{
"type": "URL",
"indicator": "https://ns2.bbcbook.net",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://ns2.bbcbook.net",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4222325422,
"indicator": "https://ns2.bbcbook.net",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 3,
"pulses": [
{
"id": "69a2127d12dce12538b57d72",
"name": "FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets ~ Apple Jacked Targets",
"description": "Remote Attack - FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets.\n\nChecked search history on a targeted device and found an FBI link apparently delivered via unknown AI technology.\n|| yara detections\nzur foerderung\nA\n+ Add Tag\n\u8840\nCount: 1\nGRO Probability: 1\nText: Suricata Alerts Event\nCategory Description CID\nIND131.188.40.12g otx.alienvault.com\nlocal:49181 (TCP) Misc\nAttack ET TOR Known Tor\nRelay/Router (Not Exit)\n\"A\" | [[Next pulse will list on malware, rats , bats, Trojans used]",
"modified": "2026-03-29T20:03:36.333000",
"created": "2026-02-27T21:54:05.261000",
"tags": [
"pattern match",
"heuristic match",
"all url",
"files domain",
"pulses otx",
"germany unknown",
"aaaa",
"ip address",
"emails",
"gmt server",
"vary",
"modified",
"accept",
"title",
"present feb",
"present jan",
"united",
"part",
"moved",
"passive dns",
"cname",
"final",
"bill",
"antivm",
"xlsx",
"xlsm",
"urls",
"otx logo",
"all hostname",
"server",
"organization",
"city",
"stateprovince",
"postal code",
"phone",
"registrar abuse",
"privacy admin",
"paris admin",
"april",
"direct",
"february",
"http",
"dfn verein",
"zur foerderung",
"domain",
"page url",
"tags",
"de summary",
"erlangen",
"germany",
"securitytrails",
"de seen",
"general info",
"geo erlangen",
"as as680",
"de note",
"route",
"data upload",
"extraction",
"failed",
"extra data",
"referen",
"include review",
"exclude data",
"summary",
"url age",
"as680",
"se source",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"over",
"ascii text",
"mitre att",
"size",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"node traffic",
"tlsv1",
"search",
"rgba",
"medium",
"read c",
"module load",
"t1129",
"execution",
"next",
"dock",
"write",
"persistence",
"calls",
"apis",
"reads",
"model",
"value",
"getprocaddress",
"show technique",
"ck matrix",
"access type",
"windir",
"regexp",
"open",
"date",
"format",
"virtual disk drive",
"sha256",
"sha1",
"body",
"filehashsha1",
"found",
"unknown",
"stop",
"root",
"form",
"9999",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"hybrid analysis",
"api key",
"vetting process",
"please note",
"please",
"bad traffic",
"et info",
"tls handshake",
"failure",
"flag",
"analysis tip",
"openurl c",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"show",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"malicious yara",
"detections none",
"less ip",
"dynamicloader",
"get na",
"c3bhaw",
"high",
"copy",
"guard",
"push",
"Palantir",
"Foundry",
"Whitehouse",
"X.Com",
"Justice.gov",
"Apple",
"AI",
"node traffic"
],
"references": [
"tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net",
"https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022",
"http://truefoundry.prodigaltech.com/",
"git.spywarewatchdog.org",
"marriott-control-prd.accenture.cn",
"marriott-datacenter-prd.accenture.cn",
"accenture.cn",
"c.j.location.host \u2022 videodata.video \u2022 referrer.search",
"target.id \u2022 tostring.call \u2022 title.search",
"https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737",
"https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019",
"http://truefoundry.prodigaltech.com/",
"Attacker being used by several legal entities attacking a target\u2019s family",
"Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render",
"Luxury Apartments and Townhome communities do use Foundry Palantir",
"Some Colorado communities have been taken over by the State Government",
"Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)",
"Denver Justice System. Palantir allegedly moved potato Headquarters to Miami",
"Foundry Foot Soldiers are still in Colorado targeting innocents",
"Foundry Palantir still has a presence in Colorado",
"I need some help.",
"Accurately tipped about air travel safety. In past. Proven true.",
"Tipped of new looming airline threats",
"Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.",
"Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.",
"FBI files opened up on a targeted phone, Iunseel, only in search history.",
"Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /",
"No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!",
"Hours after files were deemed malicious. We powered on targeted Smart TV",
"You have to go through a series of steps to change themes and wallpapers , including powering off TV",
"Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .",
"A man claiming to have the name Sebastian is communicating with targets love one",
"Uses code, no phone calls. Connected via instagram.",
"I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious",
"By remote view of NEW targeys view, all key calls are routed through him.",
"Targets associated warned. Not very open to advice.",
"I would post his public information. It may be unwise.",
"Connects to all NEW targets key contacts main targets contacts.",
"We have foot soldiers. Be aware",
"https://www.justice.gov/opa/pr/departmen.t",
"https://api.manus.im/api/oauth2_callback/apple",
"https://apple.btprmjo.cc/",
"https://creative.miqdigital.com/.well-known/apple-app-site-association",
"internationalfrontier.com",
"http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf",
"http://www.internationalfrontier.com",
"http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf",
"https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~",
"Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Node Traffic",
"display_name": "Node Traffic",
"target": null
}
],
"attack_ids": [
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1048",
"name": "Exfiltration Over Alternative Protocol",
"display_name": "T1048 - Exfiltration Over Alternative Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1048.003",
"name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
"display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1055.011",
"name": "Extra Window Memory Injection",
"display_name": "T1055.011 - Extra Window Memory Injection"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1055.004",
"name": "Asynchronous Procedure Call",
"display_name": "T1055.004 - Asynchronous Procedure Call"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1055.014",
"name": "VDSO Hijacking",
"display_name": "T1055.014 - VDSO Hijacking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5643,
"domain": 700,
"hostname": 1918,
"FileHash-SHA256": 1161,
"FileHash-MD5": 235,
"email": 4,
"FileHash-SHA1": 200,
"CVE": 1,
"CIDR": 2,
"SSLCertFingerprint": 9
},
"indicator_count": 9873,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69aa019f4509897e354fe029",
"name": "credit Q Vashti Cloned Pulse ",
"description": "",
"modified": "2026-03-29T20:03:36.333000",
"created": "2026-03-05T22:20:15.324000",
"tags": [
"pattern match",
"heuristic match",
"all url",
"files domain",
"pulses otx",
"germany unknown",
"aaaa",
"ip address",
"emails",
"gmt server",
"vary",
"modified",
"accept",
"title",
"present feb",
"present jan",
"united",
"part",
"moved",
"passive dns",
"cname",
"final",
"bill",
"antivm",
"xlsx",
"xlsm",
"urls",
"otx logo",
"all hostname",
"server",
"organization",
"city",
"stateprovince",
"postal code",
"phone",
"registrar abuse",
"privacy admin",
"paris admin",
"april",
"direct",
"february",
"http",
"dfn verein",
"zur foerderung",
"domain",
"page url",
"tags",
"de summary",
"erlangen",
"germany",
"securitytrails",
"de seen",
"general info",
"geo erlangen",
"as as680",
"de note",
"route",
"data upload",
"extraction",
"failed",
"extra data",
"referen",
"include review",
"exclude data",
"summary",
"url age",
"as680",
"se source",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"over",
"ascii text",
"mitre att",
"size",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"node traffic",
"tlsv1",
"search",
"rgba",
"medium",
"read c",
"module load",
"t1129",
"execution",
"next",
"dock",
"write",
"persistence",
"calls",
"apis",
"reads",
"model",
"value",
"getprocaddress",
"show technique",
"ck matrix",
"access type",
"windir",
"regexp",
"open",
"date",
"format",
"virtual disk drive",
"sha256",
"sha1",
"body",
"filehashsha1",
"found",
"unknown",
"stop",
"root",
"form",
"9999",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"hybrid analysis",
"api key",
"vetting process",
"please note",
"please",
"bad traffic",
"et info",
"tls handshake",
"failure",
"flag",
"analysis tip",
"openurl c",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"show",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"malicious yara",
"detections none",
"less ip",
"dynamicloader",
"get na",
"c3bhaw",
"high",
"copy",
"guard",
"push",
"Palantir",
"Foundry",
"Whitehouse",
"X.Com",
"Justice.gov",
"Apple",
"AI",
"node traffic"
],
"references": [
"tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net",
"https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022",
"http://truefoundry.prodigaltech.com/",
"git.spywarewatchdog.org",
"marriott-control-prd.accenture.cn",
"marriott-datacenter-prd.accenture.cn",
"accenture.cn",
"c.j.location.host \u2022 videodata.video \u2022 referrer.search",
"target.id \u2022 tostring.call \u2022 title.search",
"https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737",
"https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019",
"http://truefoundry.prodigaltech.com/",
"Attacker being used by several legal entities attacking a target\u2019s family",
"Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render",
"Luxury Apartments and Townhome communities do use Foundry Palantir",
"Some Colorado communities have been taken over by the State Government",
"Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)",
"Denver Justice System. Palantir allegedly moved potato Headquarters to Miami",
"Foundry Foot Soldiers are still in Colorado targeting innocents",
"Foundry Palantir still has a presence in Colorado",
"I need some help.",
"Accurately tipped about air travel safety. In past. Proven true.",
"Tipped of new looming airline threats",
"Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.",
"Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.",
"FBI files opened up on a targeted phone, Iunseel, only in search history.",
"Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /",
"No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!",
"Hours after files were deemed malicious. We powered on targeted Smart TV",
"You have to go through a series of steps to change themes and wallpapers , including powering off TV",
"Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .",
"A man claiming to have the name Sebastian is communicating with targets love one",
"Uses code, no phone calls. Connected via instagram.",
"I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious",
"By remote view of NEW targeys view, all key calls are routed through him.",
"Targets associated warned. Not very open to advice.",
"I would post his public information. It may be unwise.",
"Connects to all NEW targets key contacts main targets contacts.",
"We have foot soldiers. Be aware",
"https://www.justice.gov/opa/pr/departmen.t",
"https://api.manus.im/api/oauth2_callback/apple",
"https://apple.btprmjo.cc/",
"https://creative.miqdigital.com/.well-known/apple-app-site-association",
"internationalfrontier.com",
"http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf",
"http://www.internationalfrontier.com",
"http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf",
"https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~",
"Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Node Traffic",
"display_name": "Node Traffic",
"target": null
}
],
"attack_ids": [
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1048",
"name": "Exfiltration Over Alternative Protocol",
"display_name": "T1048 - Exfiltration Over Alternative Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1048.003",
"name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
"display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1055.011",
"name": "Extra Window Memory Injection",
"display_name": "T1055.011 - Extra Window Memory Injection"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1055.004",
"name": "Asynchronous Procedure Call",
"display_name": "T1055.004 - Asynchronous Procedure Call"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1055.014",
"name": "VDSO Hijacking",
"display_name": "T1055.014 - VDSO Hijacking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "69a2127d12dce12538b57d72",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5644,
"domain": 701,
"hostname": 1920,
"FileHash-SHA256": 1161,
"FileHash-MD5": 235,
"email": 4,
"FileHash-SHA1": 200,
"CVE": 1,
"CIDR": 2,
"SSLCertFingerprint": 9
},
"indicator_count": 9877,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"Requires further research.",
"marriott-control-prd.accenture.cn",
"Accurately tipped about air travel safety. In past. Proven true.",
"Some Colorado communities have been taken over by the State Government",
"Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .",
"http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf",
"A man claiming to have the name Sebastian is communicating with targets love one",
"https://l.us-1.a.mimecastprotect.com/l",
"Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97",
"http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf",
"https://api.manus.im/api/oauth2_callback/apple",
"Tipped of new looming airline threats",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019",
"Uses code, no phone calls. Connected via instagram.",
"Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /",
"I apologize for the lack of reference.",
"Same legal , and quasi governmental pattern identified",
"Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)",
"It appears there are 5-7 known affected that I was able to find",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"Foundry Palantir still has a presence in Colorado",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9",
"Targets associated warned. Not very open to advice.",
"You have to go through a series of steps to change themes and wallpapers , including powering off TV",
"Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render",
"accenture.cn",
"I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious",
"I need some help.",
"internationalfrontier.com",
"Denver Justice System. Palantir allegedly moved potato Headquarters to Miami",
"Foundry Foot Soldiers are still in Colorado targeting innocents",
"Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.",
"https://creative.miqdigital.com/.well-known/apple-app-site-association",
"I would post his public information. It may be unwise.",
"c.j.location.host \u2022 videodata.video \u2022 referrer.search",
"git.spywarewatchdog.org",
"https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19",
"https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022",
"FBI files opened up on a targeted phone, Iunseel, only in search history.",
"http://truefoundry.prodigaltech.com/",
"Connects to all NEW targets key contacts main targets contacts.",
"https://apple.btprmjo.cc/",
"http://www.internationalfrontier.com",
"tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net",
"Attacker being used by several legal entities attacking a target\u2019s family",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~",
"Hours after files were deemed malicious. We powered on targeted Smart TV",
"target.id \u2022 tostring.call \u2022 title.search",
"By remote view of NEW targeys view, all key calls are routed through him.",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!",
"marriott-datacenter-prd.accenture.cn",
"Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.",
"div>
",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"Luxury Apartments and Townhome communities do use Foundry Palantir",
"https://www.justice.gov/opa/pr/departmen.t",
"https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737",
"We have foot soldiers. Be aware"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Trojan:win32/smkldr.h!mtb",
"#lowfi:lua:dllsuspiciousexport.a",
"Mydoom",
"Icedid",
"Node traffic"
],
"industries": [
"Legal",
"Telecom",
"Technology"
],
"unique_indicators": 22252
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/bbcbook.net",
"whois": "http://whois.domaintools.com/bbcbook.net",
"domain": "bbcbook.net",
"hostname": "ns2.bbcbook.net"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 3,
"pulses": [
{
"id": "69a2127d12dce12538b57d72",
"name": "FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets ~ Apple Jacked Targets",
"description": "Remote Attack - FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets.\n\nChecked search history on a targeted device and found an FBI link apparently delivered via unknown AI technology.\n|| yara detections\nzur foerderung\nA\n+ Add Tag\n\u8840\nCount: 1\nGRO Probability: 1\nText: Suricata Alerts Event\nCategory Description CID\nIND131.188.40.12g otx.alienvault.com\nlocal:49181 (TCP) Misc\nAttack ET TOR Known Tor\nRelay/Router (Not Exit)\n\"A\" | [[Next pulse will list on malware, rats , bats, Trojans used]",
"modified": "2026-03-29T20:03:36.333000",
"created": "2026-02-27T21:54:05.261000",
"tags": [
"pattern match",
"heuristic match",
"all url",
"files domain",
"pulses otx",
"germany unknown",
"aaaa",
"ip address",
"emails",
"gmt server",
"vary",
"modified",
"accept",
"title",
"present feb",
"present jan",
"united",
"part",
"moved",
"passive dns",
"cname",
"final",
"bill",
"antivm",
"xlsx",
"xlsm",
"urls",
"otx logo",
"all hostname",
"server",
"organization",
"city",
"stateprovince",
"postal code",
"phone",
"registrar abuse",
"privacy admin",
"paris admin",
"april",
"direct",
"february",
"http",
"dfn verein",
"zur foerderung",
"domain",
"page url",
"tags",
"de summary",
"erlangen",
"germany",
"securitytrails",
"de seen",
"general info",
"geo erlangen",
"as as680",
"de note",
"route",
"data upload",
"extraction",
"failed",
"extra data",
"referen",
"include review",
"exclude data",
"summary",
"url age",
"as680",
"se source",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"over",
"ascii text",
"mitre att",
"size",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"node traffic",
"tlsv1",
"search",
"rgba",
"medium",
"read c",
"module load",
"t1129",
"execution",
"next",
"dock",
"write",
"persistence",
"calls",
"apis",
"reads",
"model",
"value",
"getprocaddress",
"show technique",
"ck matrix",
"access type",
"windir",
"regexp",
"open",
"date",
"format",
"virtual disk drive",
"sha256",
"sha1",
"body",
"filehashsha1",
"found",
"unknown",
"stop",
"root",
"form",
"9999",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"hybrid analysis",
"api key",
"vetting process",
"please note",
"please",
"bad traffic",
"et info",
"tls handshake",
"failure",
"flag",
"analysis tip",
"openurl c",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"show",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"malicious yara",
"detections none",
"less ip",
"dynamicloader",
"get na",
"c3bhaw",
"high",
"copy",
"guard",
"push",
"Palantir",
"Foundry",
"Whitehouse",
"X.Com",
"Justice.gov",
"Apple",
"AI",
"node traffic"
],
"references": [
"tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net",
"https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022",
"http://truefoundry.prodigaltech.com/",
"git.spywarewatchdog.org",
"marriott-control-prd.accenture.cn",
"marriott-datacenter-prd.accenture.cn",
"accenture.cn",
"c.j.location.host \u2022 videodata.video \u2022 referrer.search",
"target.id \u2022 tostring.call \u2022 title.search",
"https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737",
"https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019",
"http://truefoundry.prodigaltech.com/",
"Attacker being used by several legal entities attacking a target\u2019s family",
"Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render",
"Luxury Apartments and Townhome communities do use Foundry Palantir",
"Some Colorado communities have been taken over by the State Government",
"Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)",
"Denver Justice System. Palantir allegedly moved potato Headquarters to Miami",
"Foundry Foot Soldiers are still in Colorado targeting innocents",
"Foundry Palantir still has a presence in Colorado",
"I need some help.",
"Accurately tipped about air travel safety. In past. Proven true.",
"Tipped of new looming airline threats",
"Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.",
"Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.",
"FBI files opened up on a targeted phone, Iunseel, only in search history.",
"Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /",
"No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!",
"Hours after files were deemed malicious. We powered on targeted Smart TV",
"You have to go through a series of steps to change themes and wallpapers , including powering off TV",
"Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .",
"A man claiming to have the name Sebastian is communicating with targets love one",
"Uses code, no phone calls. Connected via instagram.",
"I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious",
"By remote view of NEW targeys view, all key calls are routed through him.",
"Targets associated warned. Not very open to advice.",
"I would post his public information. It may be unwise.",
"Connects to all NEW targets key contacts main targets contacts.",
"We have foot soldiers. Be aware",
"https://www.justice.gov/opa/pr/departmen.t",
"https://api.manus.im/api/oauth2_callback/apple",
"https://apple.btprmjo.cc/",
"https://creative.miqdigital.com/.well-known/apple-app-site-association",
"internationalfrontier.com",
"http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf",
"http://www.internationalfrontier.com",
"http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf",
"https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~",
"Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Node Traffic",
"display_name": "Node Traffic",
"target": null
}
],
"attack_ids": [
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1048",
"name": "Exfiltration Over Alternative Protocol",
"display_name": "T1048 - Exfiltration Over Alternative Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1048.003",
"name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
"display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1055.011",
"name": "Extra Window Memory Injection",
"display_name": "T1055.011 - Extra Window Memory Injection"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1055.004",
"name": "Asynchronous Procedure Call",
"display_name": "T1055.004 - Asynchronous Procedure Call"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1055.014",
"name": "VDSO Hijacking",
"display_name": "T1055.014 - VDSO Hijacking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5643,
"domain": 700,
"hostname": 1918,
"FileHash-SHA256": 1161,
"FileHash-MD5": 235,
"email": 4,
"FileHash-SHA1": 200,
"CVE": 1,
"CIDR": 2,
"SSLCertFingerprint": 9
},
"indicator_count": 9873,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69aa019f4509897e354fe029",
"name": "credit Q Vashti Cloned Pulse ",
"description": "",
"modified": "2026-03-29T20:03:36.333000",
"created": "2026-03-05T22:20:15.324000",
"tags": [
"pattern match",
"heuristic match",
"all url",
"files domain",
"pulses otx",
"germany unknown",
"aaaa",
"ip address",
"emails",
"gmt server",
"vary",
"modified",
"accept",
"title",
"present feb",
"present jan",
"united",
"part",
"moved",
"passive dns",
"cname",
"final",
"bill",
"antivm",
"xlsx",
"xlsm",
"urls",
"otx logo",
"all hostname",
"server",
"organization",
"city",
"stateprovince",
"postal code",
"phone",
"registrar abuse",
"privacy admin",
"paris admin",
"april",
"direct",
"february",
"http",
"dfn verein",
"zur foerderung",
"domain",
"page url",
"tags",
"de summary",
"erlangen",
"germany",
"securitytrails",
"de seen",
"general info",
"geo erlangen",
"as as680",
"de note",
"route",
"data upload",
"extraction",
"failed",
"extra data",
"referen",
"include review",
"exclude data",
"summary",
"url age",
"as680",
"se source",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"over",
"ascii text",
"mitre att",
"size",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"node traffic",
"tlsv1",
"search",
"rgba",
"medium",
"read c",
"module load",
"t1129",
"execution",
"next",
"dock",
"write",
"persistence",
"calls",
"apis",
"reads",
"model",
"value",
"getprocaddress",
"show technique",
"ck matrix",
"access type",
"windir",
"regexp",
"open",
"date",
"format",
"virtual disk drive",
"sha256",
"sha1",
"body",
"filehashsha1",
"found",
"unknown",
"stop",
"root",
"form",
"9999",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"hybrid analysis",
"api key",
"vetting process",
"please note",
"please",
"bad traffic",
"et info",
"tls handshake",
"failure",
"flag",
"analysis tip",
"openurl c",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"show",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"malicious yara",
"detections none",
"less ip",
"dynamicloader",
"get na",
"c3bhaw",
"high",
"copy",
"guard",
"push",
"Palantir",
"Foundry",
"Whitehouse",
"X.Com",
"Justice.gov",
"Apple",
"AI",
"node traffic"
],
"references": [
"tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net",
"https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022",
"http://truefoundry.prodigaltech.com/",
"git.spywarewatchdog.org",
"marriott-control-prd.accenture.cn",
"marriott-datacenter-prd.accenture.cn",
"accenture.cn",
"c.j.location.host \u2022 videodata.video \u2022 referrer.search",
"target.id \u2022 tostring.call \u2022 title.search",
"https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737",
"https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019",
"http://truefoundry.prodigaltech.com/",
"Attacker being used by several legal entities attacking a target\u2019s family",
"Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render",
"Luxury Apartments and Townhome communities do use Foundry Palantir",
"Some Colorado communities have been taken over by the State Government",
"Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)",
"Denver Justice System. Palantir allegedly moved potato Headquarters to Miami",
"Foundry Foot Soldiers are still in Colorado targeting innocents",
"Foundry Palantir still has a presence in Colorado",
"I need some help.",
"Accurately tipped about air travel safety. In past. Proven true.",
"Tipped of new looming airline threats",
"Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.",
"Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.",
"FBI files opened up on a targeted phone, Iunseel, only in search history.",
"Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /",
"No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!",
"Hours after files were deemed malicious. We powered on targeted Smart TV",
"You have to go through a series of steps to change themes and wallpapers , including powering off TV",
"Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .",
"A man claiming to have the name Sebastian is communicating with targets love one",
"Uses code, no phone calls. Connected via instagram.",
"I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious",
"By remote view of NEW targeys view, all key calls are routed through him.",
"Targets associated warned. Not very open to advice.",
"I would post his public information. It may be unwise.",
"Connects to all NEW targets key contacts main targets contacts.",
"We have foot soldiers. Be aware",
"https://www.justice.gov/opa/pr/departmen.t",
"https://api.manus.im/api/oauth2_callback/apple",
"https://apple.btprmjo.cc/",
"https://creative.miqdigital.com/.well-known/apple-app-site-association",
"internationalfrontier.com",
"http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf",
"http://www.internationalfrontier.com",
"http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf",
"https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~",
"Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Node Traffic",
"display_name": "Node Traffic",
"target": null
}
],
"attack_ids": [
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1048",
"name": "Exfiltration Over Alternative Protocol",
"display_name": "T1048 - Exfiltration Over Alternative Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1048.003",
"name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
"display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1055.011",
"name": "Extra Window Memory Injection",
"display_name": "T1055.011 - Extra Window Memory Injection"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1055.004",
"name": "Asynchronous Procedure Call",
"display_name": "T1055.004 - Asynchronous Procedure Call"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1055.014",
"name": "VDSO Hijacking",
"display_name": "T1055.014 - VDSO Hijacking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "69a2127d12dce12538b57d72",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5644,
"domain": 701,
"hostname": 1920,
"FileHash-SHA256": 1161,
"FileHash-MD5": 235,
"email": 4,
"FileHash-SHA1": 200,
"CVE": 1,
"CIDR": 2,
"SSLCertFingerprint": 9
},
"indicator_count": 9877,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://ns2.bbcbook.net",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://ns2.bbcbook.net",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780235838.2973921
}