google", "report", "once", "malicious", "malware", "overview ip", "address", "asn as46475", "nameservers", "related tags", "spf record", "tags", "domain", "name", "query time", "cyprus update", "united states", "browser hijacker", "install", "handle", "entity", "key identifier", "x509v3 subject", "host name", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "ttl value", "thumbprint", "enabled", "malvertising", "encoded_htm!", "new_domain", "suspicious_redirect", "proximity", "tracking_infrastructure", "passive dns", "http", "ip address", "related nids", "files location", "checkin worm", "mydoom checkin", "useragent", "checkin cnc", "acti cnc", "beac track", "failed\u0661\u0668", "data upload", "extraction", "winsoft", "checkin", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "defense evasion", "spawns", "over", "mitre att", "show technique", "ck matrix", "ascii text", "body", "title", "encrypt", "refresh", "hybrid", "general", "local", "path", "click", "strings", "dynamicloader", "medium", "high", "et exploit", "write c", "default", "probe ms17010", "write", "copy", "pegasus related" ], "references": [ "coolwebsearch.info | browser hijacker, malware , malicious", "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B", "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style", "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO", "CnC Activity W32/SpeedingUpMyPC.Rootkit Install", "CnC Beacon Win32/InstallCore Initial Install Activity 2", "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.Generickdz-9918324-0", "display_name": "Win.Malware.Generickdz-9918324-0", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "target": null }, { "id": "Win.Trojan.Generic-9909777-0", "display_name": "Win.Trojan.Generic-9909777-0", "target": null }, { "id": "Win.Malware.Installcore-9794583-0", "display_name": "Win.Malware.Installcore-9794583-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Win.Malware.Generic-9963787-0", "display_name": "Win.Malware.Generic-9963787-0", "target": null }, { "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "target": null }, { "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "target": null }, { "id": "Tags", "display_name": "Tags", "target": null }, { "id": "Winsoft", "display_name": "Winsoft", "target": null }, { "id": "Checkin", "display_name": "Checkin", "target": null }, { "id": "CoolWebService", "display_name": "CoolWebService", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [], "TLP": "white", "cloned_from": "69c41ac489f8cd00a59ef43e", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1541, "URL": 2403, "domain": 328, "hostname": 593, "FileHash-MD5": 142, "FileHash-SHA1": 176, "FileHash-SHA256": 574, "email": 3, "SSLCertFingerprint": 10 }, "indicator_count": 5770, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c41ac489f8cd00a59ef43e", "name": "CoolWebService -Browser Hijack | Affects DropBox and other services | Checkin", "description": "CoolWebService -Browser Hijack | Affects DropBox and other services | Checkin | Tracking \n| Search Engine Installer \n#pegasus_related", "modified": "2026-03-25T17:26:28.750000", "created": "2026-03-25T17:26:28.750000", "tags": [ "lowfi", "ransom", "trojan", "mtb oct", "win32", "kingwe", "files", "files ip", "all ipv4", "america flag", "United States", "win32mydoom", "otx logo", "urls", "reverse dns", "cnc style", "cnc checkin", "style", "install cnc", "initial install", "activity", "win32mydoom sep", "worm", "win32mydoom oct", "win32getnow oct", "unknown ns", "search", "browser", "hijackers", "file format", "malwarerid", "majauskas", "google", "report", "once", "malicious", "malware", "overview ip", "address", "asn as46475", "nameservers", "related tags", "spf record", "tags", "domain", "name", "query time", "cyprus update", "united states", "browser hijacker", "install", "handle", "entity", "key identifier", "x509v3 subject", "host name", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "ttl value", "thumbprint", "enabled", "malvertising", "encoded_htm!", "new_domain", "suspicious_redirect", "proximity", "tracking_infrastructure", "passive dns", "http", "ip address", "related nids", "files location", "checkin worm", "mydoom checkin", "useragent", "checkin cnc", "acti cnc", "beac track", "failed\u0661\u0668", "data upload", "extraction", "winsoft", "checkin", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "defense evasion", "spawns", "over", "mitre att", "show technique", "ck matrix", "ascii text", "body", "title", "encrypt", "refresh", "hybrid", "general", "local", "path", "click", "strings", "dynamicloader", "medium", "high", "et exploit", "write c", "default", "probe ms17010", "write", "copy", "pegasus related" ], "references": [ "coolwebsearch.info | browser hijacker, malware , malicious", "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B", "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style", "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO", "CnC Activity W32/SpeedingUpMyPC.Rootkit Install", "CnC Beacon Win32/InstallCore Initial Install Activity 2", "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.Generickdz-9918324-0", "display_name": "Win.Malware.Generickdz-9918324-0", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "target": null }, { "id": "Win.Trojan.Generic-9909777-0", "display_name": "Win.Trojan.Generic-9909777-0", "target": null }, { "id": "Win.Malware.Installcore-9794583-0", "display_name": "Win.Malware.Installcore-9794583-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Win.Malware.Generic-9963787-0", "display_name": "Win.Malware.Generic-9963787-0", "target": null }, { "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "target": null }, { "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "target": null }, { "id": "Tags", "display_name": "Tags", "target": null }, { "id": "Winsoft", "display_name": "Winsoft", "target": null }, { "id": "Checkin", "display_name": "Checkin", "target": null }, { "id": "CoolWebService", "display_name": "CoolWebService", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1541, "URL": 2403, "domain": 328, "hostname": 593, "FileHash-MD5": 142, "FileHash-SHA1": 176, "FileHash-SHA256": 574, "email": 3, "SSLCertFingerprint": 10 }, "indicator_count": 5770, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "CnC Activity W32/SpeedingUpMyPC.Rootkit Install", "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B", "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL", "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style", "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO", "CnC Beacon Win32/InstallCore Initial Install Activity 2", "coolwebsearch.info | browser hijacker, malware , malicious" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win.malware.installcore-9794583-0", "Win.malware.generic-9963787-0", "Win.dropper.darkkomet-9370806-0", "Win.trojan.generic-9909777-0 #lowfi:hstr:optimuminstaller", "Win.trojan.generic-9909777-0", "Win.malware.mydoom-6804696-0\tworm:win32/mydoom win.malware.mydoom-6804696-0\tworm:win32/mydoom sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#lowfi:hstr:optimuminstal", "Ransom:win32/wannacrypt.h", "Trojan:win32/mydoom", "Coolwebservice", "Alf:heraklezeval:pua:win32/installcore.r", "Win.malware.generickdz-9918324-0", "Checkin", "Tags", "Winsoft" ], "industries": [], "unique_indicators": 5771 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/badgerdns.com", "whois": "http://whois.domaintools.com/badgerdns.com", "domain": "badgerdns.com", "hostname": "ns2.badgerdns.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69c4281f5f232316375b225e", "name": "CoolWebSearch \u2022 Engine \u2022 Browser Hijack | Ransomware | Checkin | Tracking | Installer #pegasus_related", "description": "", "modified": "2026-03-25T18:23:27.601000", "created": "2026-03-25T18:23:27.601000", "tags": [ "lowfi", "ransom", "trojan", "mtb oct", "win32", "kingwe", "files", "files ip", "all ipv4", "america flag", "United States", "win32mydoom", "otx logo", "urls", "reverse dns", "cnc style", "cnc checkin", "style", "install cnc", "initial install", "activity", "win32mydoom sep", "worm", "win32mydoom oct", "win32getnow oct", "unknown ns", "search", "browser", "hijackers", "file format", "malwarerid", "majauskas", "google", "report", "once", "malicious", "malware", "overview ip", "address", "asn as46475", "nameservers", "related tags", "spf record", "tags", "domain", "name", "query time", "cyprus update", "united states", "browser hijacker", "install", "handle", "entity", "key identifier", "x509v3 subject", "host name", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "ttl value", "thumbprint", "enabled", "malvertising", "encoded_htm!", "new_domain", "suspicious_redirect", "proximity", "tracking_infrastructure", "passive dns", "http", "ip address", "related nids", "files location", "checkin worm", "mydoom checkin", "useragent", "checkin cnc", "acti cnc", "beac track", "failed\u0661\u0668", "data upload", "extraction", "winsoft", "checkin", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "defense evasion", "spawns", "over", "mitre att", "show technique", "ck matrix", "ascii text", "body", "title", "encrypt", "refresh", "hybrid", "general", "local", "path", "click", "strings", "dynamicloader", "medium", "high", "et exploit", "write c", "default", "probe ms17010", "write", "copy", "pegasus related" ], "references": [ "coolwebsearch.info | browser hijacker, malware , malicious", "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B", "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style", "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO", "CnC Activity W32/SpeedingUpMyPC.Rootkit Install", "CnC Beacon Win32/InstallCore Initial Install Activity 2", "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.Generickdz-9918324-0", "display_name": "Win.Malware.Generickdz-9918324-0", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "target": null }, { "id": "Win.Trojan.Generic-9909777-0", "display_name": "Win.Trojan.Generic-9909777-0", "target": null }, { "id": "Win.Malware.Installcore-9794583-0", "display_name": "Win.Malware.Installcore-9794583-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Win.Malware.Generic-9963787-0", "display_name": "Win.Malware.Generic-9963787-0", "target": null }, { "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "target": null }, { "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "target": null }, { "id": "Tags", "display_name": "Tags", "target": null }, { "id": "Winsoft", "display_name": "Winsoft", "target": null }, { "id": "Checkin", "display_name": "Checkin", "target": null }, { "id": "CoolWebService", "display_name": "CoolWebService", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [], "TLP": "white", "cloned_from": "69c425ecfef08de19b962774", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1541, "URL": 2403, "domain": 328, "hostname": 593, "FileHash-MD5": 142, "FileHash-SHA1": 176, "FileHash-SHA256": 574, "email": 3, "SSLCertFingerprint": 10 }, "indicator_count": 5770, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c425ecfef08de19b962774", "name": "CoolWebSearc \u2022 Engine -Browser Hijack | Affects DropBox + other services | Checkin | Tracking | Installer #pegasus_related", "description": "", "modified": "2026-03-25T18:14:04.398000", "created": "2026-03-25T18:14:04.398000", "tags": [ "lowfi", "ransom", "trojan", "mtb oct", "win32", "kingwe", "files", "files ip", "all ipv4", "america flag", "United States", "win32mydoom", "otx logo", "urls", "reverse dns", "cnc style", "cnc checkin", "style", "install cnc", "initial install", "activity", "win32mydoom sep", "worm", "win32mydoom oct", "win32getnow oct", "unknown ns", "search", "browser", "hijackers", "file format", "malwarerid", "majauskas", "google", "report", "once", "malicious", "malware", "overview ip", "address", "asn as46475", "nameservers", "related tags", "spf record", "tags", "domain", "name", "query time", "cyprus update", "united states", "browser hijacker", "install", "handle", "entity", "key identifier", "x509v3 subject", "host name", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "ttl value", "thumbprint", "enabled", "malvertising", "encoded_htm!", "new_domain", "suspicious_redirect", "proximity", "tracking_infrastructure", "passive dns", "http", "ip address", "related nids", "files location", "checkin worm", "mydoom checkin", "useragent", "checkin cnc", "acti cnc", "beac track", "failed\u0661\u0668", "data upload", "extraction", "winsoft", "checkin", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "defense evasion", "spawns", "over", "mitre att", "show technique", "ck matrix", "ascii text", "body", "title", "encrypt", "refresh", "hybrid", "general", "local", "path", "click", "strings", "dynamicloader", "medium", "high", "et exploit", "write c", "default", "probe ms17010", "write", "copy", "pegasus related" ], "references": [ "coolwebsearch.info | browser hijacker, malware , malicious", "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B", "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style", "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO", "CnC Activity W32/SpeedingUpMyPC.Rootkit Install", "CnC Beacon Win32/InstallCore Initial Install Activity 2", "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.Generickdz-9918324-0", "display_name": "Win.Malware.Generickdz-9918324-0", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "target": null }, { "id": "Win.Trojan.Generic-9909777-0", "display_name": "Win.Trojan.Generic-9909777-0", "target": null }, { "id": "Win.Malware.Installcore-9794583-0", "display_name": "Win.Malware.Installcore-9794583-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Win.Malware.Generic-9963787-0", "display_name": "Win.Malware.Generic-9963787-0", "target": null }, { "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "target": null }, { "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "target": null }, { "id": "Tags", "display_name": "Tags", "target": null }, { "id": "Winsoft", "display_name": "Winsoft", "target": null }, { "id": "Checkin", "display_name": "Checkin", "target": null }, { "id": "CoolWebService", "display_name": "CoolWebService", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [], "TLP": "white", "cloned_from": "69c41ac489f8cd00a59ef43e", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1541, "URL": 2403, "domain": 328, "hostname": 593, "FileHash-MD5": 142, "FileHash-SHA1": 176, "FileHash-SHA256": 574, "email": 3, "SSLCertFingerprint": 10 }, "indicator_count": 5770, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c41ac489f8cd00a59ef43e", "name": "CoolWebService -Browser Hijack | Affects DropBox and other services | Checkin", "description": "CoolWebService -Browser Hijack | Affects DropBox and other services | Checkin | Tracking \n| Search Engine Installer \n#pegasus_related", "modified": "2026-03-25T17:26:28.750000", "created": "2026-03-25T17:26:28.750000", "tags": [ "lowfi", "ransom", "trojan", "mtb oct", "win32", "kingwe", "files", "files ip", "all ipv4", "america flag", "United States", "win32mydoom", "otx logo", "urls", "reverse dns", "cnc style", "cnc checkin", "style", "install cnc", "initial install", "activity", "win32mydoom sep", "worm", "win32mydoom oct", "win32getnow oct", "unknown ns", "search", "browser", "hijackers", "file format", "malwarerid", "majauskas", "google", "report", "once", "malicious", "malware", "overview ip", "address", "asn as46475", "nameservers", "related tags", "spf record", "tags", "domain", "name", "query time", "cyprus update", "united states", "browser hijacker", "install", "handle", "entity", "key identifier", "x509v3 subject", "host name", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "ttl value", "thumbprint", "enabled", "malvertising", "encoded_htm!", "new_domain", "suspicious_redirect", "proximity", "tracking_infrastructure", "passive dns", "http", "ip address", "related nids", "files location", "checkin worm", "mydoom checkin", "useragent", "checkin cnc", "acti cnc", "beac track", "failed\u0661\u0668", "data upload", "extraction", "winsoft", "checkin", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "defense evasion", "spawns", "over", "mitre att", "show technique", "ck matrix", "ascii text", "body", "title", "encrypt", "refresh", "hybrid", "general", "local", "path", "click", "strings", "dynamicloader", "medium", "high", "et exploit", "write c", "default", "probe ms17010", "write", "copy", "pegasus related" ], "references": [ "coolwebsearch.info | browser hijacker, malware , malicious", "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B", "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style", "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO", "CnC Activity W32/SpeedingUpMyPC.Rootkit Install", "CnC Beacon Win32/InstallCore Initial Install Activity 2", "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.Generickdz-9918324-0", "display_name": "Win.Malware.Generickdz-9918324-0", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "target": null }, { "id": "Win.Trojan.Generic-9909777-0", "display_name": "Win.Trojan.Generic-9909777-0", "target": null }, { "id": "Win.Malware.Installcore-9794583-0", "display_name": "Win.Malware.Installcore-9794583-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Win.Malware.Generic-9963787-0", "display_name": "Win.Malware.Generic-9963787-0", "target": null }, { "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "target": null }, { "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "target": null }, { "id": "Tags", "display_name": "Tags", "target": null }, { "id": "Winsoft", "display_name": "Winsoft", "target": null }, { "id": "Checkin", "display_name": "Checkin", "target": null }, { "id": "CoolWebService", "display_name": "CoolWebService", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1541, "URL": 2403, "domain": 328, "hostname": 593, "FileHash-MD5": 142, "FileHash-SHA1": 176, "FileHash-SHA256": 574, "email": 3, "SSLCertFingerprint": 10 }, "indicator_count": 5770, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ns2.badgerdns.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ns2.badgerdns.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776618308.0523238 }