{
"type": "URL",
"indicator": "https://ns4.raid.ru/",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://ns4.raid.ru/",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4094534157,
"indicator": "https://ns4.raid.ru/",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 16,
"pulses": [
{
"id": "69bf261cc4e399447d78776c",
"name": "Cyber Bully Attackers | Revenge Attacks | Remote attackers | Malware Packed |",
"description": "Several government entities, attorneys have sought porn revenge including physical violence, attempted crimes, malicious prosecution case , harassment when a female patient of man formerly known as Jeffrey Scott Reimer of Chester Springs, PA, violently, critically injured patient in a sexually charged assault [URL\thttp://foundry2-lbl.dvr.dn2.n-helix.com\t\t\t\nhttps://foundry2-lbl.dvr.dn2.n-helix.com\t\tfoundry2-lbl.dvr.dn2.n-helix.com\t\t\t\t\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\nhttp://datafoundry.com\t\t\t\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\thttps://209-99-40-223.fwd.datafoundry.com\t\t\t\ndatafoundry.com",
"modified": "2026-04-20T00:26:28.752000",
"created": "2026-03-21T23:13:32.760000",
"tags": [
"sc data",
"data upload",
"please sub",
"include data",
"extraction",
"failed",
"sc pulse",
"idron anv",
"extr please",
"include review",
"exclude sugges",
"stop show",
"typ domain",
"united",
"virtool",
"name servers",
"cryp",
"emails",
"win32",
"ip address",
"worm",
"trojan",
"learn",
"suspicious",
"informative",
"ck id",
"name tactics",
"command",
"adversaries",
"spawns",
"ssl certificate",
"initial access",
"link initial",
"prefetch8",
"mitre att",
"ck matrix",
"flag",
"windows nt",
"win64",
"accept",
"encrypt",
"form",
"hybrid",
"bypass",
"general",
"path",
"iframe",
"click",
"strings",
"anchor https",
"anchor",
"liberal",
"sabey",
"liberal friends",
"meta",
"html internet",
"html document",
"unicode text",
"utf8 text",
"info initial",
"access ta0001",
"compromise",
"t1189 network",
"communication",
"get http",
"artifacts v",
"full reports",
"v get",
"help dns",
"resolutions",
"ip traffic",
"extr data",
"enter sc",
"extra data",
"referen",
"broth",
"passive dns",
"urls",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"none google",
"safe browsing",
"inquest labs",
"lucas acha",
"code integrity",
"checks creation",
"otx logo",
"all hostname",
"files",
"domain",
"protect",
"date",
"title",
"exchange",
"se http",
"present jan",
"present feb",
"present dec",
"backdoor",
"certificate",
"all domain",
"alibaba cloud",
"hichina",
"porkbun llc",
"cloudflare",
"namecheap inc",
"namecheap",
"domains",
"dynadot llc",
"ascio",
"denmark",
"url https",
"filehashsha256",
"url http",
"dopple ai",
"snit",
"iocs",
"otx description",
"information",
"report spam",
"delete service",
"poem",
"hunter",
"malicious",
"porn revenge",
"brian sabeys",
"all report",
"spam delete",
"rl http",
"https",
"expiration http",
"spam brian",
"swipper",
"type indicator",
"role title",
"added active",
"related pulses",
"filehashmd5",
"filehashsha1",
"sha256",
"scan",
"learn more",
"indicators show",
"tbmvid",
"sourcelnms",
"zx1724209326040",
"xxx videos",
"xxxvideohd",
"adversary",
"packing",
"palantir.com",
"discovery",
"victim won case",
"doin it",
"palantirian abuse",
"apple",
"sabey data centers",
"insurance",
"quasi government",
"the brother sabey",
"reimer",
"law enforcement",
"vessel state",
"sabey porn",
"hall evans",
"christopher ahmann",
"defamation",
"google"
],
"references": [
"The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/",
"http://watchhers.net/index.php",
"http://212.33.237.86/images/1/report.php",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://webmail.police.govmm.org/owa/",
"https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl",
"https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215",
"Mark Brian Sabey",
"Melvin Sabey",
"Christopher P \u2018Buzz\u2019 Ahmann",
"Ronda Cordova",
"Unknown Persons impersonating Private Investigators (plural)",
"Quasi Government Case",
"Victim silenced. Struck by Car Driven by male police let walk",
"Denver Police let this attempted murder walk. Cited him as a ghost driver",
"Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora",
"Sexual and Physical Assaulter - Jeffrey Scott Reimer",
"Reimer was a PT. Unknown whereabouts , name or job description",
"Denver Police Department Major Crimes closed investigation",
"Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim",
"I bring up the personal nature of the crime because a delete service has been used",
"More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed",
"All IoC\u2019s originate from sources named. There are some unknown attackers",
"This is a serious crime. I\u2019m certain God WILL pay them.",
"https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com",
"http://palantirwww.sweetheartvideo.com/ (weirdness)",
"http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx",
"https://www.datafoundry.com/data-center-contamination-control/",
"https://www.datafoundry.com/data-center-contamination-control/",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"http://foundry2-lbl.dvr.dn2.n-helix.com/",
"https://207-207-25-201.fwd.datafoundry.com/",
"http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd",
"http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://rdweb.datafoundry.com/",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"http://foundry2sdbl.dvr.dn2.n-helix.com/",
"Updated | What\u2019s left after theft",
"207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com",
"207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com",
"https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse",
"https://www.datafoundry.com/category/news/press-releases/",
"207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com",
"209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com",
"www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com",
"http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com",
"http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/",
"https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022",
"https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/",
"https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com",
"Some may may find this content is very disturbing and offensive"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Porn Revenge",
"display_name": "Porn Revenge",
"target": null
},
{
"id": "Tons of Malware",
"display_name": "Tons of Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1132.001",
"name": "Standard Encoding",
"display_name": "T1132.001 - Standard Encoding"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1495",
"name": "Firmware Corruption",
"display_name": "T1495 - Firmware Corruption"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1586.001",
"name": "Social Media Accounts",
"display_name": "T1586.001 - Social Media Accounts"
},
{
"id": "T1593.001",
"name": "Social Media",
"display_name": "T1593.001 - Social Media"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6034,
"domain": 1422,
"IPv4": 397,
"FileHash-MD5": 274,
"FileHash-SHA1": 252,
"FileHash-SHA256": 3378,
"email": 11,
"hostname": 2753,
"CVE": 1,
"SSLCertFingerprint": 9,
"IPv6": 32
},
"indicator_count": 14563,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "8 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69ded8198b25581a09b90824",
"name": "BearShare \u2022 Solarwinds? \u2022 SearchSuite \u2022 Healthcare Administration",
"description": "",
"modified": "2026-04-15T00:13:13.981000",
"created": "2026-04-15T00:13:13.981000",
"tags": [
"Win32/SearchSuite",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 installer",
"install system",
"compiler",
"NSIS",
"code signing",
"serial number",
"db d2",
"de d3",
"f3 e1",
"issuer thawte",
"primary root",
"ca valid",
"valid",
"valid usage",
"client auth",
"algorithm",
"rticon english",
"type type",
"chi2",
"ico rtgroupicon",
"english us",
"capa",
"c2 antianalysis",
"executable",
"sample appears",
"installer",
"installers well",
"results may",
"be misleading",
"or incomplete",
"analyze created",
"techniques",
"info modify",
"files",
"modify registry",
"directory permi",
"techniques none",
"info",
"scripting inte",
"shared modules",
"Bear Share",
"urls",
"ip address",
"asn as8075",
"united",
"flag united",
"name servers",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"dnssec",
"urlmailto",
"urlhttps",
"search",
"urlhttp",
"moved",
"title",
"encrypt",
"certificate",
"segoe ui",
"otx logo",
"url analysis",
"tokyo",
"msie",
"chrome",
"gmt content",
"all ipv4",
"zeppelin",
"trojandropper",
"cookie",
"backdoor",
"hash avast",
"avg clamav",
"msdefender feb",
"k oct",
"k may",
"mtb feb",
"mtb jan",
"k aug",
"windows nt",
"dynamicloader",
"unknown",
"medium",
"default",
"as16509",
"show",
"powershell",
"write",
"xserver",
"bearshar data",
"passive dns",
"pulse submit",
"port",
"destination",
"high",
"displayname",
"windows",
"win64",
"tofsee",
"stream",
"malware",
"push",
"next",
"asnone",
"germany as8560",
"russia as198610",
"strings",
"is__elf",
"systembc_linux_variant",
"khtml",
"gecko",
"acceptencoding",
"get na",
"macintosh",
"intel mac",
"accept",
"france as16276",
"yara detections",
"contacted",
"all filehash",
"sha256",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"tls sni",
"less see",
"all ip",
"Apple",
"xordata",
"United States"
],
"references": [
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"BearShare Install File Version 12.0.0.135802",
"Musiclab, LLC",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"africa.konnect.com",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"euw-serp-dev-testing19.duck.ai",
"account-apple.com",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Tofsee",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"ids-apple.com \u2022 itunes.org",
"xn--cloud-4sa.com",
"http://cab.applemarketingtools.com",
"http://console.applemarketingtools.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Spain",
"France",
"United Kingdom of Great Britain and Northern Ireland",
"Netherlands",
"Japan",
"Switzerland",
"Madagascar",
"Finland",
"Germany",
"Russian Federation"
],
"malware_families": [
{
"id": "Win32/SearchSuite",
"display_name": "Win32/SearchSuite",
"target": null
},
{
"id": "Win32.Application.BearShare.A",
"display_name": "Win32.Application.BearShare.A",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Government",
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": "69dab27a0493e0e80a0f35cd",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 138,
"FileHash-SHA1": 119,
"FileHash-SHA256": 3553,
"IPv4": 633,
"CVE": 2,
"URL": 6134,
"domain": 2439,
"hostname": 2271,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 15300,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "5 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69db05f833d3d6d2231fb201",
"name": "CREDIT: Q.Vashti's research: SearchSuite \u2022 Healthcare Administration CREATED 6 HOURS AGO by Q.Vashti",
"description": "",
"modified": "2026-04-12T02:39:52.993000",
"created": "2026-04-12T02:39:52.993000",
"tags": [
"Win32/SearchSuite",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 installer",
"install system",
"compiler",
"NSIS",
"code signing",
"serial number",
"db d2",
"de d3",
"f3 e1",
"issuer thawte",
"primary root",
"ca valid",
"valid",
"valid usage",
"client auth",
"algorithm",
"rticon english",
"type type",
"chi2",
"ico rtgroupicon",
"english us",
"capa",
"c2 antianalysis",
"executable",
"sample appears",
"installer",
"installers well",
"results may",
"be misleading",
"or incomplete",
"analyze created",
"techniques",
"info modify",
"files",
"modify registry",
"directory permi",
"techniques none",
"info",
"scripting inte",
"shared modules",
"Bear Share",
"urls",
"ip address",
"asn as8075",
"united",
"flag united",
"name servers",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"dnssec",
"urlmailto",
"urlhttps",
"search",
"urlhttp",
"moved",
"title",
"encrypt",
"certificate",
"segoe ui",
"otx logo",
"url analysis",
"tokyo",
"msie",
"chrome",
"gmt content",
"all ipv4",
"zeppelin",
"trojandropper",
"cookie",
"backdoor",
"hash avast",
"avg clamav",
"msdefender feb",
"k oct",
"k may",
"mtb feb",
"mtb jan",
"k aug",
"windows nt",
"dynamicloader",
"unknown",
"medium",
"default",
"as16509",
"show",
"powershell",
"write",
"xserver",
"bearshar data",
"passive dns",
"pulse submit",
"port",
"destination",
"high",
"displayname",
"windows",
"win64",
"tofsee",
"stream",
"malware",
"push",
"next",
"asnone",
"germany as8560",
"russia as198610",
"strings",
"is__elf",
"systembc_linux_variant",
"khtml",
"gecko",
"acceptencoding",
"get na",
"macintosh",
"intel mac",
"accept",
"france as16276",
"yara detections",
"contacted",
"all filehash",
"sha256",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"tls sni",
"less see",
"all ip",
"Apple",
"xordata",
"United States"
],
"references": [
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"BearShare Install File Version 12.0.0.135802",
"Musiclab, LLC",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"africa.konnect.com",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"euw-serp-dev-testing19.duck.ai",
"account-apple.com",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Tofsee",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"ids-apple.com \u2022 itunes.org",
"xn--cloud-4sa.com",
"http://cab.applemarketingtools.com",
"http://console.applemarketingtools.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Spain",
"France",
"United Kingdom of Great Britain and Northern Ireland",
"Netherlands",
"Japan",
"Switzerland",
"Madagascar",
"Finland",
"Germany",
"Russian Federation"
],
"malware_families": [
{
"id": "Win32/SearchSuite",
"display_name": "Win32/SearchSuite",
"target": null
},
{
"id": "Win32.Application.BearShare.A",
"display_name": "Win32.Application.BearShare.A",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Government",
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": "69dab27a0493e0e80a0f35cd",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 138,
"FileHash-SHA1": 119,
"FileHash-SHA256": 3553,
"IPv4": 633,
"CVE": 2,
"URL": 6134,
"domain": 2439,
"hostname": 2271,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 15300,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "8 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69dab27a0493e0e80a0f35cd",
"name": "SearchSuite \u2022 Healthcare Administration",
"description": "Embedded in communication between a healthcare system and a client. \n\nThis is just one of countless internal issues causing a gap in communication, malicious adware, spyware, system sweeps, injection, system modification, downloads , call failures.",
"modified": "2026-04-11T20:43:38.695000",
"created": "2026-04-11T20:43:38.695000",
"tags": [
"Win32/SearchSuite",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 installer",
"install system",
"compiler",
"NSIS",
"code signing",
"serial number",
"db d2",
"de d3",
"f3 e1",
"issuer thawte",
"primary root",
"ca valid",
"valid",
"valid usage",
"client auth",
"algorithm",
"rticon english",
"type type",
"chi2",
"ico rtgroupicon",
"english us",
"capa",
"c2 antianalysis",
"executable",
"sample appears",
"installer",
"installers well",
"results may",
"be misleading",
"or incomplete",
"analyze created",
"techniques",
"info modify",
"files",
"modify registry",
"directory permi",
"techniques none",
"info",
"scripting inte",
"shared modules",
"Bear Share",
"urls",
"ip address",
"asn as8075",
"united",
"flag united",
"name servers",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"dnssec",
"urlmailto",
"urlhttps",
"search",
"urlhttp",
"moved",
"title",
"encrypt",
"certificate",
"segoe ui",
"otx logo",
"url analysis",
"tokyo",
"msie",
"chrome",
"gmt content",
"all ipv4",
"zeppelin",
"trojandropper",
"cookie",
"backdoor",
"hash avast",
"avg clamav",
"msdefender feb",
"k oct",
"k may",
"mtb feb",
"mtb jan",
"k aug",
"windows nt",
"dynamicloader",
"unknown",
"medium",
"default",
"as16509",
"show",
"powershell",
"write",
"xserver",
"bearshar data",
"passive dns",
"pulse submit",
"port",
"destination",
"high",
"displayname",
"windows",
"win64",
"tofsee",
"stream",
"malware",
"push",
"next",
"asnone",
"germany as8560",
"russia as198610",
"strings",
"is__elf",
"systembc_linux_variant",
"khtml",
"gecko",
"acceptencoding",
"get na",
"macintosh",
"intel mac",
"accept",
"france as16276",
"yara detections",
"contacted",
"all filehash",
"sha256",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"tls sni",
"less see",
"all ip",
"Apple",
"xordata",
"United States"
],
"references": [
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"BearShare Install File Version 12.0.0.135802",
"Musiclab, LLC",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"africa.konnect.com",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"euw-serp-dev-testing19.duck.ai",
"account-apple.com",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Tofsee",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"ids-apple.com \u2022 itunes.org",
"xn--cloud-4sa.com",
"http://cab.applemarketingtools.com",
"http://console.applemarketingtools.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Spain",
"France",
"United Kingdom of Great Britain and Northern Ireland",
"Netherlands",
"Japan",
"Switzerland",
"Madagascar",
"Finland",
"Germany",
"Russian Federation"
],
"malware_families": [
{
"id": "Win32/SearchSuite",
"display_name": "Win32/SearchSuite",
"target": null
},
{
"id": "Win32.Application.BearShare.A",
"display_name": "Win32.Application.BearShare.A",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Government",
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 138,
"FileHash-SHA1": 119,
"FileHash-SHA256": 3553,
"IPv4": 633,
"CVE": 2,
"URL": 6134,
"domain": 2439,
"hostname": 2271,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 15300,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "8 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "97 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "693148dc0eb85adc8edfe1a2",
"name": "BeeLineRouter.Net \u2022 Isolated / Apple Baxkdoor",
"description": "",
"modified": "2026-01-03T07:00:45.529000",
"created": "2025-12-04T08:39:56.180000",
"tags": [
"mitre att",
"network traffic",
"ck id",
"show technique",
"ck matrix",
"threat score",
"december",
"default browser",
"guest system",
"united",
"dynadot inc",
"name server",
"contacted hosts",
"process details",
"windir",
"openurl c",
"prefetch2",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"access att",
"t1566 phishing",
"ascii text",
"pattern match",
"show process",
"t1071",
"general",
"local",
"path",
"click",
"beelinerouter",
"access",
"router",
"apple",
"regopenkeyexw",
"regsz",
"process32nextw",
"english",
"post http",
"search",
"observed dns",
"query",
"sinkhole cookie",
"malware",
"possible",
"win32",
"updater",
"write",
"next",
"found",
"ip address",
"domain",
"name servers",
"unknown ns",
"ip whois",
"registrar",
"cloudflare",
"title",
"passive dns",
"urls",
"files",
"location united",
"asn as14618",
"bq dec",
"virtool",
"backdoor",
"checkin",
"ipv4 add",
"trojan",
"dynamicloader",
"msie",
"windows nt",
"slcc2",
"media center",
"unknown",
"show",
"internal",
"encrypt",
"veailmboprd",
"dns query",
"wow64",
"gecko http",
"entries",
"medium",
"ransom",
"khtml",
"gecko",
"delete",
"installer",
"win32cve may",
"america flag",
"overview ip",
"asn as20940",
"expiration",
"url https",
"no expiration",
"url http",
"pulse show",
"type indicator",
"role title",
"related pulses",
"record value",
"domain xn"
],
"references": [
"HTTPS://BeeLineRouter.Net",
"eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com",
"https://appleid.xn--appe-70a.com/",
"https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.sweetheartvideo.com/tsara-brashears",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://vgt.pl/r.n%20-",
"8-25-220-162-static.reverse.queryfoundry.net",
"queryfoundry.net",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://117-114-251-162-static.reverse.queryfoundry.net/",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://68-178-128-104-static.reverse.queryfoundry.net/",
"0-209-98-172-static.reverse.queryfoundry.net",
"154-143-182-107-static.reverse.queryfoundry.net",
"http://51-235-245-104-static.reverse.queryfoundry.net/",
"167-16-68-38-static.reverse.queryfoundry.net",
"http://49-116-251-162-static.reverse.queryfoundry./net/",
"177-231-69-38-static.reverse.queryfoundry.net",
"http://36-243-60-103-static.reverse.queryfoundry.net/",
"http://237-189-251-104-static.reverse.queryfoundry.net/",
"http://227-98-248-162-static.reverse.queryfoundry.net/",
"237-189-251-104-static.reverse.queryfoundry.net",
"http://207-214-98-172-static.reverse.queryfoundry.net/",
"181-135-182-107-static.reverse.queryfoundry.net",
"http://201-191-251-104-static.reverse.queryfoundry.net/",
"67-228-69-38-static.reverse.queryfoundry.net",
"http://0-209-98-172-static.reverse.queryfoundry.net/",
"http://10-241-60-103-static.reverse.queryfoundry.net/",
"http://142-232-245-104-static.reverse.queryfoundry.net/",
"http://154-143-182-107-static.reverse.queryfoundry.net/",
"http://167-16-68-38-static.reverse.queryfoundry.net/",
"http://177-231-69-38-static.reverse.queryfoundry.net/",
"http://181-135-182-107-static.reverse.queryfoundry.net/",
"http://195-214-98-172-static.reverse.queryfoundry.net/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Simda",
"display_name": "Simda",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "GandCrab Ransomware",
"display_name": "GandCrab Ransomware",
"target": null
},
{
"id": "Win.Virus.Expiro",
"display_name": "Win.Virus.Expiro",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
}
],
"attack_ids": [
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1049,
"URL": 5839,
"hostname": 1944,
"FileHash-SHA256": 3634,
"FileHash-MD5": 310,
"FileHash-SHA1": 295,
"CVE": 2,
"email": 15,
"SSLCertFingerprint": 2
},
"indicator_count": 13090,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "107 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69314920e287845f6b36a265",
"name": "BeeLineRouter.Net \u2022 Apple Access",
"description": "",
"modified": "2026-01-03T07:00:45.529000",
"created": "2025-12-04T08:41:04.190000",
"tags": [
"mitre att",
"network traffic",
"ck id",
"show technique",
"ck matrix",
"threat score",
"december",
"default browser",
"guest system",
"united",
"dynadot inc",
"name server",
"contacted hosts",
"process details",
"windir",
"openurl c",
"prefetch2",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"access att",
"t1566 phishing",
"ascii text",
"pattern match",
"show process",
"t1071",
"general",
"local",
"path",
"click",
"beelinerouter",
"access",
"router",
"apple",
"regopenkeyexw",
"regsz",
"process32nextw",
"english",
"post http",
"search",
"observed dns",
"query",
"sinkhole cookie",
"malware",
"possible",
"win32",
"updater",
"write",
"next",
"found",
"ip address",
"domain",
"name servers",
"unknown ns",
"ip whois",
"registrar",
"cloudflare",
"title",
"passive dns",
"urls",
"files",
"location united",
"asn as14618",
"bq dec",
"virtool",
"backdoor",
"checkin",
"ipv4 add",
"trojan",
"dynamicloader",
"msie",
"windows nt",
"slcc2",
"media center",
"unknown",
"show",
"internal",
"encrypt",
"veailmboprd",
"dns query",
"wow64",
"gecko http",
"entries",
"medium",
"ransom",
"khtml",
"gecko",
"delete",
"installer",
"win32cve may",
"america flag",
"overview ip",
"asn as20940",
"expiration",
"url https",
"no expiration",
"url http",
"pulse show",
"type indicator",
"role title",
"related pulses",
"record value",
"domain xn"
],
"references": [
"HTTPS://BeeLineRouter.Net",
"eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com",
"https://appleid.xn--appe-70a.com/",
"https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.sweetheartvideo.com/tsara-brashears",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://vgt.pl/r.n%20-",
"8-25-220-162-static.reverse.queryfoundry.net",
"queryfoundry.net",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://117-114-251-162-static.reverse.queryfoundry.net/",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://68-178-128-104-static.reverse.queryfoundry.net/",
"0-209-98-172-static.reverse.queryfoundry.net",
"154-143-182-107-static.reverse.queryfoundry.net",
"http://51-235-245-104-static.reverse.queryfoundry.net/",
"167-16-68-38-static.reverse.queryfoundry.net",
"http://49-116-251-162-static.reverse.queryfoundry./net/",
"177-231-69-38-static.reverse.queryfoundry.net",
"http://36-243-60-103-static.reverse.queryfoundry.net/",
"http://237-189-251-104-static.reverse.queryfoundry.net/",
"http://227-98-248-162-static.reverse.queryfoundry.net/",
"237-189-251-104-static.reverse.queryfoundry.net",
"http://207-214-98-172-static.reverse.queryfoundry.net/",
"181-135-182-107-static.reverse.queryfoundry.net",
"http://201-191-251-104-static.reverse.queryfoundry.net/",
"67-228-69-38-static.reverse.queryfoundry.net",
"http://0-209-98-172-static.reverse.queryfoundry.net/",
"http://10-241-60-103-static.reverse.queryfoundry.net/",
"http://142-232-245-104-static.reverse.queryfoundry.net/",
"http://154-143-182-107-static.reverse.queryfoundry.net/",
"http://167-16-68-38-static.reverse.queryfoundry.net/",
"http://177-231-69-38-static.reverse.queryfoundry.net/",
"http://181-135-182-107-static.reverse.queryfoundry.net/",
"http://195-214-98-172-static.reverse.queryfoundry.net/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Simda",
"display_name": "Simda",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "GandCrab Ransomware",
"display_name": "GandCrab Ransomware",
"target": null
},
{
"id": "Win.Virus.Expiro",
"display_name": "Win.Virus.Expiro",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
}
],
"attack_ids": [
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 310,
"FileHash-SHA1": 295,
"FileHash-SHA256": 3634,
"URL": 5839,
"CVE": 2,
"domain": 1048,
"email": 15,
"hostname": 1944,
"SSLCertFingerprint": 2
},
"indicator_count": 13089,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "107 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69314926519256e3ef0a9358",
"name": "BeeLineRouter.Net \u2022 Apple Access",
"description": "",
"modified": "2026-01-03T07:00:45.529000",
"created": "2025-12-04T08:41:06.657000",
"tags": [
"mitre att",
"network traffic",
"ck id",
"show technique",
"ck matrix",
"threat score",
"december",
"default browser",
"guest system",
"united",
"dynadot inc",
"name server",
"contacted hosts",
"process details",
"windir",
"openurl c",
"prefetch2",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"access att",
"t1566 phishing",
"ascii text",
"pattern match",
"show process",
"t1071",
"general",
"local",
"path",
"click",
"beelinerouter",
"access",
"router",
"apple",
"regopenkeyexw",
"regsz",
"process32nextw",
"english",
"post http",
"search",
"observed dns",
"query",
"sinkhole cookie",
"malware",
"possible",
"win32",
"updater",
"write",
"next",
"found",
"ip address",
"domain",
"name servers",
"unknown ns",
"ip whois",
"registrar",
"cloudflare",
"title",
"passive dns",
"urls",
"files",
"location united",
"asn as14618",
"bq dec",
"virtool",
"backdoor",
"checkin",
"ipv4 add",
"trojan",
"dynamicloader",
"msie",
"windows nt",
"slcc2",
"media center",
"unknown",
"show",
"internal",
"encrypt",
"veailmboprd",
"dns query",
"wow64",
"gecko http",
"entries",
"medium",
"ransom",
"khtml",
"gecko",
"delete",
"installer",
"win32cve may",
"america flag",
"overview ip",
"asn as20940",
"expiration",
"url https",
"no expiration",
"url http",
"pulse show",
"type indicator",
"role title",
"related pulses",
"record value",
"domain xn"
],
"references": [
"HTTPS://BeeLineRouter.Net",
"eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com",
"https://appleid.xn--appe-70a.com/",
"https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.sweetheartvideo.com/tsara-brashears",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://vgt.pl/r.n%20-",
"8-25-220-162-static.reverse.queryfoundry.net",
"queryfoundry.net",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://117-114-251-162-static.reverse.queryfoundry.net/",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://68-178-128-104-static.reverse.queryfoundry.net/",
"0-209-98-172-static.reverse.queryfoundry.net",
"154-143-182-107-static.reverse.queryfoundry.net",
"http://51-235-245-104-static.reverse.queryfoundry.net/",
"167-16-68-38-static.reverse.queryfoundry.net",
"http://49-116-251-162-static.reverse.queryfoundry./net/",
"177-231-69-38-static.reverse.queryfoundry.net",
"http://36-243-60-103-static.reverse.queryfoundry.net/",
"http://237-189-251-104-static.reverse.queryfoundry.net/",
"http://227-98-248-162-static.reverse.queryfoundry.net/",
"237-189-251-104-static.reverse.queryfoundry.net",
"http://207-214-98-172-static.reverse.queryfoundry.net/",
"181-135-182-107-static.reverse.queryfoundry.net",
"http://201-191-251-104-static.reverse.queryfoundry.net/",
"67-228-69-38-static.reverse.queryfoundry.net",
"http://0-209-98-172-static.reverse.queryfoundry.net/",
"http://10-241-60-103-static.reverse.queryfoundry.net/",
"http://142-232-245-104-static.reverse.queryfoundry.net/",
"http://154-143-182-107-static.reverse.queryfoundry.net/",
"http://167-16-68-38-static.reverse.queryfoundry.net/",
"http://177-231-69-38-static.reverse.queryfoundry.net/",
"http://181-135-182-107-static.reverse.queryfoundry.net/",
"http://195-214-98-172-static.reverse.queryfoundry.net/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Simda",
"display_name": "Simda",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "GandCrab Ransomware",
"display_name": "GandCrab Ransomware",
"target": null
},
{
"id": "Win.Virus.Expiro",
"display_name": "Win.Virus.Expiro",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
}
],
"attack_ids": [
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 310,
"FileHash-SHA1": 295,
"FileHash-SHA256": 3634,
"URL": 5839,
"CVE": 2,
"domain": 1048,
"email": 15,
"hostname": 1944,
"SSLCertFingerprint": 2
},
"indicator_count": 13089,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "107 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "692f23547b713b128b9c8156",
"name": "Indicator Deletion Attack | Chris P. Ahmann Esq still utilizes parking crews to execute cyber attacks",
"description": "Unable to open malware indicators at this time. These attackers use Parking Crews for their exploits, leasing parked domains for the amount of time needed to execute an attack. The attack last predate me ever using Level Blue. I have to review indicators reports more closely but, I do see a the multitude of attacks against target TLB and an intersection of attacks concerning Disable_Duck (Alberta) Chris Ahmann , Colorado government indicated. \n\n[OTX auto populated - Adversaries may use techniques to evade detection in their malware or tools, as well as using techniques such as code signing, encryption, and other techniques for avoiding detection and monitoring of their activities.]",
"modified": "2026-01-01T17:01:48.163000",
"created": "2025-12-02T17:35:15.203000",
"tags": [
"data upload",
"extraction",
"failed",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"development att",
"united",
"flag",
"poland poland",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"mitre att",
"ck matrix",
"pattern match",
"ascii text",
"show process",
"network traffic",
"t1057",
"general",
"local",
"path",
"encrypt",
"hosts ip",
"details",
"ssl certificate",
"sha256",
"sha1",
"size",
"unicode text",
"crlf",
"utf8",
"lf line",
"server",
"command decode",
"markmonitor",
"amazon",
"ltd dba",
"com laude",
"organization",
"click",
"show technique",
"brand",
"microsoft edge",
"windows nt",
"win64",
"khtml",
"gecko",
"submitted",
"prefetch1",
"name server",
"misc attack",
"et tor",
"known tor",
"relayrouter",
"contacted hosts",
"google",
"pornhub",
"ip address",
"t1480 execution",
"file defense",
"passive dns",
"related nids",
"urls",
"files location",
"flag united"
],
"references": [
"deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev",
"Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com , etc Exploited",
"cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl",
"pl.wikipedia.org \u2022 fontawesome.io \u2022 opensource.org \u2022 videojet.com",
"https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net",
"https://www.milehighmedia.com/legal/2257",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://twitter.com/PORNO_SEXYBABES",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6",
"(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs",
"http://watchhers.net/index.php",
"everesttech.net \u2022 aws.amazon.com \u2022 cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1358,
"FileHash-MD5": 100,
"FileHash-SHA1": 102,
"FileHash-SHA256": 1682,
"URL": 2497,
"CVE": 2,
"domain": 400,
"SSLCertFingerprint": 6,
"email": 3
},
"indicator_count": 6150,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "108 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "692cb6dc24da17618e3d9da6",
"name": "Mirai Botnet | HackTool Powershell targets LinkedIn User | 192.168.1.1 \u2022 Remote Inbound Outbound Connection",
"description": "Linux Malware - LinkedIn- True Mirai Botnet (192.168.1.1) (Never Connect) Incredibly powerful attack targeting LinkedIn users. In this instance the target is an ex husband of a target. |\nNDO Group relationships seen. This is a Botnet. \n\nMay be \u2018framing\u2019 attack that was launched in 2014. Attackers sent a clear message to target that she + husband would be arrested and charged with possession of 1000\u2019s of \u2018child pornography\u2019 pictures. \n\nAttack 10/10 malicious. Worked from separate system in separate location. Hackers unlocked a device, zero clicks, removed PSW. Tulach malware seen a profile \u2018Michael Robert\u2019s of Rexxfield\u2019 may be entity (NSA) with a face like Tulach. Uses the most WILD compromises. Government contractors? \n\nSame attackers brought down Prudentials \u2018Assurance\u2019 Medicare system forever.\n ESET hackers only allowing \u2018bad traffic\u2019 .",
"modified": "2025-12-30T19:04:40.430000",
"created": "2025-11-30T21:27:56.239000",
"tags": [
"enter",
"extract",
"enter source",
"urls",
"address",
"remote connect",
"private ip",
"sql",
"inject",
"montserrat",
"script urls",
"germany unknown",
"xml title",
"wiesinger",
"style",
"ip address",
"script domains",
"body doctype",
"encrypt",
"botnet",
"dropper",
"unix",
"resolverror",
"et exploit",
"outbound",
"mirai variant",
"useragent",
"inbound",
"et trojan",
"et webserver",
"scan mirai",
"hello",
"execution",
"mirai",
"malware",
"shell",
"nids",
"ids detections",
"wget command",
"http headers",
"dlink devices",
"home network",
"mvpower dvr",
"shell uce",
"mirai elf",
"linux malware",
"is__elf",
"cnc",
"meta http",
"content",
"gmt server",
"files",
"reverse dns",
"germany",
"ismaning",
"germany asn",
"as5539 spacenet",
"germany https",
"auto generated security (?)",
"redacted for",
"name servers",
"aaaa",
"search",
"for privacy",
"title",
"intel",
"ms windows",
"pe32",
"process32nextw",
"write c",
"mssql port",
"hash",
"beapy",
"bit32bit",
"agent",
"write",
"hacktool",
"win32",
"next",
"suspicious user",
"pybeapy cnc",
"checkin",
"w32beapy cnc",
"beacon",
"module load",
"external ip",
"lookup",
"home assistant",
"intptr",
"uint32",
"type",
"parameter",
"oldprotectflag",
"mandatory",
"throw",
"position",
"lkshkdandl",
"success",
"info",
"powershell",
"null",
"error",
"date hash",
"next yara",
"detections name",
"medium",
"graph tree",
"sample",
"sample hash",
"exec bypass",
"c ipconfig",
"world",
"jaws webserver",
"chmod usage",
"strings",
"extraction",
"data upload",
"extre",
"include data",
"hos hos",
"y se",
"sugges",
"find s",
"typ hos",
"hos data",
"hos hostname",
"hos host",
"extr data",
"tethering",
"tulach",
"114.114.114.114",
"passive dns",
"pulse pulses",
"http",
"related nids",
"files location",
"united",
"flag united",
"files domain",
"next associated",
"ipv4 add",
"delphi",
"read c",
"packing t1045",
"t1045",
"worm",
"code",
"june",
"irc nick command",
"irc",
"meta",
"status",
"record value",
"unknown aaaa",
"expiration",
"url http",
"indicator role",
"pulses url",
"no expiration",
"url https",
"url url",
"o url",
"request review",
"hosting",
"unknown",
"medium security",
"extra data",
"failed",
"linkedin",
"url add",
"ireland flag",
"ireland",
"dublin",
"ireland asn",
"as16509",
"spyware",
"nso",
"nso group",
"pegasus related",
"nso related",
"framing",
"porn",
"python",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"apple",
"192.168.1.1",
"law",
"attorney"
],
"references": [
"192.168.1.1 - WOW! Use your old equipment in a non - residential environment",
"http://xn.com/ \u2022 www.xn--linkedinxn-6u6e.com \u2022 http://www.linkedin-xn.com/ \u2022 www.linkedin-xn.com",
"Powerful Exploit: https://otx.alienvault.com/indicator/file/ba32802bdd1f0b91cf8c667b94426d73ee654ba0",
"Mirai Botnet - *Inbound & Outbound connection",
"IDS Detections: *WGET Command Specifying Output in HTTP Headers",
"IDS Detections: *D-Link Devices Home Network Administration Protocol Command Execution",
"IDS Detections: *JAWS Webserver Unauthenticated Shell Command Execution",
"IDS Detections: *MVPower DVR Shell UCE *Mirai Variant User-Agent (Outbound)",
"Yara : Yara Detections : SUSP_XORed_Mozilla , Linux_MiningSoftware , is__elf",
"Alerts : dead_host nids_exploit_alert nids_malware_alert persistency_initd network_icmp",
"Alerts : tcp_syn_scan nolookup_communication network_cnc_http network_http",
"Alerts : network_http_post nids_alert chmod_syscall writes_to_stdout",
"Other Mitre ATT&CK T1480 T1553.00 T1027.013 T1057 T1069.002 T1071\tT1071.004",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/video/search?search=tsara+brashears",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"pornokind.vgt.pl \u2022 https://pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl/",
"pornlynx.com \u2022 www.pornhub.com \u2022 www.anyxxxtube.com",
"https://frostty12ice.info/ \u2022 https://lawhubh.info",
"Needs researching: http://lib.jerusalem.muni.il.il \u2022 https://lib.jerusalem.muni.il.il"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Unix.Dropper.Botnet-6566040-0",
"display_name": "Unix.Dropper.Botnet-6566040-0",
"target": null
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Montserrat",
"display_name": "Montserrat",
"target": null
},
{
"id": "Beapy",
"display_name": "Beapy",
"target": null
},
{
"id": "HackTool:Win32/PowerSploit!rfn",
"display_name": "HackTool:Win32/PowerSploit!rfn",
"target": "/malware/HackTool:Win32/PowerSploit!rfn"
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "Worm:Win32/Mydoom.PB!MTB",
"display_name": "Worm:Win32/Mydoom.PB!MTB",
"target": "/malware/Worm:Win32/Mydoom.PB!MTB"
}
],
"attack_ids": [
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "TA0036",
"name": "Exfiltration",
"display_name": "TA0036 - Exfiltration"
},
{
"id": "TA0039",
"name": "Remote Service Effects",
"display_name": "TA0039 - Remote Service Effects"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "TA0040",
"name": "Impact",
"display_name": "TA0040 - Impact"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1016.001",
"name": "Internet Connection Discovery",
"display_name": "T1016.001 - Internet Connection Discovery"
},
{
"id": "T1583.004",
"name": "Server",
"display_name": "T1583.004 - Server"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553.001",
"name": "Gatekeeper Bypass",
"display_name": "T1553.001 - Gatekeeper Bypass"
},
{
"id": "T1027.005",
"name": "Indicator Removal from Tools",
"display_name": "T1027.005 - Indicator Removal from Tools"
},
{
"id": "T1027.002",
"name": "Software Packing",
"display_name": "T1027.002 - Software Packing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1585.001",
"name": "Social Media Accounts",
"display_name": "T1585.001 - Social Media Accounts"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1609",
"name": "Container Administration Command",
"display_name": "T1609 - Container Administration Command"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1059.006",
"name": "Python",
"display_name": "T1059.006 - Python"
}
],
"industries": [
"Government",
"Legal",
"Healthcare",
"Insurance",
"Civil Society"
],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4147,
"domain": 871,
"hostname": 2194,
"FileHash-MD5": 279,
"FileHash-SHA1": 257,
"FileHash-SHA256": 2183,
"CVE": 6,
"email": 3,
"SSLCertFingerprint": 1
},
"indicator_count": 9941,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "110 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6928f8d9e4222a6a219d785e",
"name": "ClipBanker Spy & Information stealer | Crazy Frost | MaaS | Chrome & Cloudflare attacks",
"description": "It appears that entity CrazyFrost provides MasS among other things that include major smear campaigns.| Likely quasi government , and Law Firm contractors.. Domestic terrorizing isn\u2019t a stretch.\nClipBanker: A form of banking trojan information stealer and spy that specifically monitors and steals information, likely by modifying the clipboard contents to redirect financial transactions (e.g., changing a copied bank account number to the attacker's).\n\n[OTX populated - HOSTNAME: CloudFlare.com.., a company owned by the US government, has been added to Pulse, an anti-virus database. (Pulses) created by users.]",
"modified": "2025-12-28T00:04:06.179000",
"created": "2025-11-28T01:20:25.401000",
"tags": [
"dynamicloader",
"json",
"ascii text",
"high",
"data",
"x90uxa4xf8",
"cape",
"stream",
"guard",
"write",
"trojan",
"redline",
"malware",
"push",
"local",
"injection_inter_process",
"recon_fingerprint",
"persistence_ads",
"process_creation_suspicious_location",
"infostealer_browser",
"infostealer_cookies",
"stealth_file",
"cape_detected_threat",
"antivm_generic_bios",
"cape_extracted_content",
"united",
"mtb jul",
"a domains",
"aaaa",
"443 ma86400",
"servers",
"win32upatre jul",
"virtool",
"b778b1",
"div div",
"d9e4f4",
"edf2f8",
"present mar",
"fastest privacy",
"first dns",
"win32",
"trojandropper",
"passive dns",
"mtb nov",
"ipv4 add",
"asn as13335",
"dns resolutions",
"domain",
"data upload",
"extraction",
"yara",
"troja yara",
"trojar data",
"virto",
"worn data",
"included iocs",
"manually add",
"resolved ips",
"ta0002",
"evasion ta0005",
"tr shared",
"modules",
"files",
"infor",
"t1027",
"process t1057",
"community score",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"defense evasion",
"spawns",
"flag",
"name server",
"date",
"cloudflare",
"data protected",
"misc activity",
"et info",
"dns requests",
"domain address",
"gmt flag",
"techtarget",
"server",
"et policy",
"prefetch2",
"t1179 hooking",
"access windows",
"installs",
"mitre att",
"ck techniques",
"click",
"windir",
"country",
"contacted hosts",
"ip address",
"process details",
"contacted",
"http traffic",
"suricata alerts",
"event category",
"found"
],
"references": [
"Malware : ClipBanker Entity: Crazy Frost",
"www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Services : GoogleChromeElevationService = Delete",
"Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap",
"Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap",
"Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap",
"Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj",
"Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap",
"Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake",
"Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)",
"CS IDS: Matches rule (http_inspect) invalid status line",
"CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.",
"jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube/"
],
"public": 1,
"adversary": "Crazy Frost",
"targeted_countries": [],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Trojan.Disfa/downloader10",
"display_name": "Trojan.Disfa/downloader10",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Trojan:Win32/Zusy",
"display_name": "Trojan:Win32/Zusy",
"target": "/malware/Trojan:Win32/Zusy"
},
{
"id": "Rozena",
"display_name": "Rozena",
"target": null
}
],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1498",
"name": "Network Denial of Service",
"display_name": "T1498 - Network Denial of Service"
},
{
"id": "T1464",
"name": "Jamming or Denial of Service",
"display_name": "T1464 - Jamming or Denial of Service"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 295,
"FileHash-SHA1": 217,
"FileHash-SHA256": 1887,
"URL": 3263,
"domain": 597,
"hostname": 1085,
"email": 2,
"CVE": 1
},
"indicator_count": 7347,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "113 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68db395368d6c4042517f3f3",
"name": "Target Saver M1 Agent TSA Spy \u2022 Mastadon - Hit Tip! Thanks!",
"description": "Hot Tip! I would love to give a shout out to the person who provided this information, I\u2019m not sure if they want to remain anonymous or not. Thank SO Much!\n\nSpyware and a source for distributing malicious media. Complete foothold\non networks, browsers, phones, search history and everything, massive streaming pornography distributed, members and contributors. \n\nVery important tip. I will analyze and break down into digestible pulse sizes.",
"modified": "2025-12-27T15:01:22.545000",
"created": "2025-09-30T01:58:43.592000",
"tags": [
"http traffic",
"match info",
"http get",
"info performs",
"dns query",
"https http",
"mitre att",
"evasion ta0005",
"creates",
"info",
"oc0006 http",
"wininet c0005",
"resolved ips",
"get http",
"html document",
"unicode text",
"dynamicloader",
"fe ff",
"medium",
"x00bx00",
"uswv",
"k uswv",
"search",
"high",
"delete c",
"yara detections",
"redline",
"guard",
"write",
"united",
"present sep",
"aaaa",
"passive dns",
"urls",
"next associated",
"found",
"x content",
"hacktool",
"trojan",
"error",
"lowfi",
"win32",
"worm",
"ip address",
"mtb apr",
"ransom",
"virtool",
"ain add",
"directui",
"element",
"classinfobase",
"ccbase",
"hwndhost",
"yara rule",
"hpavvalue",
"qaejh",
"name servers",
"cryp",
"emails",
"next related",
"domain related",
"no expiration",
"url http",
"url https",
"indicator role",
"hostname",
"email",
"present jun",
"present aug",
"present jul",
"servers",
"title",
"encrypt",
"altsvc h3",
"date tue",
"acceptranges",
"reportto",
"server",
"gmt expires",
"gmt contenttype",
"script",
"expiresthu",
"maxage63072000",
"pragma",
"google safe",
"unknown ns",
"files",
"location united",
"asn as15169",
"trojandropper",
"susp",
"creation date",
"asn as133618",
"tags",
"related tags",
"indicator facts",
"backdoor",
"ipv4 add",
"click",
"artro",
"target saver",
"trojanspy",
"reverse dns",
"america flag",
"443 ma2592000",
"hostname add",
"verdict",
"present mar",
"present jan",
"present dec",
"present apr",
"ipv4",
"type indicator",
"role title",
"related pulses",
"iocs",
"moved",
"downloads",
"apple",
"microsoft",
"hexagonsystem",
"mastadon",
"status",
"twitter",
"gmt content",
"easyredir cache",
"v4 add",
"redacted for",
"privacy tech",
"privacy admin",
"registrar abuse",
"available from",
"algorithm",
"key identifier",
"x509v3 subject",
"entity",
"code",
"date",
"dnssec",
"showing",
"unknown aaaa",
"sha256",
"sha1",
"ascii text",
"ck id",
"show technique",
"ck matrix",
"meta",
"hybrid",
"general",
"local",
"path",
"strings",
"copy md5",
"copy sha1",
"copy sha256",
"certificate"
],
"references": [
"FileHash-SHA256 025ca2c59c26197f3c1cd746469a5b9fe219a748716abd90daee792f34037d63",
"mastodon.social",
"https://families.google/intl/pt-PT_ALL/familylink/",
"http://service.adultprovide.com/docs/records.htm?site=bigtitsboss",
"slscr.update.microsoft.com \u2022client.wns.windows.com \u2022 c.pki.goog \u2022 login.live.com",
"https://discuss.ai.google.dev/c/gemma/10",
"https://uj140.keap-link003.com/v2/render/acc9c3f6b0340c8e01d0d3d0e1662c9e/eJxtjjsLwjAUhf_LnTP0hdRspYQSWkXEwU1Ce4XUmob0Riil_90o0snxPD7OWYDQKEOyAw6-j7MIGDhstdVoqBwNqfYbprs4T3IGgzaPyo3eAl_-sVv-cbM0yfYRA5otho44FLKBddOXc1HW8ljdTvIqmgDjU5N4heEJODmPDJS1aLrfjxpn4Hc1TLi-ARRkO0Y=/pixel.png",
"https://m.bigwetbutts.com/ tmi",
"Spyware: FileHash-SHA256 035e393630953b89c602e7cfa3409da790e99309c2d916336147cf9c59ee1b89",
"Mirai: simswap.in",
"66.254.114.41 \u2022 brazzersnetwork.com \u2022 brazzers.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 www.pornhub.com",
"https://buildings.hexagongeosystems.com \u2022 https://connect.hexagongeosystems.com",
"https://load.ss.hexagongeosystems.com \u2022 https://rail.hexagongeosystems.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "#Lowfi:HSTR:VirTool:Win32/GenDecnryptAlgo.S02",
"display_name": "#Lowfi:HSTR:VirTool:Win32/GenDecnryptAlgo.S02",
"target": null
},
{
"id": "Win.Ransomware.Bitman-9862733-0",
"display_name": "Win.Ransomware.Bitman-9862733-0",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
},
{
"id": "Target Saver",
"display_name": "Target Saver",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Hacktool",
"display_name": "Hacktool",
"target": null
}
],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [
"Media",
"Legal",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2964,
"hostname": 1164,
"URL": 4334,
"domain": 956,
"FileHash-MD5": 476,
"FileHash-SHA1": 451,
"CVE": 1,
"email": 20,
"SSLCertFingerprint": 2
},
"indicator_count": 10368,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "113 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6920c43c3772bb24f26f70cc",
"name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun",
"description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.",
"modified": "2025-12-21T18:01:07.268000",
"created": "2025-11-21T19:57:48.145000",
"tags": [
"dynamicloader",
"write c",
"write",
"high",
"yara rule",
"myapp",
"delphi",
"worm",
"win32",
"error",
"code",
"malware",
"defender",
"medium",
"binary file",
"heavensgate",
"bochs",
"dynamic",
"td td",
"td tr",
"united",
"a td",
"a domains",
"dynamic dns",
"static dns",
"dd wrt",
"twitter",
"trojan",
"trojandropper",
"null",
"enough",
"simple",
"click",
"easy",
"premium",
"associated urls",
"server response",
"google safe",
"results nov",
"avast avg",
"11.21.2025",
"11.20.2025",
"borland delphi",
"pe32",
"intel",
"ms windows",
"inno setup",
"win32 exe",
"pecompact",
"delphi generic",
"pe32 compiler",
"dark comet",
"dark gate",
"glassworm",
"md5 code",
"data",
"porkbun llc",
"windows match",
"getprocaddress",
"peb idrdata",
"match peb",
"t1547",
"t1059 t1112",
"shared modules",
"t1129",
"boot",
"logon autostart",
"execu",
"t1134 boot",
"encoding",
"capture e1113",
"file attributes",
"analysis ob0001",
"b0001 software",
"virtual machine",
"detection b0009",
"analysis ob0002",
"ob0003 screen",
"windows get",
"check",
"encode",
"check internet",
"wininet set",
"clear file",
"enumerate gui",
"get hostname",
"get keyboard",
"set registry",
"find",
"capture",
"url http",
"consolefoundry",
"console foundry",
"foundry",
"malware catalog tree",
"autorun keys",
"modification",
"alexander karp",
"peter theil",
"christoper ahmann",
"christopher pool",
"mercedes",
"apple",
"palantir",
"adversarial",
"adversaries",
"hostile",
"quasi",
"empty hash",
"denver",
"mal_xred_backdoor",
"backdoor",
"xred",
"brian sabey",
"first-send-petikvx",
"stop",
"glassworm",
"elex",
"darkgate",
"dark-comet",
"search",
"entries",
"show",
"yara detections",
"icmp traffic",
"rtf file",
"top source",
"top destination",
"format",
"host",
"copy",
"next",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"found",
"access att",
"font",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"ascii text",
"pattern match",
"sha256",
"mitre att",
"title",
"meta",
"hybrid",
"local",
"path",
"strings",
"body",
"contact",
"trace",
"form",
"bitcoin",
"core",
"jeffrey reimer",
"exe infection",
"cve",
"porn"
],
"references": [
"FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop",
"Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,",
"Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi",
"Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns",
"Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert",
"Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep",
"Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading",
"Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn",
"Alerts: packer_unknown",
"Malicious IP Contacted: 69.42.215.252",
"Abused Domains Contacted: xred.mooo.com freedns.afraid.org",
"IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org",
"IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com",
"IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com",
"Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access",
"consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry",
"Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below",
"by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"http://freedns.afraid.org/images/apple.gif",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"https://www.mumuplayer.com/redirect/customerservice/_wig",
"https://www.mumuplayer.com/redirect/customerservice/fB)y",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth",
"https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"http://consolefoundry.date/one/gate.php",
"https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453",
"display_name": "Win.Trojan.Emotet-9850453",
"target": null
},
{
"id": "Win.Trojan.BlackNetRAT-7838854-0",
"display_name": "Win.Trojan.BlackNetRAT-7838854-0",
"target": null
},
{
"id": "Win.Dropper.Nanocore-10021490-0",
"display_name": "Win.Dropper.Nanocore-10021490-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Win.Packed.Remcos-10024510-0",
"display_name": "Win.Packed.Remcos-10024510-0",
"target": null
},
{
"id": "Code Overlap",
"display_name": "Code Overlap",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "PSW:Win32/VB.CU",
"display_name": "PSW:Win32/VB.CU",
"target": "/malware/PSW:Win32/VB.CU"
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1541",
"name": "Foreground Persistence",
"display_name": "T1541 - Foreground Persistence"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1470",
"name": "Obtain Device Cloud Backups",
"display_name": "T1470 - Obtain Device Cloud Backups"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 460,
"FileHash-SHA1": 437,
"FileHash-SHA256": 4483,
"SSLCertFingerprint": 2,
"URL": 6487,
"hostname": 1772,
"domain": 652,
"CVE": 3,
"email": 5
},
"indicator_count": 14301,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "119 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68ff6bf46f5d8662048ca7a1",
"name": "symcd.com \u2022 Netify.ai",
"description": "Seen in multiple attacks including CrowdStrike\nincident that was truly a breach found and reported prior to outage. SYCMD..com\nis consistently removed / deleted from pulses.\n\nI have nothing to say. OTX will pulse this let\u2019s see if anything happens..\n#rootkit? #ai #netify #malware #running_webserver #ottowa #elf #agent #malware #known #network_icmp #nolookup_communication\nantivm_generic_disk #dead host\n#dumped_buffer\n#network_cnc_http\n#network_http\n#allocates_rwx\n#av_detect_china_key #m\n[ELF:Agent-VW\\ [Trj]]\nIDS Detections :\n*GoBrut Service Bruter CnC Activity \n*GoBrut Service Bruter CnC Checkin \n*Generic.Go.Bruteforcer CnC Beacon\neval String.fromCharCode String Which May Be #malicious\nYara Detections:\ncompromised_site_redirector_fromcharcode\nfromCharCode | Yara Detections:\nKnownMaliciousObfuscationPattern\n[External IP Address Lookup via api .ip138 .com]\n[Win.Malware.Softcnapp-6932830-0]\nMultiple malware attack.",
"modified": "2025-11-26T12:00:39.551000",
"created": "2025-10-27T12:56:20.090000",
"tags": [
"present may",
"present jun",
"name servers",
"united",
"status",
"present aug",
"present oct",
"present jul",
"present mar",
"present nov",
"date",
"digicert",
"whois",
"forums",
"symantec",
"comcast",
"levelblue",
"open threat",
"pulse",
"urls",
"as13335",
"info",
"server",
"domain status",
"registrar abuse",
"registrar",
"dnssec",
"domain name",
"us registrant",
"email",
"contact email",
"host name",
"handle",
"rdap database",
"iana registrar",
"present sep",
"canada unknown",
"moved",
"ip address",
"search",
"title",
"encrypt",
"ubuntu",
"linux x8664",
"gobrut service",
"bruter cnc",
"entries",
"show",
"activity",
"stca",
"unknown",
"malware",
"copy",
"next",
"team",
"script urls",
"a domains",
"passive dns",
"gmt server",
"content type",
"body",
"meta",
"for privacy",
"creation date",
"name redacted",
"expiration date",
"servers",
"hostname add",
"pulse pulses",
"13371",
"qq v",
"process32nextw",
"regopenkeyexw",
"medium",
"langchinese",
"get na",
"rticon",
"security",
"high",
"win32",
"write",
"dynamicloader",
"checks",
"alerts",
"bios",
"dynamic",
"total",
"read",
"delete",
"name strings",
"south korea"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Bulgaria",
"Germany",
"Netherlands"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3301,
"email": 9,
"hostname": 1202,
"FileHash-SHA256": 1967,
"domain": 1885,
"FileHash-MD5": 153,
"FileHash-SHA1": 151,
"CVE": 1,
"SSLCertFingerprint": 82,
"FilePath": 1
},
"indicator_count": 8752,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6879093e8658df9f35683846",
"name": "Worm:Win32/Benjamin continues to impact network",
"description": "Worm:Win32/Benjamin continues to impact network operations of a little known, limited national cybers space organization. P2P-Worm.\n*IDS Detections: \n\u2022 Win32.Worm.Benjamin.A CnC Checkin Alerts\n\u2022 nids_malware_alert\n\u2022 network_icmp\n\u2022 network_irc\n\u2022 persistence_autorun\n| Multiple network issues from outages, stolen password keychains, credentials dumping, impressive espionage attacks. Likely goes unnoticed to many. Widely regarded/reported as an outage that is really an unpatched, ongoing cyber attack.",
"modified": "2025-08-16T14:00:26.166000",
"created": "2025-07-17T14:31:26.824000",
"tags": [
"include review",
"data upload",
"extraction",
"read c",
"search",
"medium",
"show",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"entries",
"dock",
"write",
"execution",
"capture",
"next",
"copy",
"date",
"aaaa",
"present may",
"present nov",
"passive dns",
"ip address",
"domain",
"status",
"next associated",
"delete",
"iocs",
"failed",
"sc data",
"type",
"extr data",
"included",
"review iocs",
"memcommit",
"user execution",
"module load",
"t1129",
"icmp traffic",
"high",
"collection",
"cmd c",
"t1055",
"enter",
"extract",
"enter sc",
"drop or",
"browse t",
"oprop",
"extraction data",
"enter source",
"url or",
"texorag",
"browse",
"urls",
"dnssec",
"hostname add",
"pulse pulses",
"files",
"files ip",
"domainadmin",
"showing",
"ttl value",
"thumbprint",
"onlv",
"find",
"extri data",
"dran anu",
"extr",
"manually add",
"review exclude",
"sugges",
"find s",
"typ hos",
"se data",
"include data",
"review locs",
"exclude",
"suggested es",
"intel",
"ms windows",
"write c",
"pe32",
"pe32 executable",
"copy c",
"worm",
"win32",
"benjamin",
"june",
"delphi",
"malware",
"nids",
"icmp delphi",
"yara detections",
"malware traffic",
"checkin",
"code",
"name servers",
"servers",
"pulses",
"expiration date",
"united",
"body",
"cookie",
"related tags",
"file type",
"pe packer",
"pm size",
"sha1 sha256",
"imphash pehash",
"virustotal api",
"screenshots",
"comments"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 50,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 536,
"FileHash-SHA1": 465,
"FileHash-SHA256": 1836,
"domain": 766,
"hostname": 960,
"URL": 2879,
"CVE": 1,
"email": 4
},
"indicator_count": 7447,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "246 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"http://237-189-251-104-static.reverse.queryfoundry.net/",
"pornlynx.com \u2022 www.pornhub.com \u2022 www.anyxxxtube.com",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"euw-serp-dev-testing19.duck.ai",
"everesttech.net \u2022 aws.amazon.com \u2022 cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com",
"Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert",
"Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep",
"Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access",
"https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"slscr.update.microsoft.com \u2022client.wns.windows.com \u2022 c.pki.goog \u2022 login.live.com",
"Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop",
"https://es.pornhat.com/models/the-sex-creator/",
"http://195-214-98-172-static.reverse.queryfoundry.net/",
"Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"BearShare Install File Version 12.0.0.135802",
"xn--cloud-4sa.com",
"iamrobert.com Y.A.S.",
"167-16-68-38-static.reverse.queryfoundry.net",
"http://201-191-251-104-static.reverse.queryfoundry.net/",
"Mirai: simswap.in",
"Denver Police Department Major Crimes closed investigation",
"https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354",
"This is a serious crime. I\u2019m certain God WILL pay them.",
"Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"IDS Detections: *MVPower DVR Shell UCE *Mirai Variant User-Agent (Outbound)",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"http://foundry2sdbl.dvr.dn2.n-helix.com/",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"Yara : Yara Detections : SUSP_XORed_Mozilla , Linux_MiningSoftware , is__elf",
"https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com",
"Musiclab, LLC",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io",
"https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/",
"http://xn.com/ \u2022 www.xn--linkedinxn-6u6e.com \u2022 http://www.linkedin-xn.com/ \u2022 www.linkedin-xn.com",
"https://frostty12ice.info/ \u2022 https://lawhubh.info",
"Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]",
"cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl",
"Updated | What\u2019s left after theft",
"http://watchhers.net/index.php",
"https://families.google/intl/pt-PT_ALL/familylink/",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"http://www.anyxxxtube/",
"Yara Detections: Tofsee",
"Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,",
"http://117-114-251-162-static.reverse.queryfoundry.net/",
"More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed",
"Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn",
"https://207-207-25-201.fwd.datafoundry.com/",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"http://vgt.pl/r.n%20-",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://m.bigwetbutts.com/ tmi",
"209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com",
"IDS Detections: *D-Link Devices Home Network Administration Protocol Command Execution",
"Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"http://foundry2-lbl.dvr.dn2.n-helix.com/",
"Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora",
"www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"HTTPS://BeeLineRouter.Net",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth",
"Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"Malware : ClipBanker Entity: Crazy Frost",
"https://www.datafoundry.com/data-center-contamination-control/",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube",
"http://167-16-68-38-static.reverse.queryfoundry.net/",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"IDS Detections: *WGET Command Specifying Output in HTTP Headers",
"If someone is believed to be a threat they have right to due process.",
"http://36-243-60-103-static.reverse.queryfoundry.net/",
"Sexual and Physical Assaulter - Jeffrey Scott Reimer",
"Reimer was a PT. Unknown whereabouts , name or job description",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"https://rdweb.datafoundry.com/",
"Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap",
"https://www.datafoundry.com/category/news/press-releases/",
"queryfoundry.net",
"Services : GoogleChromeElevationService = Delete",
"eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com",
"account-apple.com",
"I bring up the personal nature of the crime because a delete service has been used",
"http://service.adultprovide.com/docs/records.htm?site=bigtitsboss",
"https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069",
"https://www.pornhub.com/video/search?search=tsara+brashears",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"CS IDS: Matches rule (http_inspect) invalid status line",
"Can the DoD no questions asked target a SA victim",
"http://console.applemarketingtools.com/",
"http://212.33.237.86/images/1/report.php",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"http://49-116-251-162-static.reverse.queryfoundry./net/",
"africa.konnect.com",
"http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"237-189-251-104-static.reverse.queryfoundry.net",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022",
"http://142-232-245-104-static.reverse.queryfoundry.net/",
"https://www.mumuplayer.com/redirect/customerservice/_wig",
"181-135-182-107-static.reverse.queryfoundry.net",
"http://68-178-128-104-static.reverse.queryfoundry.net/",
"66.254.114.41 \u2022 brazzersnetwork.com \u2022 brazzers.com",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"https://www.milehighmedia.com/legal/2257",
"Alerts: packer_unknown",
"I am very upset. Whoever is doing this is sick.",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"0-209-98-172-static.reverse.queryfoundry.net",
"177-231-69-38-static.reverse.queryfoundry.net",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost",
"https://twitter.com/PORNO_SEXYBABES",
"http://181-135-182-107-static.reverse.queryfoundry.net/",
"The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/",
"Denver Police let this attempted murder walk. Cited him as a ghost driver",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://51-235-245-104-static.reverse.queryfoundry.net/",
"There is fear in silence or speaking out",
"pl.wikipedia.org \u2022 fontawesome.io \u2022 opensource.org \u2022 videojet.com",
"67-228-69-38-static.reverse.queryfoundry.net",
"Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap",
"Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap",
"Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215",
"Mirai Botnet - *Inbound & Outbound connection",
"https://www.sweetheartvideo.com/tsara-brashears",
"https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"Quasi Government Case",
"deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com",
"mastodon.social",
"Alerts : dead_host nids_exploit_alert nids_malware_alert persistency_initd network_icmp",
"http://154-143-182-107-static.reverse.queryfoundry.net/",
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"154-143-182-107-static.reverse.queryfoundry.net",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"http://177-231-69-38-static.reverse.queryfoundry.net/",
"https://appleid.xn--appe-70a.com/",
"Alerts : tcp_syn_scan nolookup_communication network_cnc_http network_http",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html",
"http://consolefoundry.date/one/gate.php",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://webmail.police.govmm.org/owa/",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"https://www.mumuplayer.com/redirect/customerservice/fB)y",
"https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx",
"Other Mitre ATT&CK T1480 T1553.00 T1027.013 T1057 T1069.002 T1071\tT1071.004",
"Mark Brian Sabey",
"http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com",
"CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"Spyware: FileHash-SHA256 035e393630953b89c602e7cfa3409da790e99309c2d916336147cf9c59ee1b89",
"Melvin Sabey",
"http://cab.applemarketingtools.com",
"http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://uj140.keap-link003.com/v2/render/acc9c3f6b0340c8e01d0d3d0e1662c9e/eJxtjjsLwjAUhf_LnTP0hdRspYQSWkXEwU1Ce4XUmob0Riil_90o0snxPD7OWYDQKEOyAw6-j7MIGDhstdVoqBwNqfYbprs4T3IGgzaPyo3eAl_-sVv-cbM0yfYRA5otho44FLKBddOXc1HW8ljdTvIqmgDjU5N4heEJODmPDJS1aLrfjxpn4Hc1TLi-ARRkO0Y=/pixel.png",
"IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org",
"Needs researching: http://lib.jerusalem.muni.il.il \u2022 https://lib.jerusalem.muni.il.il",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"http://10-241-60-103-static.reverse.queryfoundry.net/",
"https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse",
"Christopher P \u2018Buzz\u2019 Ahmann",
"pornokind.vgt.pl \u2022 https://pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl/",
"(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs",
"Unknown Persons impersonating Private Investigators (plural)",
"Malicious IP Contacted: 69.42.215.252",
"Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim",
"http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6",
"https://buildings.hexagongeosystems.com \u2022 https://connect.hexagongeosystems.com",
"IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com",
"ids-apple.com \u2022 itunes.org",
"https://meumundogay-com.sexogratis.page/locker",
"FileHash-SHA256 025ca2c59c26197f3c1cd746469a5b9fe219a748716abd90daee792f34037d63",
"http://freedns.afraid.org/images/apple.gif",
"Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com , etc Exploited",
"Victim silenced. Struck by Car Driven by male police let walk",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry",
"http://207-214-98-172-static.reverse.queryfoundry.net/",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 www.pornhub.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl",
"All IoC\u2019s originate from sources named. There are some unknown attackers",
"http://palantirwww.sweetheartvideo.com/ (weirdness)",
"Alerts : network_http_post nids_alert chmod_syscall writes_to_stdout",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"https://discuss.ai.google.dev/c/gemma/10",
"8-25-220-162-static.reverse.queryfoundry.net",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"IDS Detections: *JAWS Webserver Unauthenticated Shell Command Execution",
"Target agreed and complied with all lie detector measures.",
"http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"Some may may find this content is very disturbing and offensive",
"Ronda Cordova",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"192.168.1.1 - WOW! Use your old equipment in a non - residential environment",
"Powerful Exploit: https://otx.alienvault.com/indicator/file/ba32802bdd1f0b91cf8c667b94426d73ee654ba0",
"Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022",
"https://load.ss.hexagongeosystems.com \u2022 https://rail.hexagongeosystems.com",
"Abused Domains Contacted: xred.mooo.com freedns.afraid.org",
"http://227-98-248-162-static.reverse.queryfoundry.net/",
"http://0-209-98-172-static.reverse.queryfoundry.net/"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"Crazy Frost"
],
"malware_families": [
"Cve-2023-22518",
"Tulach",
"Trojanspy",
"Win.trojan.blacknetrat-7838854-0",
"Worm:win32/autorun!atmn",
"Hacktool:win32/powersploit!rfn",
"Win.ransomware.bitman-9862733-0",
"Win.packed.remcos-10024510-0",
"Artro",
"Win.packed.bandook-9882274-1",
"Rozena",
"Win.trojan.emotet-9850453",
"Simda",
"Win.virus.expiro",
"Win.trojan.tofsee-7102058-0",
"Mydoom",
"Worm:win32/mydoom.pb!mtb",
"Trojan.disfa/downloader10",
"Unix.dropper.botnet-6566040-0",
"Psw:win32/vb.cu",
"Code overlap",
"Beapy",
"Win32/searchsuite",
"Montserrat",
"Exploit:win32/cve-2017-0147",
"Win.dropper.nanocore-10021490-0",
"Trojan:win32/zusy",
"Trojandownloader:win32/cutwail",
"Alf:heraklezeval:trojan:win32/clipbanker",
"Tons of malware",
"Mirai",
"Nids",
"Hacktool",
"#virtool:win32/obfuscator.adb",
"Malware",
"Gandcrab ransomware",
"Apnic",
"#lowfi:hstr:virtool:win32/gendecnryptalgo.s02",
"Backdoor:win32/tofsee.t",
"Other malware",
"Target saver",
"Porn revenge",
"Win32.application.bearshare.a"
],
"industries": [
"Technology",
"Healthcare",
"Insurance",
"Legal",
"Telecommunications",
"Media",
"Government",
"Civil society"
],
"unique_indicators": 115906
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/raid.ru",
"whois": "http://whois.domaintools.com/raid.ru",
"domain": "raid.ru",
"hostname": "ns4.raid.ru"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 16,
"pulses": [
{
"id": "69bf261cc4e399447d78776c",
"name": "Cyber Bully Attackers | Revenge Attacks | Remote attackers | Malware Packed |",
"description": "Several government entities, attorneys have sought porn revenge including physical violence, attempted crimes, malicious prosecution case , harassment when a female patient of man formerly known as Jeffrey Scott Reimer of Chester Springs, PA, violently, critically injured patient in a sexually charged assault [URL\thttp://foundry2-lbl.dvr.dn2.n-helix.com\t\t\t\nhttps://foundry2-lbl.dvr.dn2.n-helix.com\t\tfoundry2-lbl.dvr.dn2.n-helix.com\t\t\t\t\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\nhttp://datafoundry.com\t\t\t\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\thttps://209-99-40-223.fwd.datafoundry.com\t\t\t\ndatafoundry.com",
"modified": "2026-04-20T00:26:28.752000",
"created": "2026-03-21T23:13:32.760000",
"tags": [
"sc data",
"data upload",
"please sub",
"include data",
"extraction",
"failed",
"sc pulse",
"idron anv",
"extr please",
"include review",
"exclude sugges",
"stop show",
"typ domain",
"united",
"virtool",
"name servers",
"cryp",
"emails",
"win32",
"ip address",
"worm",
"trojan",
"learn",
"suspicious",
"informative",
"ck id",
"name tactics",
"command",
"adversaries",
"spawns",
"ssl certificate",
"initial access",
"link initial",
"prefetch8",
"mitre att",
"ck matrix",
"flag",
"windows nt",
"win64",
"accept",
"encrypt",
"form",
"hybrid",
"bypass",
"general",
"path",
"iframe",
"click",
"strings",
"anchor https",
"anchor",
"liberal",
"sabey",
"liberal friends",
"meta",
"html internet",
"html document",
"unicode text",
"utf8 text",
"info initial",
"access ta0001",
"compromise",
"t1189 network",
"communication",
"get http",
"artifacts v",
"full reports",
"v get",
"help dns",
"resolutions",
"ip traffic",
"extr data",
"enter sc",
"extra data",
"referen",
"broth",
"passive dns",
"urls",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"none google",
"safe browsing",
"inquest labs",
"lucas acha",
"code integrity",
"checks creation",
"otx logo",
"all hostname",
"files",
"domain",
"protect",
"date",
"title",
"exchange",
"se http",
"present jan",
"present feb",
"present dec",
"backdoor",
"certificate",
"all domain",
"alibaba cloud",
"hichina",
"porkbun llc",
"cloudflare",
"namecheap inc",
"namecheap",
"domains",
"dynadot llc",
"ascio",
"denmark",
"url https",
"filehashsha256",
"url http",
"dopple ai",
"snit",
"iocs",
"otx description",
"information",
"report spam",
"delete service",
"poem",
"hunter",
"malicious",
"porn revenge",
"brian sabeys",
"all report",
"spam delete",
"rl http",
"https",
"expiration http",
"spam brian",
"swipper",
"type indicator",
"role title",
"added active",
"related pulses",
"filehashmd5",
"filehashsha1",
"sha256",
"scan",
"learn more",
"indicators show",
"tbmvid",
"sourcelnms",
"zx1724209326040",
"xxx videos",
"xxxvideohd",
"adversary",
"packing",
"palantir.com",
"discovery",
"victim won case",
"doin it",
"palantirian abuse",
"apple",
"sabey data centers",
"insurance",
"quasi government",
"the brother sabey",
"reimer",
"law enforcement",
"vessel state",
"sabey porn",
"hall evans",
"christopher ahmann",
"defamation",
"google"
],
"references": [
"The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/",
"http://watchhers.net/index.php",
"http://212.33.237.86/images/1/report.php",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://webmail.police.govmm.org/owa/",
"https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl",
"https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215",
"Mark Brian Sabey",
"Melvin Sabey",
"Christopher P \u2018Buzz\u2019 Ahmann",
"Ronda Cordova",
"Unknown Persons impersonating Private Investigators (plural)",
"Quasi Government Case",
"Victim silenced. Struck by Car Driven by male police let walk",
"Denver Police let this attempted murder walk. Cited him as a ghost driver",
"Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora",
"Sexual and Physical Assaulter - Jeffrey Scott Reimer",
"Reimer was a PT. Unknown whereabouts , name or job description",
"Denver Police Department Major Crimes closed investigation",
"Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim",
"I bring up the personal nature of the crime because a delete service has been used",
"More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed",
"All IoC\u2019s originate from sources named. There are some unknown attackers",
"This is a serious crime. I\u2019m certain God WILL pay them.",
"https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com",
"http://palantirwww.sweetheartvideo.com/ (weirdness)",
"http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx",
"https://www.datafoundry.com/data-center-contamination-control/",
"https://www.datafoundry.com/data-center-contamination-control/",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"http://foundry2-lbl.dvr.dn2.n-helix.com/",
"https://207-207-25-201.fwd.datafoundry.com/",
"http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd",
"http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://rdweb.datafoundry.com/",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"http://foundry2sdbl.dvr.dn2.n-helix.com/",
"Updated | What\u2019s left after theft",
"207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com",
"207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com",
"https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse",
"https://www.datafoundry.com/category/news/press-releases/",
"207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com",
"209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com",
"www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com",
"http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com",
"http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/",
"https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022",
"https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/",
"https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com",
"Some may may find this content is very disturbing and offensive"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Porn Revenge",
"display_name": "Porn Revenge",
"target": null
},
{
"id": "Tons of Malware",
"display_name": "Tons of Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1132.001",
"name": "Standard Encoding",
"display_name": "T1132.001 - Standard Encoding"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1495",
"name": "Firmware Corruption",
"display_name": "T1495 - Firmware Corruption"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1586.001",
"name": "Social Media Accounts",
"display_name": "T1586.001 - Social Media Accounts"
},
{
"id": "T1593.001",
"name": "Social Media",
"display_name": "T1593.001 - Social Media"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6034,
"domain": 1422,
"IPv4": 397,
"FileHash-MD5": 274,
"FileHash-SHA1": 252,
"FileHash-SHA256": 3378,
"email": 11,
"hostname": 2753,
"CVE": 1,
"SSLCertFingerprint": 9,
"IPv6": 32
},
"indicator_count": 14563,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "8 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69ded8198b25581a09b90824",
"name": "BearShare \u2022 Solarwinds? \u2022 SearchSuite \u2022 Healthcare Administration",
"description": "",
"modified": "2026-04-15T00:13:13.981000",
"created": "2026-04-15T00:13:13.981000",
"tags": [
"Win32/SearchSuite",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 installer",
"install system",
"compiler",
"NSIS",
"code signing",
"serial number",
"db d2",
"de d3",
"f3 e1",
"issuer thawte",
"primary root",
"ca valid",
"valid",
"valid usage",
"client auth",
"algorithm",
"rticon english",
"type type",
"chi2",
"ico rtgroupicon",
"english us",
"capa",
"c2 antianalysis",
"executable",
"sample appears",
"installer",
"installers well",
"results may",
"be misleading",
"or incomplete",
"analyze created",
"techniques",
"info modify",
"files",
"modify registry",
"directory permi",
"techniques none",
"info",
"scripting inte",
"shared modules",
"Bear Share",
"urls",
"ip address",
"asn as8075",
"united",
"flag united",
"name servers",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"dnssec",
"urlmailto",
"urlhttps",
"search",
"urlhttp",
"moved",
"title",
"encrypt",
"certificate",
"segoe ui",
"otx logo",
"url analysis",
"tokyo",
"msie",
"chrome",
"gmt content",
"all ipv4",
"zeppelin",
"trojandropper",
"cookie",
"backdoor",
"hash avast",
"avg clamav",
"msdefender feb",
"k oct",
"k may",
"mtb feb",
"mtb jan",
"k aug",
"windows nt",
"dynamicloader",
"unknown",
"medium",
"default",
"as16509",
"show",
"powershell",
"write",
"xserver",
"bearshar data",
"passive dns",
"pulse submit",
"port",
"destination",
"high",
"displayname",
"windows",
"win64",
"tofsee",
"stream",
"malware",
"push",
"next",
"asnone",
"germany as8560",
"russia as198610",
"strings",
"is__elf",
"systembc_linux_variant",
"khtml",
"gecko",
"acceptencoding",
"get na",
"macintosh",
"intel mac",
"accept",
"france as16276",
"yara detections",
"contacted",
"all filehash",
"sha256",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"tls sni",
"less see",
"all ip",
"Apple",
"xordata",
"United States"
],
"references": [
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"BearShare Install File Version 12.0.0.135802",
"Musiclab, LLC",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"africa.konnect.com",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"euw-serp-dev-testing19.duck.ai",
"account-apple.com",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Tofsee",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"ids-apple.com \u2022 itunes.org",
"xn--cloud-4sa.com",
"http://cab.applemarketingtools.com",
"http://console.applemarketingtools.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Spain",
"France",
"United Kingdom of Great Britain and Northern Ireland",
"Netherlands",
"Japan",
"Switzerland",
"Madagascar",
"Finland",
"Germany",
"Russian Federation"
],
"malware_families": [
{
"id": "Win32/SearchSuite",
"display_name": "Win32/SearchSuite",
"target": null
},
{
"id": "Win32.Application.BearShare.A",
"display_name": "Win32.Application.BearShare.A",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Government",
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": "69dab27a0493e0e80a0f35cd",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 138,
"FileHash-SHA1": 119,
"FileHash-SHA256": 3553,
"IPv4": 633,
"CVE": 2,
"URL": 6134,
"domain": 2439,
"hostname": 2271,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 15300,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "5 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69db05f833d3d6d2231fb201",
"name": "CREDIT: Q.Vashti's research: SearchSuite \u2022 Healthcare Administration CREATED 6 HOURS AGO by Q.Vashti",
"description": "",
"modified": "2026-04-12T02:39:52.993000",
"created": "2026-04-12T02:39:52.993000",
"tags": [
"Win32/SearchSuite",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 installer",
"install system",
"compiler",
"NSIS",
"code signing",
"serial number",
"db d2",
"de d3",
"f3 e1",
"issuer thawte",
"primary root",
"ca valid",
"valid",
"valid usage",
"client auth",
"algorithm",
"rticon english",
"type type",
"chi2",
"ico rtgroupicon",
"english us",
"capa",
"c2 antianalysis",
"executable",
"sample appears",
"installer",
"installers well",
"results may",
"be misleading",
"or incomplete",
"analyze created",
"techniques",
"info modify",
"files",
"modify registry",
"directory permi",
"techniques none",
"info",
"scripting inte",
"shared modules",
"Bear Share",
"urls",
"ip address",
"asn as8075",
"united",
"flag united",
"name servers",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"dnssec",
"urlmailto",
"urlhttps",
"search",
"urlhttp",
"moved",
"title",
"encrypt",
"certificate",
"segoe ui",
"otx logo",
"url analysis",
"tokyo",
"msie",
"chrome",
"gmt content",
"all ipv4",
"zeppelin",
"trojandropper",
"cookie",
"backdoor",
"hash avast",
"avg clamav",
"msdefender feb",
"k oct",
"k may",
"mtb feb",
"mtb jan",
"k aug",
"windows nt",
"dynamicloader",
"unknown",
"medium",
"default",
"as16509",
"show",
"powershell",
"write",
"xserver",
"bearshar data",
"passive dns",
"pulse submit",
"port",
"destination",
"high",
"displayname",
"windows",
"win64",
"tofsee",
"stream",
"malware",
"push",
"next",
"asnone",
"germany as8560",
"russia as198610",
"strings",
"is__elf",
"systembc_linux_variant",
"khtml",
"gecko",
"acceptencoding",
"get na",
"macintosh",
"intel mac",
"accept",
"france as16276",
"yara detections",
"contacted",
"all filehash",
"sha256",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"tls sni",
"less see",
"all ip",
"Apple",
"xordata",
"United States"
],
"references": [
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"BearShare Install File Version 12.0.0.135802",
"Musiclab, LLC",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"africa.konnect.com",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"euw-serp-dev-testing19.duck.ai",
"account-apple.com",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Tofsee",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"ids-apple.com \u2022 itunes.org",
"xn--cloud-4sa.com",
"http://cab.applemarketingtools.com",
"http://console.applemarketingtools.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Spain",
"France",
"United Kingdom of Great Britain and Northern Ireland",
"Netherlands",
"Japan",
"Switzerland",
"Madagascar",
"Finland",
"Germany",
"Russian Federation"
],
"malware_families": [
{
"id": "Win32/SearchSuite",
"display_name": "Win32/SearchSuite",
"target": null
},
{
"id": "Win32.Application.BearShare.A",
"display_name": "Win32.Application.BearShare.A",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Government",
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": "69dab27a0493e0e80a0f35cd",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 138,
"FileHash-SHA1": 119,
"FileHash-SHA256": 3553,
"IPv4": 633,
"CVE": 2,
"URL": 6134,
"domain": 2439,
"hostname": 2271,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 15300,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "8 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69dab27a0493e0e80a0f35cd",
"name": "SearchSuite \u2022 Healthcare Administration",
"description": "Embedded in communication between a healthcare system and a client. \n\nThis is just one of countless internal issues causing a gap in communication, malicious adware, spyware, system sweeps, injection, system modification, downloads , call failures.",
"modified": "2026-04-11T20:43:38.695000",
"created": "2026-04-11T20:43:38.695000",
"tags": [
"Win32/SearchSuite",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 installer",
"install system",
"compiler",
"NSIS",
"code signing",
"serial number",
"db d2",
"de d3",
"f3 e1",
"issuer thawte",
"primary root",
"ca valid",
"valid",
"valid usage",
"client auth",
"algorithm",
"rticon english",
"type type",
"chi2",
"ico rtgroupicon",
"english us",
"capa",
"c2 antianalysis",
"executable",
"sample appears",
"installer",
"installers well",
"results may",
"be misleading",
"or incomplete",
"analyze created",
"techniques",
"info modify",
"files",
"modify registry",
"directory permi",
"techniques none",
"info",
"scripting inte",
"shared modules",
"Bear Share",
"urls",
"ip address",
"asn as8075",
"united",
"flag united",
"name servers",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"dnssec",
"urlmailto",
"urlhttps",
"search",
"urlhttp",
"moved",
"title",
"encrypt",
"certificate",
"segoe ui",
"otx logo",
"url analysis",
"tokyo",
"msie",
"chrome",
"gmt content",
"all ipv4",
"zeppelin",
"trojandropper",
"cookie",
"backdoor",
"hash avast",
"avg clamav",
"msdefender feb",
"k oct",
"k may",
"mtb feb",
"mtb jan",
"k aug",
"windows nt",
"dynamicloader",
"unknown",
"medium",
"default",
"as16509",
"show",
"powershell",
"write",
"xserver",
"bearshar data",
"passive dns",
"pulse submit",
"port",
"destination",
"high",
"displayname",
"windows",
"win64",
"tofsee",
"stream",
"malware",
"push",
"next",
"asnone",
"germany as8560",
"russia as198610",
"strings",
"is__elf",
"systembc_linux_variant",
"khtml",
"gecko",
"acceptencoding",
"get na",
"macintosh",
"intel mac",
"accept",
"france as16276",
"yara detections",
"contacted",
"all filehash",
"sha256",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"tls sni",
"less see",
"all ip",
"Apple",
"xordata",
"United States"
],
"references": [
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"BearShare Install File Version 12.0.0.135802",
"Musiclab, LLC",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"africa.konnect.com",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"euw-serp-dev-testing19.duck.ai",
"account-apple.com",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Tofsee",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"ids-apple.com \u2022 itunes.org",
"xn--cloud-4sa.com",
"http://cab.applemarketingtools.com",
"http://console.applemarketingtools.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Spain",
"France",
"United Kingdom of Great Britain and Northern Ireland",
"Netherlands",
"Japan",
"Switzerland",
"Madagascar",
"Finland",
"Germany",
"Russian Federation"
],
"malware_families": [
{
"id": "Win32/SearchSuite",
"display_name": "Win32/SearchSuite",
"target": null
},
{
"id": "Win32.Application.BearShare.A",
"display_name": "Win32.Application.BearShare.A",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Government",
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 138,
"FileHash-SHA1": 119,
"FileHash-SHA256": 3553,
"IPv4": 633,
"CVE": 2,
"URL": 6134,
"domain": 2439,
"hostname": 2271,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 15300,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "8 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "97 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "693148dc0eb85adc8edfe1a2",
"name": "BeeLineRouter.Net \u2022 Isolated / Apple Baxkdoor",
"description": "",
"modified": "2026-01-03T07:00:45.529000",
"created": "2025-12-04T08:39:56.180000",
"tags": [
"mitre att",
"network traffic",
"ck id",
"show technique",
"ck matrix",
"threat score",
"december",
"default browser",
"guest system",
"united",
"dynadot inc",
"name server",
"contacted hosts",
"process details",
"windir",
"openurl c",
"prefetch2",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"access att",
"t1566 phishing",
"ascii text",
"pattern match",
"show process",
"t1071",
"general",
"local",
"path",
"click",
"beelinerouter",
"access",
"router",
"apple",
"regopenkeyexw",
"regsz",
"process32nextw",
"english",
"post http",
"search",
"observed dns",
"query",
"sinkhole cookie",
"malware",
"possible",
"win32",
"updater",
"write",
"next",
"found",
"ip address",
"domain",
"name servers",
"unknown ns",
"ip whois",
"registrar",
"cloudflare",
"title",
"passive dns",
"urls",
"files",
"location united",
"asn as14618",
"bq dec",
"virtool",
"backdoor",
"checkin",
"ipv4 add",
"trojan",
"dynamicloader",
"msie",
"windows nt",
"slcc2",
"media center",
"unknown",
"show",
"internal",
"encrypt",
"veailmboprd",
"dns query",
"wow64",
"gecko http",
"entries",
"medium",
"ransom",
"khtml",
"gecko",
"delete",
"installer",
"win32cve may",
"america flag",
"overview ip",
"asn as20940",
"expiration",
"url https",
"no expiration",
"url http",
"pulse show",
"type indicator",
"role title",
"related pulses",
"record value",
"domain xn"
],
"references": [
"HTTPS://BeeLineRouter.Net",
"eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com",
"https://appleid.xn--appe-70a.com/",
"https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.sweetheartvideo.com/tsara-brashears",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://vgt.pl/r.n%20-",
"8-25-220-162-static.reverse.queryfoundry.net",
"queryfoundry.net",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://117-114-251-162-static.reverse.queryfoundry.net/",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://68-178-128-104-static.reverse.queryfoundry.net/",
"0-209-98-172-static.reverse.queryfoundry.net",
"154-143-182-107-static.reverse.queryfoundry.net",
"http://51-235-245-104-static.reverse.queryfoundry.net/",
"167-16-68-38-static.reverse.queryfoundry.net",
"http://49-116-251-162-static.reverse.queryfoundry./net/",
"177-231-69-38-static.reverse.queryfoundry.net",
"http://36-243-60-103-static.reverse.queryfoundry.net/",
"http://237-189-251-104-static.reverse.queryfoundry.net/",
"http://227-98-248-162-static.reverse.queryfoundry.net/",
"237-189-251-104-static.reverse.queryfoundry.net",
"http://207-214-98-172-static.reverse.queryfoundry.net/",
"181-135-182-107-static.reverse.queryfoundry.net",
"http://201-191-251-104-static.reverse.queryfoundry.net/",
"67-228-69-38-static.reverse.queryfoundry.net",
"http://0-209-98-172-static.reverse.queryfoundry.net/",
"http://10-241-60-103-static.reverse.queryfoundry.net/",
"http://142-232-245-104-static.reverse.queryfoundry.net/",
"http://154-143-182-107-static.reverse.queryfoundry.net/",
"http://167-16-68-38-static.reverse.queryfoundry.net/",
"http://177-231-69-38-static.reverse.queryfoundry.net/",
"http://181-135-182-107-static.reverse.queryfoundry.net/",
"http://195-214-98-172-static.reverse.queryfoundry.net/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Simda",
"display_name": "Simda",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "GandCrab Ransomware",
"display_name": "GandCrab Ransomware",
"target": null
},
{
"id": "Win.Virus.Expiro",
"display_name": "Win.Virus.Expiro",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
}
],
"attack_ids": [
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1049,
"URL": 5839,
"hostname": 1944,
"FileHash-SHA256": 3634,
"FileHash-MD5": 310,
"FileHash-SHA1": 295,
"CVE": 2,
"email": 15,
"SSLCertFingerprint": 2
},
"indicator_count": 13090,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "107 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69314920e287845f6b36a265",
"name": "BeeLineRouter.Net \u2022 Apple Access",
"description": "",
"modified": "2026-01-03T07:00:45.529000",
"created": "2025-12-04T08:41:04.190000",
"tags": [
"mitre att",
"network traffic",
"ck id",
"show technique",
"ck matrix",
"threat score",
"december",
"default browser",
"guest system",
"united",
"dynadot inc",
"name server",
"contacted hosts",
"process details",
"windir",
"openurl c",
"prefetch2",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"access att",
"t1566 phishing",
"ascii text",
"pattern match",
"show process",
"t1071",
"general",
"local",
"path",
"click",
"beelinerouter",
"access",
"router",
"apple",
"regopenkeyexw",
"regsz",
"process32nextw",
"english",
"post http",
"search",
"observed dns",
"query",
"sinkhole cookie",
"malware",
"possible",
"win32",
"updater",
"write",
"next",
"found",
"ip address",
"domain",
"name servers",
"unknown ns",
"ip whois",
"registrar",
"cloudflare",
"title",
"passive dns",
"urls",
"files",
"location united",
"asn as14618",
"bq dec",
"virtool",
"backdoor",
"checkin",
"ipv4 add",
"trojan",
"dynamicloader",
"msie",
"windows nt",
"slcc2",
"media center",
"unknown",
"show",
"internal",
"encrypt",
"veailmboprd",
"dns query",
"wow64",
"gecko http",
"entries",
"medium",
"ransom",
"khtml",
"gecko",
"delete",
"installer",
"win32cve may",
"america flag",
"overview ip",
"asn as20940",
"expiration",
"url https",
"no expiration",
"url http",
"pulse show",
"type indicator",
"role title",
"related pulses",
"record value",
"domain xn"
],
"references": [
"HTTPS://BeeLineRouter.Net",
"eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com",
"https://appleid.xn--appe-70a.com/",
"https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.sweetheartvideo.com/tsara-brashears",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://vgt.pl/r.n%20-",
"8-25-220-162-static.reverse.queryfoundry.net",
"queryfoundry.net",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://117-114-251-162-static.reverse.queryfoundry.net/",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://68-178-128-104-static.reverse.queryfoundry.net/",
"0-209-98-172-static.reverse.queryfoundry.net",
"154-143-182-107-static.reverse.queryfoundry.net",
"http://51-235-245-104-static.reverse.queryfoundry.net/",
"167-16-68-38-static.reverse.queryfoundry.net",
"http://49-116-251-162-static.reverse.queryfoundry./net/",
"177-231-69-38-static.reverse.queryfoundry.net",
"http://36-243-60-103-static.reverse.queryfoundry.net/",
"http://237-189-251-104-static.reverse.queryfoundry.net/",
"http://227-98-248-162-static.reverse.queryfoundry.net/",
"237-189-251-104-static.reverse.queryfoundry.net",
"http://207-214-98-172-static.reverse.queryfoundry.net/",
"181-135-182-107-static.reverse.queryfoundry.net",
"http://201-191-251-104-static.reverse.queryfoundry.net/",
"67-228-69-38-static.reverse.queryfoundry.net",
"http://0-209-98-172-static.reverse.queryfoundry.net/",
"http://10-241-60-103-static.reverse.queryfoundry.net/",
"http://142-232-245-104-static.reverse.queryfoundry.net/",
"http://154-143-182-107-static.reverse.queryfoundry.net/",
"http://167-16-68-38-static.reverse.queryfoundry.net/",
"http://177-231-69-38-static.reverse.queryfoundry.net/",
"http://181-135-182-107-static.reverse.queryfoundry.net/",
"http://195-214-98-172-static.reverse.queryfoundry.net/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Simda",
"display_name": "Simda",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "GandCrab Ransomware",
"display_name": "GandCrab Ransomware",
"target": null
},
{
"id": "Win.Virus.Expiro",
"display_name": "Win.Virus.Expiro",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
}
],
"attack_ids": [
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 310,
"FileHash-SHA1": 295,
"FileHash-SHA256": 3634,
"URL": 5839,
"CVE": 2,
"domain": 1048,
"email": 15,
"hostname": 1944,
"SSLCertFingerprint": 2
},
"indicator_count": 13089,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "107 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69314926519256e3ef0a9358",
"name": "BeeLineRouter.Net \u2022 Apple Access",
"description": "",
"modified": "2026-01-03T07:00:45.529000",
"created": "2025-12-04T08:41:06.657000",
"tags": [
"mitre att",
"network traffic",
"ck id",
"show technique",
"ck matrix",
"threat score",
"december",
"default browser",
"guest system",
"united",
"dynadot inc",
"name server",
"contacted hosts",
"process details",
"windir",
"openurl c",
"prefetch2",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"access att",
"t1566 phishing",
"ascii text",
"pattern match",
"show process",
"t1071",
"general",
"local",
"path",
"click",
"beelinerouter",
"access",
"router",
"apple",
"regopenkeyexw",
"regsz",
"process32nextw",
"english",
"post http",
"search",
"observed dns",
"query",
"sinkhole cookie",
"malware",
"possible",
"win32",
"updater",
"write",
"next",
"found",
"ip address",
"domain",
"name servers",
"unknown ns",
"ip whois",
"registrar",
"cloudflare",
"title",
"passive dns",
"urls",
"files",
"location united",
"asn as14618",
"bq dec",
"virtool",
"backdoor",
"checkin",
"ipv4 add",
"trojan",
"dynamicloader",
"msie",
"windows nt",
"slcc2",
"media center",
"unknown",
"show",
"internal",
"encrypt",
"veailmboprd",
"dns query",
"wow64",
"gecko http",
"entries",
"medium",
"ransom",
"khtml",
"gecko",
"delete",
"installer",
"win32cve may",
"america flag",
"overview ip",
"asn as20940",
"expiration",
"url https",
"no expiration",
"url http",
"pulse show",
"type indicator",
"role title",
"related pulses",
"record value",
"domain xn"
],
"references": [
"HTTPS://BeeLineRouter.Net",
"eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com",
"https://appleid.xn--appe-70a.com/",
"https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.sweetheartvideo.com/tsara-brashears",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://vgt.pl/r.n%20-",
"8-25-220-162-static.reverse.queryfoundry.net",
"queryfoundry.net",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://117-114-251-162-static.reverse.queryfoundry.net/",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://68-178-128-104-static.reverse.queryfoundry.net/",
"0-209-98-172-static.reverse.queryfoundry.net",
"154-143-182-107-static.reverse.queryfoundry.net",
"http://51-235-245-104-static.reverse.queryfoundry.net/",
"167-16-68-38-static.reverse.queryfoundry.net",
"http://49-116-251-162-static.reverse.queryfoundry./net/",
"177-231-69-38-static.reverse.queryfoundry.net",
"http://36-243-60-103-static.reverse.queryfoundry.net/",
"http://237-189-251-104-static.reverse.queryfoundry.net/",
"http://227-98-248-162-static.reverse.queryfoundry.net/",
"237-189-251-104-static.reverse.queryfoundry.net",
"http://207-214-98-172-static.reverse.queryfoundry.net/",
"181-135-182-107-static.reverse.queryfoundry.net",
"http://201-191-251-104-static.reverse.queryfoundry.net/",
"67-228-69-38-static.reverse.queryfoundry.net",
"http://0-209-98-172-static.reverse.queryfoundry.net/",
"http://10-241-60-103-static.reverse.queryfoundry.net/",
"http://142-232-245-104-static.reverse.queryfoundry.net/",
"http://154-143-182-107-static.reverse.queryfoundry.net/",
"http://167-16-68-38-static.reverse.queryfoundry.net/",
"http://177-231-69-38-static.reverse.queryfoundry.net/",
"http://181-135-182-107-static.reverse.queryfoundry.net/",
"http://195-214-98-172-static.reverse.queryfoundry.net/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Simda",
"display_name": "Simda",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "GandCrab Ransomware",
"display_name": "GandCrab Ransomware",
"target": null
},
{
"id": "Win.Virus.Expiro",
"display_name": "Win.Virus.Expiro",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
}
],
"attack_ids": [
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 310,
"FileHash-SHA1": 295,
"FileHash-SHA256": 3634,
"URL": 5839,
"CVE": 2,
"domain": 1048,
"email": 15,
"hostname": 1944,
"SSLCertFingerprint": 2
},
"indicator_count": 13089,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "107 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "692f23547b713b128b9c8156",
"name": "Indicator Deletion Attack | Chris P. Ahmann Esq still utilizes parking crews to execute cyber attacks",
"description": "Unable to open malware indicators at this time. These attackers use Parking Crews for their exploits, leasing parked domains for the amount of time needed to execute an attack. The attack last predate me ever using Level Blue. I have to review indicators reports more closely but, I do see a the multitude of attacks against target TLB and an intersection of attacks concerning Disable_Duck (Alberta) Chris Ahmann , Colorado government indicated. \n\n[OTX auto populated - Adversaries may use techniques to evade detection in their malware or tools, as well as using techniques such as code signing, encryption, and other techniques for avoiding detection and monitoring of their activities.]",
"modified": "2026-01-01T17:01:48.163000",
"created": "2025-12-02T17:35:15.203000",
"tags": [
"data upload",
"extraction",
"failed",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"development att",
"united",
"flag",
"poland poland",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"mitre att",
"ck matrix",
"pattern match",
"ascii text",
"show process",
"network traffic",
"t1057",
"general",
"local",
"path",
"encrypt",
"hosts ip",
"details",
"ssl certificate",
"sha256",
"sha1",
"size",
"unicode text",
"crlf",
"utf8",
"lf line",
"server",
"command decode",
"markmonitor",
"amazon",
"ltd dba",
"com laude",
"organization",
"click",
"show technique",
"brand",
"microsoft edge",
"windows nt",
"win64",
"khtml",
"gecko",
"submitted",
"prefetch1",
"name server",
"misc attack",
"et tor",
"known tor",
"relayrouter",
"contacted hosts",
"google",
"pornhub",
"ip address",
"t1480 execution",
"file defense",
"passive dns",
"related nids",
"urls",
"files location",
"flag united"
],
"references": [
"deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev",
"Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com , etc Exploited",
"cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl",
"pl.wikipedia.org \u2022 fontawesome.io \u2022 opensource.org \u2022 videojet.com",
"https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net",
"https://www.milehighmedia.com/legal/2257",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://twitter.com/PORNO_SEXYBABES",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6",
"(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs",
"http://watchhers.net/index.php",
"everesttech.net \u2022 aws.amazon.com \u2022 cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1358,
"FileHash-MD5": 100,
"FileHash-SHA1": 102,
"FileHash-SHA256": 1682,
"URL": 2497,
"CVE": 2,
"domain": 400,
"SSLCertFingerprint": 6,
"email": 3
},
"indicator_count": 6150,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "108 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://ns4.raid.ru/",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://ns4.raid.ru/",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776674331.6138186
}