{ "type": "URL", "indicator": "https://oaey.win", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://oaey.win", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 2880311346, "indicator": "https://oaey.win", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "69d3532c76eb3bf5edd9609b", "name": "clone credit octoseek-Dark Power - Pegasus | https://lawlink.com/ CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by OctoSeek", "description": "", "modified": "2026-04-06T06:31:08.181000", "created": "2026-04-06T06:31:08.181000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "65bbb998c3b7662e5059b6c2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d3532a6537880f6e2c68dc", "name": "clone credit octoseek-Dark Power - Pegasus | https://lawlink.com/ CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by OctoSeek", "description": "", "modified": "2026-04-06T06:31:06.730000", "created": "2026-04-06T06:31:06.730000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "65bbb998c3b7662e5059b6c2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf8e2663d5480917ddb699", "name": "Pegasus - https://house.mo.gov/ | Brian Sabey HallRender [i cloned OctoSeek] T8", "description": "", "modified": "2026-03-22T08:35:26.266000", "created": "2026-03-22T06:37:26.233000", "tags": [ "united", "as393601 state", "a domains", "passive dns", "as397241", "certificate", "urls", "search", "showing", "entries", "algorithm", "full name", "data", "v3 serial", "number", "cus cndigicert", "global g2", "tls rsa", "sha256", "ca1 odigicert", "info", "record type", "ttl value", "all txt", "ssl certificate", "whois record", "contacted", "referrer", "resolutions", "historical ssl", "communicating", "problems", "parent domain", "njrat", "ransomware", "startpage", "historical", "malware", "execution", "threat roundup", "april", "september", "remcos rat", "august", "june", "qakbot", "push", "service", "privateloader", "amadey", "powershell", "qbot", "cobalt strike", "core", "hacktool", "november", "october", "roundup", "threat network", "cellbrite", "february", "emotet", "maze", "metro", "dark", "malicious", "team", "critical", "copy", "awful", "parallax rat", "banker", "keylogger", "dns replication", "date", "csc corporate", "domains", "code", "server", "registrar abuse", "registrar iana", "registry domain", "registrar url", "registrar", "contact phone", "apple ios", "quasar", "remcos", "ursnif", "chaos", "ransomexx", "azorult", "agent tesla", "evilnum", "asyncrat", "win32 exe", "wininit", "beta version", "cmstp", "taskscheduler", "ieudinit", "nat32", "certsentry", "type name", "wc3 rpg", "pegasus", "unknown", "domain", "servers", "germany unknown", "name servers", "status", "next", "as29066 host", "as133618", "cname", "as47846", "scan endpoints", "all octoseek", "pulse pulses", "encrypt", "china unknown", "as38365 beijing", "as134175 unit", "707713", "hong kong", "virgin islands", "as6461 zayo", "ransom", "exploit", "ipv4", "pulse submit", "url analysis", "trojan", "body", "click", "creation date", "emails", "expiration date", "domain privacy", "hostname", "dynamicloader", "state", "medium", "msie", "windows nt", "wow64", "show", "slcc2", "media center", "error", "delphi", "guard", "write", "win32", "target", "redir", "facebook", "dcom", "local", "delete", "utf8", "unicode text", "crlf line", "rgba", "yara detections", "default", "asnone", "get na", "dns lookup", "probe ms17010", "eternalblue", "playgame", "high", "related pulses", "yara rule", "anomalous file", "dynamic", "malware infection", "cnc", "procmem_yara", "antivm_generic_disk", "modify_proxy infostealer_cookies", "network_http", "anomalous_deletefile", "antidebug_guardpages", "powershell_request", "powershell_download", "as63949 linode", "mtb feb", "open ports", "backdoor", "gmt content", "trojandropper", "simda", "lockbit", "win.trojan", "midia-4", "floxif", "cryptowall", "brontok", "check in", "record value", "files", "location united", "america asn", "as16509", "download", "threat", "paste", "iocs", "analyze", "hostnames", "urls http", "samples", "tsara brashears", "2nd corintnthians 4:8-9", "injection_inter_process", "injection_create_remote_thread", "persistence_autorun", "bypass_firewall", "disables_windowsupdate", "dynamic_function_loading", "http_request", "query", "delete c", "activity dns", "components", "file execution", "observed dns", "as4837 china", "nxdomain", "a nxdomain", "wannacry", "missouri", "safebae", "hallrender", "house.mo.gov", "typosquatting", "tactics", "google", "win64", "khtml", "gecko", "veryhigh", "aes256gcm", "dalles", "cookie", "urls https", "xpcegvo2adsnq", "mhkz", "mvi2", "keepaliveyes", "fexp24007246", "nsyt", "eva reimer", "daisy coleman", "brian sabey", "https://lawlink.com/documents/10935/blackbag-technologies-announ" ], "references": [ "https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov", "dns.msftncsi.com", "NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184", "Target\u2193\u2192 Tsara Brashears: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "23.216.147.64", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]", "http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]", "alohatube.xyz [BotNetwork]", "facebooksunglassshop.com", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4", "oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev", "http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/", "government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org", "https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html", "remote.utorrent.com [remote router logins]", "Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com", "http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online", "http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com", "http://tvm77.fashiongup.in/tracking/track-open", "https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg", "http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/", "hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com", "http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208", "https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com", "safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/", "https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com", "https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4", "Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js", "Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]", "Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store", "https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]", "http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt", "sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "China", "Australia", "Hong Kong" ], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "EVILNUM", "display_name": "EVILNUM", "target": null }, { "id": "Dark", "display_name": "Dark", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Keylogger", "display_name": "Keylogger", "target": null }, { "id": "Maze", "display_name": "Maze", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "Parallax RAT", "display_name": "Parallax RAT", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Remcos RAT", "display_name": "Remcos RAT", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Win.Trojan.Agent-336074", "display_name": "Win.Trojan.Agent-336074", "target": null }, { "id": "Arid.Viper_CnC", "display_name": "Arid.Viper_CnC", "target": null }, { "id": "WininiCrypt", "display_name": "WininiCrypt", "target": null }, { "id": "PWS:Win32/QQpass.CI", "display_name": "PWS:Win32/QQpass.CI", "target": "/malware/PWS:Win32/QQpass.CI" }, { "id": "Win.Trojan.Midia-4", "display_name": "Win.Trojan.Midia-4", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Win32/SocStealer!rfn", "display_name": "Win32/SocStealer!rfn", "target": null }, { "id": "Backdoor.Win32.Shiz.ufj", "display_name": "Backdoor.Win32.Shiz.ufj", "target": null }, { "id": "Email-Worm.Win32.Brontok.n", "display_name": "Email-Worm.Win32.Brontok.n", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": "65c91f2b7c03b480379ae4d1", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2668, "FileHash-SHA1": 2469, "FileHash-SHA256": 8054, "URL": 6185, "domain": 2421, "hostname": 3042, "CVE": 5, "email": 15, "CIDR": 1, "IPv4": 18 }, "indicator_count": 24878, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b49ad5dd40a24d83cd6a72", "name": "Chris P. Ahmann \u2022 PRIVATE PROPERTY Colorado State Fixer!", "description": "", "modified": "2026-03-13T23:16:37.716000", "created": "2026-03-13T23:16:37.716000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "69631fbd16e306ee2b76c4da", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b496396ca4987e95ad37d1", "name": "Chris Buzz by QVashni (wow)", "description": "", "modified": "2026-03-13T22:56:57.314000", "created": "2026-03-13T22:56:57.314000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "69482caa00d327da8f0a87bc", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b49587dd104e342dda1628", "name": "C Ahman Attorney Clone by Top Tier, Q.Vashti", "description": "", "modified": "2026-03-13T22:53:59.112000", "created": "2026-03-13T22:53:59.112000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "691f4d4ef0a2a570b8b21cd2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b92a27c47d4e28927364", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:24:26.110000", "created": "2026-03-12T13:01:30.067000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 51, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b9295603a6100edfa8c8", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:24:25.387000", "created": "2026-03-12T13:01:29.284000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b927aa7f10e82639d204", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:27.872000", "created": "2026-03-12T13:01:27.872000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b927c086397130c5d114", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:27.275000", "created": "2026-03-12T13:01:27.275000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b926871746ed8a1bc324", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:26.440000", "created": "2026-03-12T13:01:26.440000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b925e85c948d4dd608cc", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:25.852000", "created": "2026-03-12T13:01:25.852000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b8e974189d2c41f07ed8", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:25.910000", "created": "2026-03-12T13:00:25.910000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b8e74d2b3effd55f88c3", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:23.173000", "created": "2026-03-12T13:00:23.173000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b8dfbf8426a7a1d0146d", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:15.427000", "created": "2026-03-12T13:00:15.427000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b8d7123610591625b8fb", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:07.354000", "created": "2026-03-12T13:00:07.354000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b8d61e3f64a8f1f169b6", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:06.214000", "created": "2026-03-12T13:00:06.214000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b8d24eeb4200bdb1d702", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:02.096000", "created": "2026-03-12T13:00:02.096000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a9e7c572b8411d126215a6", "name": "@scoreblue callback clone", "description": "", "modified": "2026-03-06T05:11:18.020000", "created": "2026-03-05T20:29:57.169000", "tags": [ "acceptencoding", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers xcache", "wp engine", "threat", "paste", "iocs", "urls https", "samples", "contacted", "apple", "ssl certificate", "whois record", "contacted", "historical ssl", "referrer", "execution", "tsara brashears", "apple ios", "historical", "communicating", "copy", "attack", "njrat", "ransomware", "hacktool", "metro", "malicious", "crypto", "installer", "awful", "startpage", "callback phishing", "safebae", "catherine daisy coleman", "pegasus", "nso", "kb font", "january", "http", "resource path", "size", "type mimetype", "primary request", "kb document", "general full", "url http", "low risk", "sucuri firewall", "malware found", "site", "unknown", "low security", "risk", "website malware", "security no", "protect", "html internet", "html document", "unicode text", "utf8 text", "no data", "tag count", "sample summary", "sample", "detection list", "blacklist", "count blacklist", "tag tag", "anchor hrefs", "wordpress", "html info", "title safebae", "anyone else", "meta tags", "wpbakery page", "builder", "slider plugin", "script tags", "passive dns", "urls", "a nxdomain", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "files", "domain", "files ip", "united", "status", "as13768 aptum", "date", "moved", "creation date", "search", "record value", "body", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "false", "as30148 sucuri", "a domains", "gmt content", "ipv4", "win64", "back", "linux mint", "hacking", "brian sabey", "tracking", "hallrender", "staging", "dns", "network", "control", "bazar" ], "references": [ "https://safebae.org/", "www.hallrender.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "9.6.zip - SQLi", "dns.trackgroup.net", "nr-data.net [Apple Private Data Collection]", "scripting-sandbox-dns.bunny.net", "http://www.01tracks.com/happy-customers", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "deadlyexploits.com | deadlysymbol.com |", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Callback Phishing", "display_name": "Callback Phishing", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "BazarCall", "display_name": "BazarCall", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "65b8a052c4160dbd76054f8a", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2802, "URL": 3267, "domain": 1459, "hostname": 1268, "FileHash-MD5": 227, "FileHash-SHA1": 144, "CVE": 2, "email": 1, "SSLCertFingerprint": 2 }, "indicator_count": 9172, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "691f4d4ef0a2a570b8b21cd2", "name": "Chris P. Ahmann Colorado State Criminal Defense Attorney", "description": "Chris P. Ahmann Colorado State Criminal Defense attorney hired by quasi government Workers Compensation to completely destroy Tsara Brashears literally to death. None of her spinal cord injuries , and other assault injuries discussed or compensated for in rushed settlement case. Her awful racist attorney refused to represent plaintiffs in hearing. Never met with in person for no good reason. Tsara represented herself. Less that 24 hour notice. No briefings, no awareness or mention that Ahmann was representing Jeffrey Scott Reimer for assault\n case. Brashears required 24 hour care by end of life. Received 0 workers compsarion payments. But if this doesn\u2019t prove Reimer\u2019s guilt what does? Continued harassment of associated. \n\nNotice the outages? You\u2019ve cost BILLIONS? Stop threatening everyone.", "modified": "2026-01-20T17:02:02.650000", "created": "2025-11-20T17:18:06.929000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "88 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69482caa00d327da8f0a87bc", "name": "Chris P.\u2019 Buzz\u2019 Ahmann Colorado State Criminal Defense Attorney (22.20.2025)", "description": "", "modified": "2026-01-20T17:02:02.650000", "created": "2025-12-21T17:21:46.434000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "691f4d4ef0a2a570b8b21cd2", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "88 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695557ee134b978b00883c29", "name": "Chris P. Ahmann \u2022 Stay out of PRIVATE PROPERTY HITMAN! Colorado State", "description": "", "modified": "2026-01-20T17:02:02.650000", "created": "2025-12-31T17:05:50.134000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "691f4d4ef0a2a570b8b21cd2", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "88 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69631fbd16e306ee2b76c4da", "name": "Chris P. Ahmann \u2022 STAY Away!f PRIVATE PROPERTY Colorado State Fixer!", "description": "", "modified": "2026-01-20T17:02:02.650000", "created": "2026-01-11T03:57:49.242000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "695557ee134b978b00883c29", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "88 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687992eceac6f12e9cebd65f", "name": "Operation Endgame | ThreatIntelligence | Pegasus | Mirai | Berbew | Emotet", "description": "Operation Endgame - Mass spying on civilians suspected of involvement in illegal activity. This spying can last for years. Law enforcement and intelligence agencies use infrastructures from Google, Bing, Apple, Amazon, Coudflare, Microsoft, among other companies. Traffic can be masked in DNS and encrypted connections to go undetected. It is recommended to abandon closed-source services and software and opt for fully open-source software and install a powerful firewall. The use of a secure VPN is recommended. \nThere may be repeated indicators and some false positives due to the nature of the threats. We are working to eliminate duplicate entries and false positives. Check the comment box for important notifications. Follow our Telegram channel: @PrivacyNotACrime", "modified": "2025-12-28T19:04:27.449000", "created": "2025-07-18T00:18:50.968000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": null, "export_count": 375, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "privacynotacrime", "id": "349346", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 121, "modified_text": "111 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6905d40f781d7d58d4021a20", "name": "Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts by PT.", "description": "- with a primary focus on criminal defense. In both positions, he successfully defended his clients against claims running the gamut of the criminal justice system, from DUI\nand misdemeanors to felony indictments. In his criminal practice, Mr. Ahmann defends clients charged with both misdemeanor and felony cases. Mr. Ahmann continues his criminal practice as he believes that his clients deserve someone on their side to assure their voice is heard in the criminal process as well. He is dedicated to each of his clients and is always\nstriving for the best possible outcome in their individual cases. Mr. Ahmann also specializes in defense of employers in workers' compensation claims. He also assists TAM clients whose liability defense touches criminal prosecution, regularly providing effective criminal counsel in catastrophic injury common carrier matters, as well as criminal prosecution stemming from\nemployment and official acts.", "modified": "2025-12-20T06:00:23.758000", "created": "2025-11-01T09:34:07.323000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8332, "domain": 4819, "hostname": 2165, "FileHash-SHA256": 7369, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 23637, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "120 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6906c12b1dd6a64ab1beaa55", "name": "SpyNoon \u2022Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious", "description": "", "modified": "2025-12-01T09:02:26.881000", "created": "2025-11-02T02:25:47.431000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6905d40f781d7d58d4021a20", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7556, "domain": 4779, "hostname": 2053, "FileHash-SHA256": 7233, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 22573, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "139 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69137ee5d76d486d65396af0", "name": "Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts committed by Jeffrey S. Reimer DPT \u2022 Treece Alfrey Musat P.C., ", "description": "", "modified": "2025-12-01T09:02:26.881000", "created": "2025-11-11T18:22:29.976000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6905d40f781d7d58d4021a20", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7556, "domain": 4779, "hostname": 2053, "FileHash-SHA256": 7233, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 22573, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "139 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bbb31f6d91989d7fcd9592", "name": "Who is Argus Health Systems in relation to United Healthcare", "description": "Strange. Person/s handling a monitored targeted past accounts was contacted to have old bills paid. Told individual had Argus Health Insurance that wouldn\u2019t pay.\n\nIssues: \u2022 Individual wasn\u2019t a client of vendor in 2024\n\u2022 Was never an Argus client.\n\u2022 Social engineering type call. Angry employee demanding copy of front and back of Health Care Insurance card for UH payments for items purchased after approved prior authorization for in past purchases. \n\u2022 Gave an incredible amount of PHI over phone w/o appropriate new (or former) HIPPA standard verification. \u2022 Angrily refused to provide billing # or requesters name.\n*United Health Care has paid ZERO bills. \n* \n(Auto populated - Anel arauchealth cam) | https://www.argushealth.com. Argus Health Systems is a healthcare technology company based in Kansas City, MO. Specializing in pharmacy benefit management ...", "modified": "2025-10-06T03:04:31.707000", "created": "2025-09-06T04:05:50.955000", "tags": [ "server", "date", "registrar abuse", "csc corporate", "domains", "algorithm", "key identifier", "x509v3 subject", "country", "postal code", "code", "united", "showing", "entries", "ip address", "search", "name servers", "unknown aaaa", "domain add", "pulse submit", "passive dns", "content type", "type content", "all ipv4", "url analysis", "urls", "files", "title", "meta", "certificate", "creation date", "record value", "hostname add", "domain", "unknown ns", "china unknown", "body", "please", "x msedge", "pulse pulses", "present aug", "hong kong", "extraction", "data upload", "levelbluelabs", "search otx", "pcap", "stix", "url or", "texdr", "failedto", "drop", "aaaa", "record type", "ttl value", "historical ssl", "certificates", "thumbprint", "present jan", "next associated", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "present jun", "moved", "gmt content", "a domains", "next http", "scans show", "error", "present sep", "present may", "present jul", "present mar", "present apr" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2091, "domain": 817, "URL": 7939, "email": 5, "FileHash-SHA256": 2960, "FileHash-SHA1": 240, "FileHash-MD5": 227 }, "indicator_count": 14279, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6824aa10fa32899c33abc3be", "name": "tp://adorno.pl and http://vgt.pl INVESTIGATION requstor user Axelo", "description": "https://t.co/zTZNBTe8GV", "modified": "2025-06-14T00:00:30.956000", "created": "2025-05-14T14:34:56.497000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 426, "FileHash-SHA1": 455, "FileHash-SHA256": 5596, "URL": 15206, "IPv4": 409, "domain": 2473, "hostname": 5059, "CVE": 3 }, "indicator_count": 29627, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "309 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6647908c09468f42bc1249f1", "name": "University of Alberta Azure/Entra Compromised Tenant Compromized Institution", "description": "Update: Academic/Non-Academic Staff Unions, 3rd party org, & some profs/students/alumni tried raising concerns to Admins/President/IST & CISO => Maintaining position they will not be looking into reported problems re: Cybersecurity under any circumstances = more time more problems? Attempts to advocate -> Harrass./Discrim./De-humanizing responses from admins (representing all folks - recorded). \nTenant ID: 718b8a9b-44d8-441a-a344-4294ea842172 = This pulse is 1 example (small) of problems.\n\nPrimary domain\nualbertaca.onmicrosoft.com\nCustom Domain Names\nualberta.ca\nVerified\nualbertaca.onmicrosoft.com", "modified": "2025-03-01T04:59:57.222000", "created": "2024-05-17T17:14:52.317000", "tags": [ "false", "true", "visible", "application", "microsoft teams", "microsoft azure", "office", "service", "dynamics", "hidden", "android", "explorer", "write", "connector", "test", "sharepoint", "live", "meister", "tools", "desktop", "spark", "front", "enterprise", "designer", "atlas", "premium", "assistant", "allow", "azureadmyorg", "game", "verify", "microsoft power", "channelsurfcli", "mtd1", "file transfer", "magnus", "microsoft crm", "youth" ], "references": [ "All - EnterpriseAppsList.csv", "AppRegistrationList.csv", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://tria.ge/240521-q4s79agb25/static1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://urlscan.io/search/#ualberta.ca", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Healthcare", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1703, "FileHash-SHA256": 90472, "URL": 99185, "domain": 82954, "hostname": 39041, "FileHash-SHA1": 1624, "email": 4658, "CVE": 12 }, "indicator_count": 319649, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "414 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e6547f22d43d6d149cac7a", "name": "RedCap Abuse | The 1st Pulse was deleted from OTX . AlienVault", "description": "Another example of target working with a hacker impersonating some7he.sje was not. The hackers had the perfect opportunity to stay attached to Dropbox, photos. microphone and highlighted heavily targets location. || Target was suspicious about several issues related to pair. Hacker has only one piece of equipment for project. Target basically had to give him all , tips, cues and direction for project. If this Pulse is deleted I don't know what to think.", "modified": "2024-10-15T02:02:53.504000", "created": "2024-09-15T03:29:03.699000", "tags": [ "urls", "passive dns", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "process32nextw", "intel", "ms windows", "united", "pe32", "search", "module load", "t1129", "read c", "default", "path", "write", "malware", "copy", "win32", "suspicious", "unknown", "united kingdom", "set cookie", "as43350 nforce", "script urls", "as55286", "status", "cookie", "trojan", "template", "showing", "entries", "body", "ransom", "meta", "a div", "div div", "ipv4", "script script", "as16276", "france unknown", "link", "span a", "span span", "span", "class", "pragma", "servers", "creation date", "emails", "domain", "expiration date", "cname", "aaaa", "certificate", "lowfitrojan", "hstr", "jsauto25 jun", "pm lowfitrojan", "related pulses", "file samples", "files matching", "show", "endpoints all", "trojan features", "date hash", "as15169 google", "as44273 host", "september", "de indicators", "domains", "hashes", "dynamicloader", "yara detections", "enigmaprotector", "high", "bios", "dynamic", "filehash", "yaxpax", "yapaxi", "zp6axi0", "cuckoo", "name servers", "domains ii", "for privacy", "redacted for", "next", "domain address", "alienvault name", "server", "flag", "contacted hosts", "process details", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "exit node", "traffic group", "suricata", "overview ip", "address", "files location", "flag united", "hostname", "files domain", "months ago", "created", "email", "modified", "filehashsha1", "filehashsha256", "white cve", "cyber", "xamzexpires300", "twitter", "xor ddos", "xorddos", "hacktool", "bazaarloader", "redcap", "formbook", "locky", "lockbit", "ransomware", "target", "ebury", "virustotal", "crypter", "shadowpad", "corrupt", "cryptor", "android", "xrat", "xtrat", "malicious", "honeypot", "fraud", "already", "behav", "ragnar locker", "swipper", "n\u2205 ip", "write c", "msie", "windows nt", "wow64", "slcc2", "media center", "delete c", "execution", "dock", "persistence", "august", "asnone bulgaria", "sales", "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "first", "whois lookups", "dnssec", "domain name", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "date", "dns replication", "record type", "ttl value", "msms33388520", "data", "cus starizona", "cngo daddy", "authority", "g2 validity" ], "references": [ "TrojanSpy:Win32/Nivdort.DE", "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn: FileHash-SHA256 00018d13f451300fb839123dfbf2d8607da0e7b1c89ae1bfbb9946ac79c1663c", "IDS Detections: Win32/Unruy Rogue Search Host Observed 1", "Yara Detections: Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts: nids_malware_alert network_icmp persistence_autorun" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "ALF:Trojan:Win32/Cassini_ade36583", "display_name": "ALF:Trojan:Win32/Cassini_ade36583", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn", "target": null }, { "id": "Ransom:Win32/Wannaren", "display_name": "Ransom:Win32/Wannaren", "target": "/malware/Ransom:Win32/Wannaren" }, { "id": "#LowfiTrojan:JS/Auto25", "display_name": "#LowfiTrojan:JS/Auto25", "target": "/malware/#LowfiTrojan:JS/Auto25" }, { "id": "Trojan:Win32/Startpage", "display_name": "Trojan:Win32/Startpage", "target": "/malware/Trojan:Win32/Startpage" }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy", "target": null }, { "id": "Win.Packed.XtremeRAT-9837419-0", "display_name": "Win.Packed.XtremeRAT-9837419-0", "target": null }, { "id": "Win.Packed.Kelios-10023944-0", "display_name": "Win.Packed.Kelios-10023944-0", "target": null }, { "id": "Win.Trojan.Unruy-5885", "display_name": "Win.Trojan.Unruy-5885", "target": null }, { "id": "Ebury", "display_name": "Ebury", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Swipper", "display_name": "Swipper", "target": null }, { "id": "N\u2205 IP", "display_name": "N\u2205 IP", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [ "Government", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4315, "FileHash-MD5": 573, "FileHash-SHA1": 550, "FileHash-SHA256": 4114, "domain": 4757, "hostname": 2075, "SSLCertFingerprint": 5, "email": 14, "CIDR": 1 }, "indicator_count": 16404, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85e73efe2e053366ed972", "name": "https://www.hallrender.com/attorney/brian-sabey/", "description": "", "modified": "2024-09-05T06:21:34.047000", "created": "2024-01-30T02:26:59.218000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "sample", "ssl certificate", "feeds ioc", "analyze", "whois record", "contacted", "historical ssl", "resolutions", "threat roundup", "referrer", "contacted urls", "august", "execution", "njrat", "ransomware", "gopher", "formbook", "whois ssl", "communicating", "obz4usfn0 url", "cfqirgdhj5 url", "obz4usfn0", "sfqh4dt74w0 url", "cfqirgdhj5", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "mitre att", "file", "ck id", "show technique", "path", "factory", "hybrid", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers date", "gmt connection", "obz4usfn0 http", "cfqirgdhj5 http", "bundled", "dropped", "putty", "february", "july", "whois whois", "malware", "urls", "post", "vj87", "passive dns", "http", "unique", "ukhdaauqaaaaaac", "screenshot", "scan endpoints", "all octoseek", "code" ], "references": [ "https://www.hallrender.com/attorney/brian-sabey/", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "business-support.intel.com", "00000000000.cloudfront.net", "mobileaccess.intel.com", "artificial-legal-intelligence.com", "http://intel.net/.about.html", "http://medlineplus.gov.https.sci-hub.st", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "http://pl.gov-zaloguj.info", "http://apple.helptechnicalsupport.com/favicon.ico", "https://www.journaldev.com/41403/regex" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Gopher", "display_name": "Gopher", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Ascii Exploit", "display_name": "Ascii Exploit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "658b74ee93a0b0dc9c960cee", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 168, "FileHash-SHA256": 6145, "URL": 14252, "hostname": 4778, "domain": 6809, "CVE": 3 }, "indicator_count": 32339, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66844266b18b359a3a385cf4", "name": "Alberta NDP", "description": "This pulse takes a peak into the Alberta NDP party and their current breach situation. The (original) purpose of this pulse was to further identify and characterize issues relating to the (still) ongoing UAlberta breach and to see if the Alberta NDP were impacted. Prepared this pulse to present to them as a component of it's relevancy to their own infrastructure (e.g. highlighting the privacy, safety, security implications for their party) as it was 2 months ago. Was told my contacts would be on vacation until September. It now seems during that waiting time much of the party and it's leaders have been breached/affected by similar malware & infostealers. Still waiting?", "modified": "2024-09-04T19:53:22.824000", "created": "2024-07-02T18:09:42.084000", "tags": [ "Hacked", "" ], "references": [ "https://www.virustotal.com/graph/embed/gc3d0a481dd64463a889ad9f206727d9d87db106da3c34deb922a2ce7837d6577?theme=dark", "https://www.virustotal.com/graph/embed/g99d61feda7554cba94972ae4110efe8acacfea236d6943d0bdc93dcbc7e9b60f?theme=dark", "https://www.virustotal.com/graph/embed/ga26f4bba58834344a271a36d59827ec2154f655df6324f939f674b0d49e1290a?theme=dark", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06/summary", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06/iocs", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06/graph", "https://www.virustotal.com/gui/collection/e49552b5297eb28f2ec7245429e50fb363823c4683606ddb61c1d014b2238a6e", "type,id 000d161246615fb8d5b30411c753420f82a881a9d7750639bbace67e1bb270a0 001155a72482c2ddd750b1e9c28633a7e13228e4e2b05f0ba585a395ac852b49 0014425cb6011c2086b6aeca5eee11368431356a68d173c2ff7ffef327c0ba86 0018686a02600f7da1a3f0981ce78bb6982480b14130a0cc2b8c8401bc1b8449 003bfd323f6366ac283b9f922d942d7c8f6070a2f2b919a719af7fc8e7c77995 00434aa911043b208854236a41c8e7a284185710ff67b52eea9f538f4151fa28 0063c0019a4ec47bc251753be3aca37c0d84699d34a99df83963364fe640c795 00651f483b685736596ebc95817b01c34382a4691b81701cc", "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984", "https://www.virustotal.com/gui/collection/4b0d82fda81972be3f9373edf863a3bcf426aafc9a53927eedc0b694554de33f", "https://viz.greynoise.io/analysis/52a90c2d-0774-46cd-bb66-79cb82c903fe - 07.03.24", "https://www.ipvoid.com/whois/", "https://leakix.net/search?scope=leak&q=alberta.ca", "https://intelx.io/?s=albertandp.ca", "http://ci-www.threatcrowd.org/domain.php?domain=albertandp.ca", "https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fsites.google.com%2Fstudent.concordia.ab.ca%2Fcybersecuritybriefi%2Fhome&followup=https%3A%2F%2Fsites.google.com%2Fstudent.concordia.ab.ca%2Fcybersecuritybriefi%2Fhome&ifkv=AdF4I74DbXz0axIgI_8-2HKe5uTaiHcEn5GDXdTMvWumG7pqQExSEV6IUvXUJDoG9Ra0ZgbhrlrC&osid=1&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1391668132%3A1721034538211512&ddm=0", "" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications", "Healthcare", "Education", "Technology", "Hospitality", "Finance", "Manufacturing", "Retail" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 10030, "FileHash-MD5": 719, "FileHash-SHA1": 719, "FileHash-SHA256": 14832, "URL": 12538, "hostname": 10238, "CVE": 35, "email": 2, "CIDR": 847 }, "indicator_count": 49960, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "669e42fea462f0c8f8db32a1", "name": "Worm:Win32/Ganelp.A - Malicious IP: 148.163.152.21", "description": "Malicious IP found in disastrous attack against a mid level media marketing firm that the healthcare, travel, corporate event industry. \nEmployee phones are 'zombies' some laptops likely impacted by the Crowd Strike issue, (blue screen). Excessive tracking, monitoring, active botnets, power outage, and more. Research of IP and other IoC's found. Unfortunately, many of the clients are also sucked into issue. It appears that the issue has persisted for several years. The outage just made us work every angle. The attack goes beyond the CS 'update' outage, as the seemingly well cyber manged firm was under a very targeted, ongoing cyber attack that has kept company from rebounding. Red Team behavior seen.", "modified": "2024-08-21T11:03:59.106000", "created": "2024-07-22T11:31:10.391000", "tags": [ "historical ssl", "referrer", "fancy bear", "scan endpoints", "all search", "otx scoreblue", "ipv4", "pulse submit", "url analysis", "passive dns", "urls", "files", "reverse dns", "open", "status", "name servers", "creation date", "search", "proofpoint", "expiration date", "div div", "date", "accept", "next", "united", "cname", "asnone united", "a nxdomain", "domain", "united kingdom", "servers", "showing", "nxdomain", "dname", "whitelisted", "aaaa", "script urls", "costa rica", "script domains", "msie", "chrome", "unknown", "body", "gmt content", "all scoreblue", "pulse pulses", "entries", "as8987 amazon", "as20940", "hostname", "gartner", "crowdstrike", "business value", "magic quadrant", "customer", "realized", "assessment", "economic impact", "complete", "february", "utc na", "ver2", "msclkidn", "html info", "meta tags", "mobileoptimized", "adobe dynamic", "tag management", "utc bing", "cobalt strike", "communications", "android device", "neutral", "win32 exe", "pe32", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "sections", "rticon neutral", "ico rtgroupicon", "xml rtmanifest", "overlay", "threat roundup", "pandas", "attacks against", "southeast", "wannacry kill", "switch dns", "query", "high level", "hackers", "unknown win", "core", "ascii text", "sha256", "sha1", "size", "pattern match", "suricata stream", "command decode", "utf8 text", "mitre att", "path", "hybrid", "starfield", "meta", "general", "target", "local", "click", "strings", "trident", "legacy", "main", "contact", "flow t1574", "dll sideloading", "create", "modify system", "process t1543", "windows service", "t1055 system", "pe file", "t1497 query", "may sleep", "allocate rwx", "get file", "access", "windows event", "allocate", "link function", "windows link", "contains pdb", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls tcp", "hashes", "user", "file system", "written c", "samplepath", "files dropped", "userprofile", "registry keys", "registry", "set registrya", "conhost", "comspec", "created", "temp", "windows", "displayname", "process", "commands", "signals mutexes", "mutexes", "full name", "data", "v3 serial", "number", "cus cndigicert", "tls rsa", "ca1 odigicert", "inc validity", "subject public", "certificate", "whois lookup", "netrange", "nethandle", "net148", "net1480000", "as16509", "as22843", "as13916", "form", "server", "registrar abuse", "email", "request email", "verisign", "icann whois", "tech", "first", "project skynet", "cyber army", "dynamicloader", "high", "delete c", "show", "username", "medium", "default", "yara detections", "worm", "copy", "write", "duptwux", "malware", "x82xd4", "kx81xdbx0f", "x86xd3", "xa1xf1", "xe8xc2x14", "wx99xcdx11", "regsetvalueexa", "regbinary", "xe8xc6x13", "hx88x9ax1e", "stream", "win32", "persistence", "execution", "av detections", "ids detections", "alerts", "analysis date", "file score", "ftp username", "contacted", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "severity", "null", "refresh", "span", "error", "tools", "look", "verify", "restart", "robtex", "apple ios", "apple", "domains", "co number", "virtual mobile", "logistics", "cyber defense", "twitter", "read c", "artemis", "intel", "steals", "virustotal", "python", "panda", "falcon sandbox", "analysis", "hybrid analysis", "submission name", "av detection", "multi scan", "highest", "ability", "execute", "upgrade", "intelligence", "learn", "reports", "logo analysis", "size17kib type", "command", "found", "layer protocol", "osi application", "ip address", "t1105 ingress", "tool transfer", "problems", "threat network", "infrastructure", "domains part", "domain tracker", "roundup", "new problems", "startpage", "e1203 windows", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "ob0007 system", "e1082 file", "e1083 impact", "data manipulation", "remote system", "discovery", "t1059 accept", "modules t1129", "enumerate", "as2914 ntt", "access denied", "as16625 akamai", "germany unknown", "csccorpdomains", "as31109", "invalid url", "mirai", "port", "destination", "bad login", "suspicious path", "nids", "tcp syn", "root account", "cve20185723", "as8068", "please", "x msedge", "embeddedwb", "windows nt", "tofsee", "push", "as54113", "as396982 google", "as31898 oracle", "moved", "encrypt" ], "references": [ "148.163.152.21 AS 22843 (PROOFPOINT-ASN-US-EAST) US | www.robtex.com | www.spf-record.com |", "Crowdsourced Sigma Rules: Suspicious New Service Creation by Nasreddine Bencherchali (Nextron Systems)", "Crowdsourced Sigma Rules: Matches rule Suspicious Svchost Process by Florian Roth (Nextron Systems)", "Crowdsourced Sigma Rules: Matches rule Suspect Svchost Activity by David Burkett, @signalblur", "Crowdsourced Sigma Rules: Matches rule Suspicious Outbound SMTP Connections by frack113", "Crowdsourced Sigma Rules: Matches rule Creation of an Executable by an Executable by frack113", "https://www.virustotal.com/gui/file/dcd0812ed0b280cee38a3f8a68e5fde900f0a9f832ca53167d38d96f105eb9b9/detection", "Antivirus Detections Win.Trojan.Sality-1047 , Worm:Win32/Ganelp.A IDS Detections W32.Duptwux/Ganelp FTP Username - onthelinux Yara Detections InstallShield2000 Alerts persistence_autorun_tasks cape_detected_threat bypass_firewall suricata_alert dynamic_function_loading dropper injection_rwx IP\u2019s Contacted 209.202.252.54", "ELF:Mirai-GH\\ [Trj] 91b62309447ba8db2a456b546d02cee07f1fd1027a0dd23b0ad87bec18b5acee", "https://hybrid-analysis.com/sample/b31067b40534bc4a9d68ac2f13f6090956d171d23c3d3f7a8c92a8745aed4db3", "https://otx.alienvault.com/indicator/file/00001054e41d89822267a38856e76eafc2c2e2f20c3f17a392e417f8b87e4ce1", "trojan.shellrunner/emailworm: FileHash-SHA256 f9527077fe3699a17a45276e3b15d65014b5c1d2d10c09f476a21b90fbd0bf67", "https://www.virustotal.com/gui/file/f9527077fe3699a17a45276e3b15d65014b5c1d2d10c09f476a21b90fbd0bf67/detection", "Trojan.Agent.FRYX: http://email.bidayati.com/c/eJwkkc1ygjoYQJ8Gd3TClwTIwgUR0Aq12BbBbu5EfuQnioVQwKe_03v3Z-bMnJOvbUwtS6yKtWEZjNmMULyq1oAMYto2zZhd2IbIGb6UBdiYCqMoC", "Worm:Win32/Ganelp.A: FileHash-SHA256 00001054e41d89822267a38856e76eafc2c2e2f20c3f17a392e417f8b87e4ce1", "Worm:Win32/Ganelp.A: FileHash-SHA1 0eed684aef678aeffb43866bd2c975876e82eeab", "Worm:Win32/Ganelp.A: FileHash-MD5 b5e26ac3b7518b77631ab7bcefae10fe", "Trojan.Crypted-6 | infostealer_browser : https://otx.alienvault.com/indicator/file/29971e4a9ce229d79fae4cbdff1b32d2", "Falcon-FileVantage.exe | trojan.redcap/python: FileHash-SHA256 06d4c16f64fc377b7dd5d8dff8bc6b11728d4cbbf3dcb42a9b819cc028afc328", "https://www.virustotal.com/gui/file/06d4c16f64fc377b7dd5d8dff8bc6b11728d4cbbf3dcb42a9b819cc028afc328/detection", "apple-carry-relay.cloudflare.com | apple-dns.net | emails.redvue.com | https://arduboy.com/bad-apple-demo-is-good | 67.199.248.12", "https://tools.totaleconomicimpact.com/go/apple/TEI/docs/TEI-of-Mac-in-Enterprise.pdf | 79appleway.com | technoapple.com", "http://image.nationwide-service.co.uk/lib/fe9515737163077971/m/1/spacer_ApplePay.gif bum?id=326459173&s=143441 | mails.redvue.com", "http://www.rvrb.me/fan_reach/pt?eid=A429942_17490857_19605431_lnk1018&url=http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewAl", "Antivirus Detections ELF:Mirai-GH\\ [Trj]", "IDS Detections Master IP CAM 01 Hardcoded Password for Root Account (CVE-2018-5723) Juniper ScreenOS telnet Backdoor Default Password Attempt SUSPICIOUS Path to BusyBox Possible Linux.Mirai Login Attempt (meinsm) Actiontec C1000A backdoor account M2", "IDS Detections Win32/Tofsee.AX google.com connectivity check External IP Lookup www.trackip.net Possible", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian - is this a must?", "http://images.contact.acams.org/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Trojan.Agent.FRYX", "display_name": "Trojan.Agent.FRYX", "target": null }, { "id": "Win32:AceCrypter-B [Cryp]", "display_name": "Win32:AceCrypter-B [Cryp]", "target": null }, { "id": "Mal_Tofsee", "display_name": "Mal_Tofsee", "target": null }, { "id": "Ransom.StopcryptPMF.", "display_name": "Ransom.StopcryptPMF.", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Worm:Win32/Ganelp.A", "display_name": "Worm:Win32/Ganelp.A", "target": "/malware/Worm:Win32/Ganelp.A" }, { "id": "trojan.shellrunner/emailworm", "display_name": "trojan.shellrunner/emailworm", "target": null }, { "id": "trojan.redcap/python", "display_name": "trojan.redcap/python", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1565", "name": "Data Manipulation", "display_name": "T1565 - Data Manipulation" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [ "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 890, "FileHash-SHA1": 853, "FileHash-SHA256": 7215, "domain": 2771, "hostname": 5544, "URL": 13393, "email": 12, "SSLCertFingerprint": 15, "CIDR": 1, "CVE": 3 }, "indicator_count": 30697, "is_author": false, "is_subscribing": null, "subscriber_count": 237, "modified_text": "606 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66994bda3e150656cd5ac9dd", "name": "Browser Session Hijacking Various MyChart Phishing Scams", "description": "Ongoing issues with medical information hijacking. Various medical corporations affected. Tracking, medical, injection process, records retrieval, botnets.", "modified": "2024-08-17T16:01:11.866000", "created": "2024-07-18T17:07:38.719000", "tags": [ "historical ssl", "referrer", "domains", "august", "phishingscams", "domains part", "domain tracker", "roundup", "new problems", "privacy badger", "startpage", "self", "httponly", "samesitenone", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "pragma", "mychartlocale", "urls", "ip detections", "country", "contacted", "files", "file type", "name file", "gmbh", "cloudflare", "tucows", "ii llc", "alibaba cloud", "computing", "sample", "media t1091", "t1497 may", "mitre att", "access ta0001", "replication", "ta0004 process", "injection t1055", "defense evasion", "http requests", "get http", "request", "host", "dns resolutions", "ip traffic", "hashes", "tsara brashears", "red team", "hackers", "highly targeted", "critical risk", "cyberstalking", "apple", "apple ios", "logistics", "cyber defense", "guloader", "hacktool", "emotet", "phishing", "facebook", "malware", "hiddentear", "maze", "server", "domain status", "date", "algorithm", "google llc", "registrar abuse", "registrar", "record type", "ttl value", "aaaa", "whois lookup", "admin country", "ca creation", "dnssec", "markmonitor", "siblings", "whois lookups", "expiration date", "registrar iana", "creation date", "first", "united", "as15169 google", "cname", "status", "virtool", "cryp", "as396982 google", "search", "name servers", "win32", "remote" ], "references": [ "MyChart Phishing Scams", "exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82", "VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64-Trojan/Pakes.Exp", "display_name": "Win64-Trojan/Pakes.Exp", "target": null }, { "id": "Win64:RansomX-gen", "display_name": "Win64:RansomX-gen", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 37, "FileHash-SHA1": 33, "FileHash-SHA256": 3473, "domain": 693, "URL": 4384, "hostname": 1610, "CVE": 2, "email": 3 }, "indicator_count": 10235, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "610 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "666de04fd3531dc0896346a1", "name": "Skynet | Emotet | Nivdort | WhiteSky Communications_SPOOFED | Denver, Co", "description": "ISP of targets very close associate is spoofed. Ad. Full CnC . It's all there. Pulse better NOT be modified. Jeffrey Scott Reimer DPT who allegedly SA'd target hasn't been put under ANY scrutiny, a weakly written police report exists. A very healthy very fit woman who went to physical therapy left with a spinal cord injury, ACM, TBI, central nervous system injuries, separated hips & SI joints due to the great force of 'SA'. A letter from an MD demanded investigation as to how target ended up with injuries she didn't arrive with. Minor injury. Placed at MMI by 1st PT. It was insisted she to go to Reimer. She has a power wheelchair now. Now victim is a suspect needing to be surveilled. PT is now victim of unnamed crime against this 6'3 brut. Hacker Brian Sabey states Reimer hired him. Surveillance, bold confrontations, physically, verbally & cyber attacks need to stop. Countless SA victims probably go through something, but this? Shhhh. Silence please. Reimer needs to live his life.", "modified": "2024-08-14T06:01:01.267000", "created": "2024-06-15T18:41:19.343000", "tags": [ "historical ssl", "referrer", "project skynet", "cyber army", "page dow", "poser", "scammer", "security", "bitfender", "parked", "read c", "search", "show", "high", "unknown", "united", "pe32", "intel", "ms windows", "entries", "copy", "hupigon", "upatre", "explorer", "write", "win32", "malware", "defender", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "urls", "files", "get na", "possible", "sinkhole cookie", "value snkz", "medium", "nivdort", "service", "next", "arbor networks", "pulse pulses", "body", "contact", "date", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "span", "june", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "ip address", "domain", "ip related", "as55293 a2", "status", "as8068", "creation date", "otx telemetry", "emails", "expiration date", "name servers", "america asn", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "win32 exe", "identifier", "info", "dns replication", "technology", "passive", "user", "downloads", "text", "internet files", "storage", "firefox c", "pings c", "written c", "files deleted", "destination ip", "threat roundup", "april", "september", "october", "december", "january", "august", "hr rtd", "bot networks", "listen", "awful", "skynet", "ptls7", "clng", "cdate", "ygjpaufscontext", "flashpix", "bhja", "error resume", "voun2hd", "odx3x33jk9w3", "false", "template", "crash", "emotet", "project", "pe32 executable", "win16 ne", "os2 executable", "generic windos", "executable", "vs2008", "data rticon", "kyrgyz default", "default", "rticon kyrgyz", "info compiler", "products", "vs2005", "header intel", "name md5", "domains", "csc corporate", "com laude", "registrarsafe", "namecheap inc", "psiusa", "domain robot", "ii llc", "hetzner online", "gmbh", "type name", "file type", "kb file", "ip detections", "country", "contacted", "hashes", "file system", "pegasus", "targets sa", "survivor", "matches rule", "virus network", "comcast", "hiddentear", "critical", "installer", "targets tsara brashears", "trojan evader", "trojan malware", "npzk765", "content type", "a domains", "as16276", "body doctype", "public w3cdtd", "xhtml", "xmlns http", "gmt server", "accept", "graph", "http requests", "connect", "dns resolutions", "ip traffic", "remote debian spy", "search debian available space", "hacking", "targeting", "indostealer", "law firm", "showing", "x00x00", "trustinfo", "registry", "external ip", "observed", "administrator", "persistence", "execution", "hallrender", "west domains", "trojan", "memcommit", "pe section", "low software", "packing t1045", "t1045", "pe resource", "jeffrey scott reimer" ], "references": [ "https://whiteskycommunications.com/_Spoofed", "https://otx.alienvault.com/indicator/file/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031", "213.91.128.133 CnC AS 8866 (Vivacom Bulgaria EAD) BG - Miner", "0039ca3853af262af65326399713d4e45340eec4c3ea789be19335f06f090993", "Matches rule PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority Matches rule ET POLICY Cryptocurrency Miner Checkin Matches rule PUA-OTHER Cryptocurrency Miner outbound connection attempt", "https://twitter.com/PORNO_SEXYBABES", "IDS Detections: Win32/Emotet CnC Activity (POST) M9 GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1", "https://otx.alienvault.com/indicator/file/0274c7ffe81ebc6310a2857348a6653d0abbfca780238a854992b7b786bb1d72", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct.html - scrubbed and for sale.", "https://mypornsnap.top/photos/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears thousands of sites surfaced online", "It has taken years to slow the constant malicious DGA domains , they still keep smearing target only.", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/", "https://ladys.one/xxx/a-tsara-brashears-zafira-porn", "http://www.metanetworks.org/tsara-lynn-brashears-dead", "hxxps://onlyindianporn.net/videos/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Infostealer/Win.SmokeLoader.R439087", "display_name": "Infostealer/Win.SmokeLoader.R439087", "target": null }, { "id": "Alibaba Ransom:Win32/StopCrypt", "display_name": "Alibaba Ransom:Win32/StopCrypt", "target": "/malware/Alibaba Ransom:Win32/StopCrypt" }, { "id": "W32.AIDetect.malware2", "display_name": "W32.AIDetect.malware2", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ALF:TrojanSpy:Nivdort", "display_name": "ALF:TrojanSpy:Nivdort", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.RQ!MSR", "display_name": "Trojan:Win32/Glupteba.RQ!MSR", "target": "/malware/Trojan:Win32/Glupteba.RQ!MSR" }, { "id": "Win.Dropper.Tofsee-9799489-0", "display_name": "Win.Dropper.Tofsee-9799489-0", "target": null }, { "id": "Win32:DropperX-gen\\ [Drp]", "display_name": "Win32:DropperX-gen\\ [Drp]", "target": null } ], "attack_ids": [ { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" } ], "industries": [ "Technology", "Telecommunications", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 334, "FileHash-SHA1": 332, "FileHash-SHA256": 2760, "URL": 3080, "domain": 2294, "hostname": 1436, "CVE": 1, "email": 7, "CIDR": 1, "SSLCertFingerprint": 2 }, "indicator_count": 10247, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "613 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cd05cd3c9d0cc0b9ed215f", "name": "Emotet - https://www.gambinospizza.com | Brian Sabey \u2022 HallRender", "description": "\u2022Emotet botnets were observed dropping Trickbot to deliver ransomware payloads against some victims and Qakbot Trojans to steal banking credentials and data from other targets.\n\n\u2022Scammer 'Attorney' Brian Sabey | HallRender associated ; utilizes every form of social engineering to gain full access to phone numbers, email, banking, network, relatives, contacts, PHI, PII, modifies services.\n.", "modified": "2024-04-15T08:03:32.381000", "created": "2024-02-14T18:26:21.427000", "tags": [ "united", "unknown", "status", "sec ch", "as44273 host", "search", "aaaa", "showing", "ch ua", "record value", "ssl certificate", "threat roundup", "contacted", "communicating", "historical ssl", "referrer", "resolutions", "http", "execution", "gopher", "pattern match", "breakpoint", "command decode", "desktop", "base", "gambino", "pizza", "suricata ipv4", "mitre att", "date", "meta", "footer", "february", "general", "model", "comspec", "click", "strings", "main", "brian sabey", "hallrender", "trojan", "worm", "frankfurt", "germany", "asn15169", "google", "asn16509", "amazon02", "asn396982", "kansas city", "franchise url", "gmbh version", "status page", "service privacy", "legal", "impressum", "reverse dns", "general full", "url https", "resource", "hash", "protocol h2", "asn13335", "cloudflarenet", "software", "domains", "hashes", "learn", "issues tab", "value", "variables", "typeof function", "topropertykey", "bricksintersect", "bricksfunction", "domainpath name", "request chain", "chain", "nl page", "url history", "javascript", "page url", "redirected", "poweshell", "bruschettab", "mobsterstageda", "calzonec", "threat analyzer", "threat", "paste", "iocs", "hostnames", "beefpizzac", "superitaliansub", "cname", "msie", "chrome", "asnone united", "as6336 turn", "nxdomain", "whitelisted", "creation date", "turn", "body", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "registrar abuse", "iana id", "registrar url", "registrar whois", "contact email", "registry domain", "contact phone", "dnssec", "code", "type name", "win32 exe", "recreation", "whois record", "infected", "page dow", "poser", "scammer", "security", "malvertizing", "betting", "illegal activity", "linux", "teen porn", "child exploitation", "script urls", "a domains", "as10796 charter", "find your", "next franchise", "x content", "backend", "as13768 aptum", "moved", "passive dns", "urls", "as2635", "as14061", "scan endpoints", "all octoseek", "url http", "pulse pulses", "ip address", "related nids", "files location", "date hash", "avast avg", "nastya", "entries", "emotet", "windows nt", "show", "etpro trojan", "channel", "artemis", "medium", "delete", "copy", "virustotal", "trojan", "write", "trojanproxy", "vipre", "panda", "malware", "malware infection", "dga", "algorithm generated domains", "command and control", "pe32 executable", "tag", "tagging", "porn tagging", "as3356 level", "tahoma arial", "servers", "as1136 kpn", "next", "et", "remote", "confirm http", "sectrack", "openssl", "fulldisc", "secunia", "confirm https", "openssl tls", "multiple", "remote", "misc https", "impact", "heartbleed", "external source", "name hyperlink", "hp hpsbmu02998", "hp hpsbmu03019", "hp hpsbmu03030", "hp hpsbmu03018", "title", "lowfi", "title error", "body doctype", "html public", "w3cdtd html", "html head", "mozilla", "720.282.2025", "masquerading", "ninite feb", "mtb feb", "telper", "trojandropper", "ninite", "create c", "read c", "default", "create", "unicode", "dock", "xport" ], "references": [ "www.gambinospizza.com", "0qMrDxlbqY9THmtdz56XQ2fTe-p9H49lftTmBXmn1WY9Z16q1vJdZdjO5Wnq_Pn3gEAAP__hu8yPQ", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496 \u2022 apps.apple.com", "https://play.google.com/store/apps/details?id=com.e9117073d4e0.www", "targeting.unrulymedia.com \u2022 http://theteenhealthdoc.com", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg \u2022 https://www.hallrender.com/xmlrpc.php?rsd", "https://teenlist.toplistcreator.eu/in.php?nr=15170//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu", "http://fboomporn.com/teens/51826-gloryholeswallow-flora-floras-1st-gloryhole-visit-fullhd-1080p.html \u2022 teenystar18.toplistcreator.eu", "theteenhealthdoc.com \u2022 http://jailbait.toplistcreator.eu/link.php?link=teenystar18.toplistcreator.eu&nr=522 \u2022 franchisefifteen.com", "https://fboomporn.com/engine/opensearch.php \u2022 http://porn.hub-accessories.site/ \u2022 https://pic.porn.hub-accessories.site", "http://porn.toplistcreator.eu/in.php", "ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t\t\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.63", "Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.10", "https://tag.1rx.io/rmp/215626/0/mvo?z=1r&hbv=8.16,2.1\ttag.1rx.io \u2022 192.208.222.110", "http://email.acm.mg.hydrantid.com/c/eJxUyTGygyAQBuDTQMksPyhYULzGe-C6LzCKOoYmt88kXdrvWxPlEJ3TkmygcbQBHrokFk-R4WwexpBl-J8Ce8uygBdeJqtrAsGTdWQB8jA0yQDEL0qMrD", "CVE-2014-0160 \u2022 CVE-2017-11882", "a17-250-248-150.www.bing.com \u2022 appledirectory.www.bing.com", "animate-citadel-t3gbc9x3gzd7invrzh8w00zm.herokudns.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Comspec", "display_name": "Trojan:Win32/Comspec", "target": "/malware/Trojan:Win32/Comspec" }, { "id": "XLS:Nastya\\ [Trj]", "display_name": "XLS:Nastya\\ [Trj]", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Crypt4.YGM", "display_name": "Crypt4.YGM", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Heartbleed Bug", "display_name": "Heartbleed Bug", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 118, "FileHash-SHA1": 106, "domain": 3271, "hostname": 2451, "URL": 8652, "email": 8, "FileHash-SHA256": 3153, "CVE": 4 }, "indicator_count": 17763, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "734 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f4ba867ec44a4dc0e6fc96", "name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com", "description": "Jiuxiu Live - High-quality beauty online video interactive community - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -porn dump. Performed tiny DNS test on affected target. \nDNS stuffing pornography. DNSpionage , custom browser, DNS tunneling encoding data, programs, protocols, DNS queries, responses, amplification attack; perform (DDoS) on server, flood attack, spoofing. Attack. Miles IT & affiliated logging inas target. Pitfall of being compromised for some; you won't speak to legitimate business unless you know & recognize voice. \nSome notations in references.", "modified": "2024-04-13T11:00:32.548000", "created": "2024-03-15T21:15:50.802000", "tags": [ "q htpps", "g htpps", "q https", "virustotal", "exif standard", "tiff image", "msie", "windows nt", "wow64", "slcc2", "media center", "default", "jpeg image", "search", "copy", "code", "write", "pecompact", "february", "packer", "delphi", "win32", "persistence", "execution", "next", "create c", "delete c", "intel", "ms windows", "pe32", "precreate read", "united", "show", "regsetvalueexa", "trojan", "markus", "mozilla", "write c", "json", "entries", "ascii text", "data", "as15169", "error", "malware", "win64", "denmark as32934", "ip hostname", "reverse ip", "lookup country", "as7018 att", "as14618", "as54113", "country code", "as36081 state", "redirect chain", "redirection", "location", "lakewood", "emails", "as name", "ssl certificate", "whois record", "k0pmbc", "spsfsb", "zwdk9d", "vwdzfe", "contacted", "referrer", "ntmzac", "historical ssl", "august", "hacktool", "core", "agent tesla", "emotet", "chaos", "ransomexx", "quasar", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "markmonitor", "epic games", "iana id", "contact phone", "domain status", "registrar whois", "registrar", "win32 exe", "python", "launchres", "win32 dll", "unrealengine", "detections type", "name", "bundled", "ctsu", "smokeloader", "privateloader", "relic", "monitoring", "startpage", "\u7f8e\u5973\u76f4\u64ad", "\u7f8e\u5973\u89c6\u9891", "\u7f8e\u5973\u4e3b\u64ad", "\u89c6\u9891\u804a\u5929", "\u89c6\u9891\u4ea4\u53cb", "\u7f8e\u5973\u4ea4\u53cb", "\u7f8e\u5973\u79c0\u573a", "\u6e05\u7eaf\u7f8e\u5973", "\u6027\u611f\u7f8e\u5973", "\u7f8e\u5973\u4e92\u52a8", "\u7f8e\u5973\u804a\u5929", "\u7f8e\u5973\u5728\u7ebf\u8868\u6f14", "\u7f8e\u5973\u76f4\u64ad\u95f4", "\u7f8e\u5973\u804a\u5929\u5ba4", "icp2021030667", "0110542", "copyright", "rights reserved", "resolutions", "contacted urls", "siblings domain", "siblings", "parent domain", "cname", "whitelisted", "status", "as15169 google", "asnone united", "servers", "aaaa", "body", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "site top", "heur", "alexa top", "safe site", "million", "million alexa", "site safe", "malicious site", "unsafe", "alexa", "riskware", "artemis", "blacknet rat", "quasar rat", "crack", "presenoker", "dapato", "stealer", "phish", "memscan", "nsis", "phishing", "bulz", "maltiverse", "trojanspy", "blacknet", "zbot", "aig", "unknown", "passive dns", "urls", "expiresthu", "gmt path", "scan endpoints", "encrypt", "dynamicloader", "high", "medium", "qaeaav12", "windows", "cape", "windows wget", "suspicious", "powershell", "canvas", "form", "showing", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "cus cnr3", "olet", "l http", "wifi", "wifi access", "wifi hotspot", "wifi internet", "southwest wifi", "inflight", "inflight entertainment", "southwest", "comedy", "internet", "strong", "drama", "google chrome", "business select", "internet access", "apple safari", "book", "rapid", "love", "summer", "poppy", "floyd", "district", "jackson", "kevin", "live", "music", "upgrade", "gift", "lost", "carol", "canada", "cobalt strike", "malicious", "fragtor", "phishing paypal", "mail spammer" ], "references": [ "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Bulz", "display_name": "Bulz", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Fragtor", "display_name": "Fragtor", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8753, "domain": 1525, "hostname": 3740, "FileHash-SHA256": 6746, "FileHash-MD5": 619, "FileHash-SHA1": 509, "SSLCertFingerprint": 3, "CVE": 8, "CIDR": 5, "email": 7 }, "indicator_count": 21915, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f980ad16123b5d52f5f76f", "name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com [Report originated from octoseek]", "description": "", "modified": "2024-04-13T11:00:32.548000", "created": "2024-03-19T12:10:21.291000", "tags": [ "q htpps", "g htpps", "q https", "virustotal", "exif standard", "tiff image", "msie", "windows nt", "wow64", "slcc2", "media center", "default", "jpeg image", "search", "copy", "code", "write", "pecompact", "february", "packer", "delphi", "win32", "persistence", "execution", "next", "create c", "delete c", "intel", "ms windows", "pe32", "precreate read", "united", "show", "regsetvalueexa", "trojan", "markus", "mozilla", "write c", "json", "entries", "ascii text", "data", "as15169", "error", "malware", "win64", "denmark as32934", "ip hostname", "reverse ip", "lookup country", "as7018 att", "as14618", "as54113", "country code", "as36081 state", "redirect chain", "redirection", "location", "lakewood", "emails", "as name", "ssl certificate", "whois record", "k0pmbc", "spsfsb", "zwdk9d", "vwdzfe", "contacted", "referrer", "ntmzac", "historical ssl", "august", "hacktool", "core", "agent tesla", "emotet", "chaos", "ransomexx", "quasar", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "markmonitor", "epic games", "iana id", "contact phone", "domain status", "registrar whois", "registrar", "win32 exe", "python", "launchres", "win32 dll", "unrealengine", "detections type", "name", "bundled", "ctsu", "smokeloader", "privateloader", "relic", "monitoring", "startpage", "\u7f8e\u5973\u76f4\u64ad", "\u7f8e\u5973\u89c6\u9891", "\u7f8e\u5973\u4e3b\u64ad", "\u89c6\u9891\u804a\u5929", "\u89c6\u9891\u4ea4\u53cb", "\u7f8e\u5973\u4ea4\u53cb", "\u7f8e\u5973\u79c0\u573a", "\u6e05\u7eaf\u7f8e\u5973", "\u6027\u611f\u7f8e\u5973", "\u7f8e\u5973\u4e92\u52a8", "\u7f8e\u5973\u804a\u5929", "\u7f8e\u5973\u5728\u7ebf\u8868\u6f14", "\u7f8e\u5973\u76f4\u64ad\u95f4", "\u7f8e\u5973\u804a\u5929\u5ba4", "icp2021030667", "0110542", "copyright", "rights reserved", "resolutions", "contacted urls", "siblings domain", "siblings", "parent domain", "cname", "whitelisted", "status", "as15169 google", "asnone united", "servers", "aaaa", "body", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "site top", "heur", "alexa top", "safe site", "million", "million alexa", "site safe", "malicious site", "unsafe", "alexa", "riskware", "artemis", "blacknet rat", "quasar rat", "crack", "presenoker", "dapato", "stealer", "phish", "memscan", "nsis", "phishing", "bulz", "maltiverse", "trojanspy", "blacknet", "zbot", "aig", "unknown", "passive dns", "urls", "expiresthu", "gmt path", "scan endpoints", "encrypt", "dynamicloader", "high", "medium", "qaeaav12", "windows", "cape", "windows wget", "suspicious", "powershell", "canvas", "form", "showing", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "cus cnr3", "olet", "l http", "wifi", "wifi access", "wifi hotspot", "wifi internet", "southwest wifi", "inflight", "inflight entertainment", "southwest", "comedy", "internet", "strong", "drama", "google chrome", "business select", "internet access", "apple safari", "book", "rapid", "love", "summer", "poppy", "floyd", "district", "jackson", "kevin", "live", "music", "upgrade", "gift", "lost", "carol", "canada", "cobalt strike", "malicious", "fragtor", "phishing paypal", "mail spammer" ], "references": [ "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Bulz", "display_name": "Bulz", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Fragtor", "display_name": "Fragtor", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [], "TLP": "white", "cloned_from": "65f4ba867ec44a4dc0e6fc96", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8753, "domain": 1525, "hostname": 3740, "FileHash-SHA256": 6746, "FileHash-MD5": 619, "FileHash-SHA1": 509, "SSLCertFingerprint": 3, "CVE": 8, "CIDR": 5, "email": 7 }, "indicator_count": 21915, "is_author": false, "is_subscribing": null, "subscriber_count": 235, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65ea56ae1992b02a25aa5c51", "name": "TrojanSpy:Win32/Nivdort | Affected OTX accounts | Yotta Network", "description": "Part II -Some users OTX accounts connected to the following | Unexpected revelation | A group of hackers masquerading as attorneys, government officials, advocates, fake nsa, security professional, help desk, etc. I don't know the association with otx.alienvault. Unauthorized logins OTX users. accounts. Deleted and modified pulses, etc. Needs further research for me to fully understand.", "modified": "2024-04-06T23:03:19.046000", "created": "2024-03-08T00:07:10.521000", "tags": [ "methodpost", "threat", "iocs", "urls http", "samples", "cnc", "phishing", "ransom", "emotet", "fraud services", "command _and_control", "trojan", "scanning host", "active threat", "malicious", "date hash", "avast avg", "susp", "win32", "paste", "hostnames", "http response", "final url", "ip address", "status code", "body length", "b body", "headers date", "connection", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "ovh sas", "export", "summary iocs", "graph community", "limited", "yotta network", "gvb gelimed", "kb microsoft", "indonesia", "kyriazhs1975", "vj79", "bc https", "rexxfield", "brian sabey", "as21342", "united", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "urls", "msie", "chrome", "creation date", "search", "dnssec", "entries", "body", "date", "as63949 linode", "mtb feb", "checkin m1", "gmt content", "type", "encrypt", "trojan", "artro", "moved", "pulse pulses", "yotta data", "yotta", "private limited", "india", "limited yotta", "number", "as140641", "network", "facebook", "info", "cisco umbrella", "site", "alexa top", "site top", "million", "safe site", "million alexa", "site safe", "cobalt strike", "malicious url", "blacknet rat", "union", "vidar", "malware", "stealer", "bank", "alexa", "deepscan", "phishing", "team", "super", "blacknet", "babar", "detection list", "blacklist http", "sample", "submission", "history first", "analysis", "utc http", "response final", "url http", "kb body", "path", "as396982 google", "bq mar", "win32cve mar", "exploit", "virtool", "status", "name servers", "emails", "servers", "next", "files", "as44273 host", "germany unknown", "expiration date", "showing", "win32upatre mar", "milehighmedia", "ids detections", "possible fake", "av checkin", "initial checkin", "checkin", "utah data", "center", "june", "data center", "responsible", "nsa utah", "march", "closeup view", "july", "view", "february", "prism", "cascade", "darpa", "twitter", "as20940", "aaaa", "as16625 akamai", "nxdomain", "whitelisted", "domain", "as54113", "msil", "cryp", "files show", "entries related", "domains", "as15169 google", "gmt cache", "sameorigin", "trojandropper", "asnone united", "title error", "porkbun", "mtb mar", "trojanspy", "installer", "loader", "hijacker", "targeting", "as30456", "sec ch", "for privacy", "ch ua", "hash avast", "avg clamav", "msdefender mar", "lowfi", "dns replication", "ip detections", "country", "contacted", "graph", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "file size", "open threat", "learn", "html info", "exchange meta", "tags twitter", "alienvault", "script tags", "iframe tags", "google tag", "manager anchor", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "google", "amazon ec2", "email", "city", "server", "amazon data", "amazon", "code", "form", "po box", "tech", "show", "description ype", "collections", "partru", "execution", "fake host" ], "references": [ "Part II -Some users OTX accounts connected to the following | Unexpected revelation |", "Title Salzburg Airport | Public Operations Display Portal | http://quantum.emsbk.com/", "go.sabey.com | sabey.com | smear.cloud | w1.voyeurweb.com | Never stops...", "https://www.milehighmedia.com/legal/2257", "http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len", "http://schoolcare.dyndns.org/soap/ISCKeyUpdater", "http://callenjoy.net/index.php | watchhers.net | emails.redvue.com | nexus.devnautiluscloud.net | http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len", "http://45.159.189.105/bot/regex | http://46.109.184.5/search.htm | http://acycseiiqsau.org/ | emsbk.innocraft.cloud | jenkins.devnautiluscloud.net |", "hostmaster.hostmaster.hostmaster.cartography.midst.co.uk | message.htm.com | quantum.emsbk.com http://cms.static.hw.famedownload.com/famedigital/m/", "http://cms.static.hw.famedownload.com/famedigital/m/1b6j9enlerq8k4g8/header-big8.jpg", "CnC IP's: 104.200.21.37 | 106.14.226.91 | 192.187.111.221 | 198.58.118.167 | 208.100.26.245 | 34.174.78.212", "Cookies AWSALB h0mLG52+gDNUdBHb468xx6EZCua7FVRvlZWH7URKSKV27WSs637El46CBcw8RmPBxIAT2jqmmByDbnMIsYobUWhWbNadYFsxVQk/gVDcDfdixV/5aQn0VRon9gXO", "https://nsa.gov1.info/utah-data-center", "https://softwaremill.com/grpc-vs-rest/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Arab Emirates" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null }, { "id": "#Lowfi:LUA:AutoItV3CraftedOverlay", "display_name": "#Lowfi:LUA:AutoItV3CraftedOverlay", "target": null }, { "id": "Crypt3.BWVY", "display_name": "Crypt3.BWVY", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "Dropper.Generic_r.EC", "display_name": "Dropper.Generic_r.EC", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "ALF:Trojan:Win32/Zbot", "display_name": "ALF:Trojan:Win32/Zbot", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1605", "name": "Command-Line Interface", "display_name": "T1605 - Command-Line Interface" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6765, "FileHash-MD5": 688, "FileHash-SHA1": 422, "FileHash-SHA256": 3169, "domain": 2171, "hostname": 1714, "email": 11, "CVE": 2, "CIDR": 2 }, "indicator_count": 14944, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "742 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eadaae65b9123721198d08", "name": "Nivdort | Affected OTX accounts | Yotta Network (Cloned OTX user)", "description": "", "modified": "2024-04-06T23:03:19.046000", "created": "2024-03-08T09:30:22.295000", "tags": [ "methodpost", "threat", "iocs", "urls http", "samples", "cnc", "phishing", "ransom", "emotet", "fraud services", "command _and_control", "trojan", "scanning host", "active threat", "malicious", "date hash", "avast avg", "susp", "win32", "paste", "hostnames", "http response", "final url", "ip address", "status code", "body length", "b body", "headers date", "connection", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "ovh sas", "export", "summary iocs", "graph community", "limited", "yotta network", "gvb gelimed", "kb microsoft", "indonesia", "kyriazhs1975", "vj79", "bc https", "rexxfield", "brian sabey", "as21342", "united", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "urls", "msie", "chrome", "creation date", "search", "dnssec", "entries", "body", "date", "as63949 linode", "mtb feb", "checkin m1", "gmt content", "type", "encrypt", "trojan", "artro", "moved", "pulse pulses", "yotta data", "yotta", "private limited", "india", "limited yotta", "number", "as140641", "network", "facebook", "info", "cisco umbrella", "site", "alexa top", "site top", "million", "safe site", "million alexa", "site safe", "cobalt strike", "malicious url", "blacknet rat", "union", "vidar", "malware", "stealer", "bank", "alexa", "deepscan", "phishing", "team", "super", "blacknet", "babar", "detection list", "blacklist http", "sample", "submission", "history first", "analysis", "utc http", "response final", "url http", "kb body", "path", "as396982 google", "bq mar", "win32cve mar", "exploit", "virtool", "status", "name servers", "emails", "servers", "next", "files", "as44273 host", "germany unknown", "expiration date", "showing", "win32upatre mar", "milehighmedia", "ids detections", "possible fake", "av checkin", "initial checkin", "checkin", "utah data", "center", "june", "data center", "responsible", "nsa utah", "march", "closeup view", "july", "view", "february", "prism", "cascade", "darpa", "twitter", "as20940", "aaaa", "as16625 akamai", "nxdomain", "whitelisted", "domain", "as54113", "msil", "cryp", "files show", "entries related", "domains", "as15169 google", "gmt cache", "sameorigin", "trojandropper", "asnone united", "title error", "porkbun", "mtb mar", "trojanspy", "installer", "loader", "hijacker", "targeting", "as30456", "sec ch", "for privacy", "ch ua", "hash avast", "avg clamav", "msdefender mar", "lowfi", "dns replication", "ip detections", "country", "contacted", "graph", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "file size", "open threat", "learn", "html info", "exchange meta", "tags twitter", "alienvault", "script tags", "iframe tags", "google tag", "manager anchor", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "google", "amazon ec2", "email", "city", "server", "amazon data", "amazon", "code", "form", "po box", "tech", "show", "description ype", "collections", "partru", "execution", "fake host" ], "references": [ "Part II -Some users OTX accounts connected to the following | Unexpected revelation |", "Title Salzburg Airport | Public Operations Display Portal | http://quantum.emsbk.com/", "go.sabey.com | sabey.com | smear.cloud | w1.voyeurweb.com | Never stops...", "https://www.milehighmedia.com/legal/2257", "http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len", "http://schoolcare.dyndns.org/soap/ISCKeyUpdater", "http://callenjoy.net/index.php | watchhers.net | emails.redvue.com | nexus.devnautiluscloud.net | http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len", "http://45.159.189.105/bot/regex | http://46.109.184.5/search.htm | http://acycseiiqsau.org/ | emsbk.innocraft.cloud | jenkins.devnautiluscloud.net |", "hostmaster.hostmaster.hostmaster.cartography.midst.co.uk | message.htm.com | quantum.emsbk.com http://cms.static.hw.famedownload.com/famedigital/m/", "http://cms.static.hw.famedownload.com/famedigital/m/1b6j9enlerq8k4g8/header-big8.jpg", "CnC IP's: 104.200.21.37 | 106.14.226.91 | 192.187.111.221 | 198.58.118.167 | 208.100.26.245 | 34.174.78.212", "Cookies AWSALB h0mLG52+gDNUdBHb468xx6EZCua7FVRvlZWH7URKSKV27WSs637El46CBcw8RmPBxIAT2jqmmByDbnMIsYobUWhWbNadYFsxVQk/gVDcDfdixV/5aQn0VRon9gXO", "https://nsa.gov1.info/utah-data-center", "https://softwaremill.com/grpc-vs-rest/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Arab Emirates" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null }, { "id": "#Lowfi:LUA:AutoItV3CraftedOverlay", "display_name": "#Lowfi:LUA:AutoItV3CraftedOverlay", "target": null }, { "id": "Crypt3.BWVY", "display_name": "Crypt3.BWVY", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "Dropper.Generic_r.EC", "display_name": "Dropper.Generic_r.EC", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "ALF:Trojan:Win32/Zbot", "display_name": "ALF:Trojan:Win32/Zbot", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1605", "name": "Command-Line Interface", "display_name": "T1605 - Command-Line Interface" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology", "Financial" ], "TLP": "white", "cloned_from": "65ea56ae1992b02a25aa5c51", "export_count": 63, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6765, "FileHash-MD5": 688, "FileHash-SHA1": 422, "FileHash-SHA256": 3169, "domain": 2171, "hostname": 1714, "email": 11, "CVE": 2, "CIDR": 2 }, "indicator_count": 14944, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "742 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5c5ebba25ca46fc5b36bc", "name": "NSO Group Pegasus spyware found attack a US citizen. Silencing", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\n\u2022NSO Group develops best-in-class technology to help government agencies detect and prevent terrorism and crime.\n\u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. \nNon terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:11:39.752000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "msie", "chrome", "certificate", "hostname", "url analysis", "http response", "final url", "status code", "body length", "b body", "sha256", "headers date", "connection", "date sat", "html info", "forbidden", "google tag", "utc aw741566034", "utc redirection", "asnone united", "as54113", "cname", "script urls", "as19527 google", "as35280 acorus", "encrypt", "reverse dns", "location dublin", "domain name", "emails", "as23724", "as4812 china", "china", "win32mydoom jan", "ransom", "worm", "as4808 china", "browse scan", "endpoints all", "login", "sign up", "tulach", "c-67-181-73-197.hsd1.ca.comcast.net", "social engineering", "contact made by mark brian sabey", "contact made by o'dea", "benjamin c" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4655, "URL": 9981, "FileHash-MD5": 219, "FileHash-SHA1": 213, "FileHash-SHA256": 6722, "hostname": 4341, "CVE": 2, "email": 12, "BitcoinAddress": 3 }, "indicator_count": 26148, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "753 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5cbadc21b9891c459b9d2", "name": "NSO Group Pegasus spyware used nefariously", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:36:13.975000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4226, "URL": 9995, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6882, "hostname": 4402, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 25999, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "753 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5cbbbcb7a479db222f053", "name": "NSO Group Pegasus spyware used nefariously", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:36:27.745000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4226, "URL": 9996, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6882, "hostname": 4402, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 26000, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "753 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a39f005c7f0a1c1eb33125", "name": "Formbook", "description": "FormBook is a data stealer that is being distributed as a MaaS. FormBook is available in the dark web market as a Malware-as-Service.\n I n known situations targets were contacted by bad actors via social media accounts Twitter & Facebook.", "modified": "2024-03-21T10:00:24.070000", "created": "2024-01-14T08:44:48.297000", "tags": [ "ssl certificate", "contacted", "execution", "ah6itbtgl", "whois record", "historical ssl", "referrer", "subdomains", "resolutions", "formbook", "threat roundup", "malware", "metro", "social engineering", "jansky", "script urls", "a domains", "united", "search", "date", "script domains", "creation date", "record value", "showing", "unknown", "meta", "body", "encrypt", "as63949 linode", "as41357", "united kingdom", "scan endpoints", "all octoseek", "domain", "pulse submit", "url analysis", "server", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "email", "registry domain", "win32 exe", "javascript", "eqsray", "zip blaze", "ms excel", "detections type", "name", "text", "csv order", "files", "microsoft", "dns replication", "bt6lcuigydc9yc", "jxaavf4jnzza0", "submission", "community score", "no security", "graph api", "status", "content type", "xcitium verdict", "cloud marketing", "history first", "thebrotherssabey", "passive dns", "gmt content", "plesklin", "ipv4", "pulse pulses", "urls", "vbs", "data center", "reverse dns", "first", "utc submissions", "submitters", "bbonline uk", "namecheap inc", "summary iocs", "graph community", "ionos se", "keysystems gmbh", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "sabey", "all search", "otx octoseek", "url http", "http", "hostname", "files domain", "msie", "chrome", "expiration date", "next", "whois lookup", "dnssec", "domain name", "abuse contact", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "cname", "as44273 host", "ip address" ], "references": [ "appleremote.net", "CnC 103.224.182.241 | 188.240.191.162 | 207.148.248.143 | 70.32.23.111", "FormBook", "FileHash-SHA256 3072c32dcb5754e08282a8ce2c7c60d93a5ad2ee3ae216d23c94b1f536471acc", "http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "http://t.go.leadthrottle.com/ls/click?upn=QhIPT8KEOABIXMIAxwxPqJ280BBgOcomwXzYntjGICKScv8M4tWQQv4cQuNEja5M44qD_uKOrj1xe-2BYklVyDerLi-2F8mevEGdJeLwCcy3wsiM69F4EC3HAQoZ582VU8uxrVcciNra6YszFQV9gxv53c9iiXOjTuuW-2Fx2QeRPLTofIbYdsrV0aHfkFFhlixBU98mWJE7J0sEjKal1RV6nobxwnEeiVnye8NmQRJx-2FU9UfSEgWQJkTRSj9fP71LBPXBfsc8hOmZFtxOK0v3NQPflOZaAcy5iWdp2hFJGs4seKW1H2KrW5ufvec0BQBd1-2BT0vkNMAbCRhYmaLIAIyjw8lLFewDKeh7z1Ab1irO0L76m8UtAPp2ggxJTpeu-2BTpA0DNS2YtJw0V8Ucha5zN7OgSKumBbxxQEaK8UUm3ZjUVbsX-2Fyv-2B-2BteXtCeZE-2FzL3wmcIL" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1708, "hostname": 1920, "domain": 2221, "URL": 4822, "FileHash-MD5": 100, "FileHash-SHA1": 119, "email": 2, "CIDR": 1 }, "indicator_count": 10893, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "759 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cae8b43072d177d592feb0", "name": "Astaroth Trojan found in: https://house.mo.gov link", "description": "Impact of the Astaroth Trojan\nOnce the campaign has successfully infiltrated, it will log the users keystrokes, intercept their operating system calls, and gather any information saved to the clipboard continuously. With these methods, it uncovers significant amounts of personal information from the user bank accounts and business accounts. Additionally, in conjunction with NetPass, it gathers user login passwords across the board undetected, including any of their remote computers on LAN, mail account passwords, Messenger accounts, Internet Explorer passwords, and others.", "modified": "2024-03-14T03:01:16.126000", "created": "2024-02-13T03:57:40.057000", "tags": [ "ssl certificate", "whois record", "contacted", "bundled", "january", "communicating", "execution", "phishing page", "cyberstalking", "apple ios", "february", "phishing", "crat", "metro", "life", "core", "hacktool", "bitrat", "malicious", "mallox", "lolkek", "emotet", "pe resource", "threat roundup", "roundup", "astaroth", "august", "tsara brashears", "workers", "aaaa", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cngts", "ogoogle trust", "llc validity", "subject public", "key info", "key algorithm", "data redacted", "redacted for", "domain status", "code", "privacy billing", "privacy tech", "privacy admin", "postal code", "city", "date", "dns replication", "siblings", "server", "pty ltd", "registrar abuse", "wholesale pty", "tpp wholesale", "registry domain", "registrar url", "malvertizing", "pega related attack", "mo", "gov", "msie", "chrome", "status", "search", "passive dns", "urls", "record value", "name servers", "unknown", "body", "next", "trojan", "scanning host", "exploit source", "cnc", "command and control", "united", "domain", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "files", "hallgrand", "brian sabey", "hello", "reinsurance", "remote", "rat", "cyber threat", "targeting" ], "references": [ "Pulse of: hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev", "Found in: http://house.mo.gov/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing & apple collection]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple iOS unlocker password decryption]", "nr-data.net [Apple Private Data Collection]", "30597972.bhclick.com", "http://ns2.hallgrandsale.ru/", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [AIG- data collection]", "https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Astaroth", "display_name": "Astaroth", "target": null }, { "id": "BitRAT", "display_name": "BitRAT", "target": null }, { "id": "CRAT", "display_name": "CRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Mallox", "display_name": "Mallox", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [], "industries": [ "Government", "Media", "Civil Society", "Technology", "Telecommunications", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1230, "URL": 4748, "FileHash-MD5": 161, "FileHash-SHA1": 161, "FileHash-SHA256": 2548, "domain": 1261, "CVE": 1, "email": 7 }, "indicator_count": 10117, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65caca061fbb7674de86ec7b", "name": "Invicta Stealer", "description": "Invicta Stealer is equipped to steal data from most locations of a system which makes it a dangerous threat.\nLink found in https://house.mo.com", "modified": "2024-03-14T01:01:47.115000", "created": "2024-02-13T01:46:46.969000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "resolutions", "communicating", "whois whois", "subdomains", "referrer", "problems", "core", "startpage", "june", "passive dns", "urls", "domain", "otx telemetry", "body", "gmt content", "x adblock", "scan endpoints", "all octoseek", "hostname", "date", "encrypt", "threat roundup", "october", "november", "march", "february", "apple ios", "april", "tsara brashears", "copy", "hacktool", "phishing", "metro", "crypto", "installer", "awful", "united", "unknown", "germany unknown", "search", "servers", "registrar", "name servers", "status", "next", "moved", "address", "creation date", "showing", "ipv4", "pulse submit", "url analysis", "accept", "aaaa", "record type", "ttl value", "html document", "ascii text", "anchor hrefs", "hrefs", "anchor", "anchor href", "threat", "paste", "iocs", "analyze", "hostnames", "url https", "sample", "server", "code", "registry domain", "dnssec", "registrar url", "registrar whois", "iana id", "registrar abuse", "tech email", "fake update", "utilizes new", "idat loader", "stealc", "urls http", "isadultno", "adposbottom", "adformatplain", "adnetworks", "quasar rat", "ip detections", "country", "cellbrite", "execution", "pegasus", "malware", "agent tesla", "attack", "ukraine", "silent", "invicta stealer", "redline stealer", "orcus rat", "files", "germany asn", "as196763", "a domains", "redacted for", "record value", "for privacy", "emails", "name", "contacted urls", "bundled", "de indicators", "domains", "hashes", "gmbh version", "status page", "service privacy", "legal", "impressum", "pulse pulses", "location united", "open", "cookie", "customer", "0 report", "sea alt", "certificate", "#targeting", "#discordwallets", "house.mo.gov" ], "references": [ "https://www.facebooksunglassshop.com/", "CVE-2017-0147 \u2022 CVE-2023-4966 \u2022 CVE-2023-22518", "https://ispy-official.com/ X Cache: Redirect from cloudfront Via: 1.1 030fe0607711293dda988e571617a9f2.cloudfront.net CloudFront X Amz Cf", "Pop: HIO50 C1 X Amz Cf Id: Jt aBPO2nI3Nt D0E4nzqpun66btDLhJ41kQwhDASrIukoWyUOWE1w==", "apple.com-auth.eu [Find apple] | https://applemusic-spotlight.myunidays.com/US/en-US? [compromise via apple media]", "http://init-p01st.push.apple.com/bag [= Google.com.uy modified browser - malicious] apple.com-auth.eu \u2022 appleid.apple.com-auth.eu\u2022", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [apple media compromise. Pega behavior?]", "all-live.secure2storeapple.xxianzi.com \u2022 https://www.symbios.pk/apple-ipod-5-32gb", "http://m.xiang5.com/keyword/17655.html&ht=%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%8D%E8%B4%B9%E9%98%85%E8%AF%BB_%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%A8%E6%9C%AC%E6%97%A0%E5%BC%B9%E7%AA%97-%E9%A6%99%E7%BD%91%E5%B0%8F%E8%AF%B4%E6%89%8B%E6%9C%BA%E7%89%88&uaddr=https:/www.sogou.com/link?url=58p16RfDRLtDzo-0AEmfJoGs8rDRUEq4ejjohgXqBYnQGuHk6xSRXg..&h=1080&w=1920&cd=24&lg=zh-CN&ua=mozilla/5.0%20(windows%20nt%2010.0;%20win64;%20x64)%20", "Tracking: mailtrack.io \u2022 nr-data.net \u2022 tracking.bullseyeedu.com \u2022 https://smtp.mail.pentrack.com \u2022 tracking.vetsindexes.com", "Remote threats: http://watchhers.net/index.php \u2022 http://eye.infunvip.com/appinterface/other/login.remote", "https://plussizedesi.com/wp-content/uploads/2022/07/SniperGhostWarrior2BlackBox_Version_Download_INSTALL.pdf", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password decryption]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 apple collection]", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev", "edgedl.me.gvt1.com", "Link found in https://house.mo.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Invicta Stealer", "display_name": "Invicta Stealer", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "Orcus RAT", "display_name": "Orcus RAT", "target": null }, { "id": "Silent", "display_name": "Silent", "target": null } ], "attack_ids": [], "industries": [ "Government", "Civil Society", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 145, "FileHash-SHA256": 3848, "CVE": 3, "URL": 8291, "domain": 2541, "hostname": 3034, "email": 13 }, "indicator_count": 18028, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c91f2b7c03b480379ae4d1", "name": "Pegasus - https://house.mo.gov/ | Brian Sabey HallRender", "description": "1st time researching https://house.mo.gov/ & house.mo.gov. False arrest records of a target originated from Missouri. A glitch delete pulses & references in bulk.\nPegasus is the should be illegal. Destroying evidence of a truth that would be believed if heard. Spying for dirt to discredit. Target heavily deterred by cyber warfare, healthcare fraud, injuries, financial difficulties due to hacked away businesses, strange shadowy government abused, in person stalking, threats and physical attacks, denied disability with a spinal cord injury?\nhttps://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "modified": "2024-03-12T15:03:06.954000", "created": "2024-02-11T19:25:31.451000", "tags": [ "united", "as393601 state", "a domains", "passive dns", "as397241", "certificate", "urls", "search", "showing", "entries", "algorithm", "full name", "data", "v3 serial", "number", "cus cndigicert", "global g2", "tls rsa", "sha256", "ca1 odigicert", "info", "record type", "ttl value", "all txt", "ssl certificate", "whois record", "contacted", "referrer", "resolutions", "historical ssl", "communicating", "problems", "parent domain", "njrat", "ransomware", "startpage", "historical", "malware", "execution", "threat roundup", "april", "september", "remcos rat", "august", "june", "qakbot", "push", "service", "privateloader", "amadey", "powershell", "qbot", "cobalt strike", "core", "hacktool", "november", "october", "roundup", "threat network", "cellbrite", "february", "emotet", "maze", "metro", "dark", "malicious", "team", "critical", "copy", "awful", "parallax rat", "banker", "keylogger", "dns replication", "date", "csc corporate", "domains", "code", "server", "registrar abuse", "registrar iana", "registry domain", "registrar url", "registrar", "contact phone", "apple ios", "quasar", "remcos", "ursnif", "chaos", "ransomexx", "azorult", "agent tesla", "evilnum", "asyncrat", "win32 exe", "wininit", "beta version", "cmstp", "taskscheduler", "ieudinit", "nat32", "certsentry", "type name", "wc3 rpg", "pegasus", "unknown", "domain", "servers", "germany unknown", "name servers", "status", "next", "as29066 host", "as133618", "cname", "as47846", "scan endpoints", "all octoseek", "pulse pulses", "encrypt", "china unknown", "as38365 beijing", "as134175 unit", "707713", "hong kong", "virgin islands", "as6461 zayo", "ransom", "exploit", "ipv4", "pulse submit", "url analysis", "trojan", "body", "click", "creation date", "emails", "expiration date", "domain privacy", "hostname", "dynamicloader", "state", "medium", "msie", "windows nt", "wow64", "show", "slcc2", "media center", "error", "delphi", "guard", "write", "win32", "target", "redir", "facebook", "dcom", "local", "delete", "utf8", "unicode text", "crlf line", "rgba", "yara detections", "default", "asnone", "get na", "dns lookup", "probe ms17010", "eternalblue", "playgame", "high", "related pulses", "yara rule", "anomalous file", "dynamic", "malware infection", "cnc", "procmem_yara", "antivm_generic_disk", "modify_proxy infostealer_cookies", "network_http", "anomalous_deletefile", "antidebug_guardpages", "powershell_request", "powershell_download", "as63949 linode", "mtb feb", "open ports", "backdoor", "gmt content", "trojandropper", "simda", "lockbit", "win.trojan", "midia-4", "floxif", "cryptowall", "brontok", "check in", "record value", "files", "location united", "america asn", "as16509", "download", "threat", "paste", "iocs", "analyze", "hostnames", "urls http", "samples", "tsara brashears", "2nd corintnthians 4:8-9", "injection_inter_process", "injection_create_remote_thread", "persistence_autorun", "bypass_firewall", "disables_windowsupdate", "dynamic_function_loading", "http_request", "query", "delete c", "activity dns", "components", "file execution", "observed dns", "as4837 china", "nxdomain", "a nxdomain", "wannacry", "missouri", "safebae", "hallrender", "house.mo.gov", "typosquatting", "tactics", "google", "win64", "khtml", "gecko", "veryhigh", "aes256gcm", "dalles", "cookie", "urls https", "xpcegvo2adsnq", "mhkz", "mvi2", "keepaliveyes", "fexp24007246", "nsyt", "eva reimer", "daisy coleman", "brian sabey", "https://lawlink.com/documents/10935/blackbag-technologies-announ" ], "references": [ "https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov", "dns.msftncsi.com", "NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184", "Target\u2193\u2192 Tsara Brashears: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "23.216.147.64", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]", "http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]", "alohatube.xyz [BotNetwork]", "facebooksunglassshop.com", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4", "oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev", "http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/", "government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org", "https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html", "remote.utorrent.com [remote router logins]", "Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com", "http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online", "http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com", "http://tvm77.fashiongup.in/tracking/track-open", "https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg", "http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/", "hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com", "http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208", "https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com", "safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/", "https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com", "https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4", "Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js", "Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]", "Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store", "https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]", "http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt", "sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "China", "Australia", "Hong Kong" ], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "EVILNUM", "display_name": "EVILNUM", "target": null }, { "id": "Dark", "display_name": "Dark", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Keylogger", "display_name": "Keylogger", "target": null }, { "id": "Maze", "display_name": "Maze", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "Parallax RAT", "display_name": "Parallax RAT", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Remcos RAT", "display_name": "Remcos RAT", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Win.Trojan.Agent-336074", "display_name": "Win.Trojan.Agent-336074", "target": null }, { "id": "Arid.Viper_CnC", "display_name": "Arid.Viper_CnC", "target": null }, { "id": "WininiCrypt", "display_name": "WininiCrypt", "target": null }, { "id": "PWS:Win32/QQpass.CI", "display_name": "PWS:Win32/QQpass.CI", "target": "/malware/PWS:Win32/QQpass.CI" }, { "id": "Win.Trojan.Midia-4", "display_name": "Win.Trojan.Midia-4", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Win32/SocStealer!rfn", "display_name": "Win32/SocStealer!rfn", "target": null }, { "id": "Backdoor.Win32.Shiz.ufj", "display_name": "Backdoor.Win32.Shiz.ufj", "target": null }, { "id": "Email-Worm.Win32.Brontok.n", "display_name": "Email-Worm.Win32.Brontok.n", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 148, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1373, "FileHash-SHA1": 1174, "FileHash-SHA256": 6417, "URL": 4264, "domain": 2304, "hostname": 2413, "CVE": 4, "email": 15, "CIDR": 1 }, "indicator_count": 17965, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "768 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c5e50dda752af9eab50933", "name": "Side 3 Studios Pegasus Attack Denver, Co \u2022 SkyNet BotNetwork", "description": "Pegasus abuse by an alleged legal team with the malware hosting DGA domain https://hallrender.com. Related to an ongoing attack by a M.Brian Sabey who has fixated on a non criminal target. It's frightening to see the carelessness of the Cellebrite tool at work. \nAccording to all written accounts Side 3 provides services to Grammy award winning, nominated and aspiring artists. If you're heard of them , they've recorded there. There is evidence of music file transfers possibly, illegally sold to well known artist. This may have been done without knowledge of studio representatives. More likely by a hacker who boldly informed.", "modified": "2024-03-10T08:03:07.690000", "created": "2024-02-09T08:40:45.976000", "tags": [ "malware", "pegasus", "cellbrite", "targets sa", "survivor", "referrer", "contacted urls", "contacted", "whois record", "hr rtd", "execution", "ssl certificate", "communicating", "skynet", "malicious", "csc corporate", "domains", "code", "t services", "date", "saint louis", "server", "registrar abuse", "whois lookups", "tech email", "threat roundup", "july", "march", "june", "files", "august", "phishing", "service", "amadey", "blacknet rat", "roundup", "magecart", "powershell", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "gmt vary", "gmt connection", "link", "studio", "side", "studios", "downtown denver", "colorado", "studios og", "html info", "title denver", "studios meta", "tags og", "hallrender", "mark brian sabey", "tulach", "passive dns", "urls", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "domain", "files ip", "united", "as36646 oath", "unknown", "body doctype", "yahoo title", "x ua", "ieedge chrome1", "possible", "as19137 epsilon", "ipv4", "pulse pulses", "body", "headers nel", "contentencoding", "connection", "access control", "search", "address", "domain robot", "record value", "next", "parking crew", "tracking", "tsara brashears", "targeting", "as20940", "aaaa", "as714 apple", "as16625 akamai", "win32mydoom feb", "name servers", "as6185 apple", "creation date", "trojan", "virtool", "worm", "servers", "expiration date", "moved", "certificate", "showing", "entries" ], "references": [ "adsl-074-168-130-217.sip.pns.bellsouth.net", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://www.cibc.ca/en/personal-banking/bank-accounts/savings-accounts/bonus-savings.htm", "http://iv-u15.com/category/uncensored-leaked [ BitDefender: Porn \u2022 Xcitium: Verdict Cloud illegal software \u2022 Forcepoint: ThreatSeeker adult content]", "Found in: https://side3.com/ \u2022 https://side3.com/wp-json/ \u2022 https://side3.com/wp-json/wp/v2/pages/9 \u2022 https://side3.com/xmlrpc.php \u2022 side3.com \u2022 https://side3.com/wp-content/uploads/2015/07/favicon.ico.gif \u2022 https://www.facebook.com/side3studios", "CnC IP's: 20.103.85.33 \u2022 213.91.128.13 \u2022 74.6.143.25 \u2022 74.6.143.26 \u2022 74.6.231.20 \u2022 74.6.231.21", "https://otx.alienvault.com/indicator/ip/74.6.231.21", "nr-data.net [Apple Private Data Collection]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Tracking. Transactional agreement]", "mail.secure2.store.apple.com [vprsecure.com \u2022 Worm:Win32/Mydoom]" ], "public": 1, "adversary": "NSO GROUP", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3263, "FileHash-MD5": 133, "FileHash-SHA1": 125, "FileHash-SHA256": 2596, "domain": 1168, "hostname": 1877, "CVE": 2, "email": 6 }, "indicator_count": 9170, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "770 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be56d257bb241c4fa3f68d", "name": "AZORult CnC", "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares", "modified": "2024-03-04T14:03:17.574000", "created": "2024-02-03T15:08:02.291000", "tags": [ "ssl certificate", "whois record", "threat roundup", "whois whois", "january", "historical ssl", "referrer", "april", "resolutions", "siblings domain", "march", "february", "obz4usfn0 http", "problems", "threat network", "infrastructure", "st201601152", "startpage", "iframe", "united", "unknown", "search", "showing", "united kingdom", "creation date", "aaaa", "cname", "scan endpoints", "all octoseek", "date", "next", "script urls", "soa nxdomain", "link", "xml title", "portugal", "domain", "status", "expiration date", "pulse pulses", "as44273 host", "domain robot", "as61969 team", "body", "as8075", "netherlands", "servers", "emails", "duo insight", "type", "asnone united", "name servers", "germany unknown", "passive dns", "as14061", "as49453", "lowfi", "a domains", "urls", "privacy inc", "customer", "trojandropper", "dynamicloader", "default", "medium", "entries", "khtml", "download", "show", "activity", "http", "copy", "write", "malware", "adware affiliate", "hostname", "trojan", "pulse submit", "url analysis", "files", "as212913 fop", "russia unknown", "as397240", "as15169 google", "as19237 omnis", "as22169 omnis", "as20068 hawk", "as133618", "as47846", "as22489", "encrypt", "record value", "pragma", "accept ch", "ireland unknown", "msie", "chrome", "style", "gmt setcookie", "as6724 strato", "core", "win32", "backdoor", "expl", "exploit", "ipv4", "virtool", "azorult cnc", "possible", "as7018 att", "regsetvalueexa", "china as4134", "service", "asnone", "dns lookup", "ransom", "push", "eternalblue", "recon", "playgame", "domain name", "as13768 aptum", "meta", "error", "as43350 nforce", "as55286", "as60558 phoenix", "ip address", "registrar", "1996", "contacted", "unlocker", "red team", "af81 http", "execution", "open", "whois sslcert", "suspicious c2", "cve202322518", "collection", "vt graph", "excel", "emotet", "metro", "jeffrey reimer pt", "sharecare", "tsara brashears", "apple", "icloud" ], "references": [ "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "qbot.zip", "imp.fusioninstall.com", "https://mylegalbid.com/malwarebytes", "192.185.223.216 | 192.168.56.1 [malware]", "http://45.159.189.105/bot/regex", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "xhamster.comyouporn.com", "cams4all.com", "watchhers.net", "weconnect.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://www.songculture.com/tsara-lynn-brashears-music", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "youramateuporn.com", "ns2.abovedomains.com", "ww16.porn-community.porn25.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "pirateproxy.cc", "mwilliams.dev@gmail.com | piratepages.com", "838114.parkingcrew.net", "static-push-preprod.porndig.com", "www.redtube.comyouporn.com", "https://severeporn-com.pornproxy.page/", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "yoursexy.porn | indianyouporn.com", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "cdn.pornsocket.com", "http://secure.indianpornpass.com/track/hotpornstuff", "www.anyxxxtube.net", "https://twitter.com/PORNO_SEXYBABES", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "campaign-manager.sharecare.com", "qa.companycam.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "24-70mm.camera", "dropboxpayments.com", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "http://xred.mooo.com", "https://sexgalaxy.net/tag/rodneymoore/", "http://alive.overit.com/~schoolbu/badmood3.exe", "jimgaffigan.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Netherlands", "Germany", "France" ], "malware_families": [ { "id": "Adware Affiliate", "display_name": "Adware Affiliate", "target": null }, { "id": "AZORult CnC", "display_name": "AZORult CnC", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 737, "FileHash-SHA1": 692, "FileHash-SHA256": 7488, "URL": 6694, "domain": 5247, "hostname": 2932, "email": 49, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 23842, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "https://whiteskycommunications.com/_Spoofed", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [AIG- data collection]", "xhamster.comyouporn.com", "https://tag.1rx.io/rmp/215626/0/mvo?z=1r&hbv=8.16,2.1\ttag.1rx.io \u2022 192.208.222.110", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82", "support.apple.com [nefarious]", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "Crowdsourced Sigma Rules: Suspicious New Service Creation by Nasreddine Bencherchali (Nextron Systems)", "https://www.rallypoint.com/command-post/veterans-benefits-banking-program-integrates-with-vetcents-to-improve-veterans-financial-health?utm_source=dept_of_va&utm_medium=email&utm_campaign=vavetcents", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Twitter porno]", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "remote.utorrent.com | pornhub.dev | lp.rallypoint.com", "government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [apple media compromise. Pega behavior?]", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "https://intelx.io/?s=albertandp.ca", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "CnC IP's: 20.103.85.33 \u2022 213.91.128.13 \u2022 74.6.143.25 \u2022 74.6.143.26 \u2022 74.6.231.20 \u2022 74.6.231.21", "amail.linuxmint.com | api1-live.linuxmint.com | Hostname apipackages.linuxmint.com | apollo-extra.linuxmint.com | apps.linuxmint.com | arc.linuxmint.com | archive.linuxmint.com | betaforums1.linuxmint.com Hostname blogs.linuxmint.com", "TrojanSpy:Win32/Nivdort.DE", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "https://www.virustotal.com/graph/embed/gc3d0a481dd64463a889ad9f206727d9d87db106da3c34deb922a2ce7837d6577?theme=dark", "Worm:Win32/Ganelp.A: FileHash-MD5 b5e26ac3b7518b77631ab7bcefae10fe", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "All - EnterpriseAppsList.csv", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "http://medlineplus.gov.https.sci-hub.st", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/", "Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://www.songculture.com/tsara-lynn-brashears-music", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://mypornsnap.top/photos/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears thousands of sites surfaced online", "https://leakix.net/search?scope=leak&q=alberta.ca", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]", "dropboxpayments.com", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "cbi.com", "http://tvm77.fashiongup.in/tracking/track-open", "CVE-2014-0160 \u2022 CVE-2017-11882", "https://applemusic-spotlight.myunidays.com/US/en-US? [potential Apple pegasus media entrance]", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "https://www.cibc.ca/en/personal-banking/bank-accounts/savings-accounts/bonus-savings.htm", "Cookies AWSALB h0mLG52+gDNUdBHb468xx6EZCua7FVRvlZWH7URKSKV27WSs637El46CBcw8RmPBxIAT2jqmmByDbnMIsYobUWhWbNadYFsxVQk/gVDcDfdixV/5aQn0VRon9gXO", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://viz.greynoise.io/analysis/52a90c2d-0774-46cd-bb66-79cb82c903fe - 07.03.24", "Crowdsourced Sigma Rules: Matches rule Suspicious Outbound SMTP Connections by frack113", "cdn.pornsocket.com", "FileHash-SHA256 3072c32dcb5754e08282a8ce2c7c60d93a5ad2ee3ae216d23c94b1f536471acc", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.facebooksunglassshop.com/", "https://severeporn-com.pornproxy.page/", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "https://mylegalbid.com/malwarebytes", "Trojan.Crypted-6 | infostealer_browser : https://otx.alienvault.com/indicator/file/29971e4a9ce229d79fae4cbdff1b32d2", "go.sabey.com | sabey.com | smear.cloud | w1.voyeurweb.com | Never stops...", "http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com", "http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://otx.alienvault.com/indicator/ip/74.6.231.21", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4", "http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept", "http://45.159.189.105/bot/regex", "https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php", "http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "appleremote.net", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.hallrender.com/attorney/brian-sabey/Accept [Weird - defended Jeffrey Scott Reimer Tsara Brashears alleged assaulter[", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "https://urlscan.io/search/#ualberta.ca", "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "https://tria.ge/240517-vc7c1shc62/behavioral1", "targeting.unrulymedia.com \u2022 http://theteenhealthdoc.com", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "http://intel.net/.about.html", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "pirateproxy.cc", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "animate-citadel-t3gbc9x3gzd7invrzh8w00zm.herokudns.com", "Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com", "http://mail.thyrsus.com/ [phishing]", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "https://www.virustotal.com/gui/file/06d4c16f64fc377b7dd5d8dff8bc6b11728d4cbbf3dcb42a9b819cc028afc328/detection", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "Remote threats: http://watchhers.net/index.php \u2022 http://eye.infunvip.com/appinterface/other/login.remote", "https://www.journaldev.com/41403/regex", "https://www.virustotal.com/gui/collection/e49552b5297eb28f2ec7245429e50fb363823c4683606ddb61c1d014b2238a6e", "apple.com-auth.eu [Find apple] | https://applemusic-spotlight.myunidays.com/US/en-US? [compromise via apple media]", "213.91.128.133 CnC AS 8866 (Vivacom Bulgaria EAD) BG - Miner", "www.hallrender.com", "https://safebae.org/", "Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S", "safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "caselaw.lawlink.com", "Crowdsourced Sigma Rules: Matches rule Suspicious Svchost Process by Florian Roth (Nextron Systems)", "static-push-preprod.porndig.com", "dns.trackgroup.net", "'https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption| password unlocker]", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "https://otx.alienvault.com/indicator/file/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "MyChart Phishing Scams", "https://www.vgt.pl/favicon.ico", "https://tulach.cc/ [malware engineering | phishing]", "adsl-074-168-130-217.sip.pns.bellsouth.net", "http://www.01tracks.com/happy-customers", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn: FileHash-SHA256 00018d13f451300fb839123dfbf2d8607da0e7b1c89ae1bfbb9946ac79c1663c", "Pop: HIO50 C1 X Amz Cf Id: Jt aBPO2nI3Nt D0E4nzqpun66btDLhJ41kQwhDASrIukoWyUOWE1w==", "Title Salzburg Airport | Public Operations Display Portal | http://quantum.emsbk.com/", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "campaign-manager.sharecare.com", "https://www.ipvoid.com/whois/", "Tracking: 8.8.4.4 [ NOT a false.positive]", "http://schoolcare.dyndns.org/soap/ISCKeyUpdater", "https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov", "http://cms.static.hw.famedownload.com/famedigital/m/1b6j9enlerq8k4g8/header-big8.jpg", "training001.blackbagtech.com [opportunity?]", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "https://tools.totaleconomicimpact.com/go/apple/TEI/docs/TEI-of-Mac-in-Enterprise.pdf | 79appleway.com | technoapple.com", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "http://m.xiang5.com/keyword/17655.html&ht=%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%8D%E8%B4%B9%E9%98%85%E8%AF%BB_%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%A8%E6%9C%AC%E6%97%A0%E5%BC%B9%E7%AA%97-%E9%A6%99%E7%BD%91%E5%B0%8F%E8%AF%B4%E6%89%8B%E6%9C%BA%E7%89%88&uaddr=https:/www.sogou.com/link?url=58p16RfDRLtDzo-0AEmfJoGs8rDRUEq4ejjohgXqBYnQGuHk6xSRXg..&h=1080&w=1920&cd=24&lg=zh-CN&ua=mozilla/5.0%20(windows%20nt%2010.0;%20win64;%20x64)%20", "Worm:Win32/Ganelp.A: FileHash-SHA256 00001054e41d89822267a38856e76eafc2c2e2f20c3f17a392e417f8b87e4ce1", "http://files.geoffreyobrian.com/uploads/1/3/2/8/132814305/3473236.pdf", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "http://fboomporn.com/teens/51826-gloryholeswallow-flora-floras-1st-gloryhole-visit-fullhd-1080p.html \u2022 teenystar18.toplistcreator.eu", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "imp.fusioninstall.com", "NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184", "https://fboomporn.com/engine/opensearch.php \u2022 http://porn.hub-accessories.site/ \u2022 https://pic.porn.hub-accessories.site", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov", "https://teenlist.toplistcreator.eu/in.php?nr=15170//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "theteenhealthdoc.com \u2022 http://jailbait.toplistcreator.eu/link.php?link=teenystar18.toplistcreator.eu&nr=522 \u2022 franchisefifteen.com", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "http://t.go.leadthrottle.com/ls/click?upn=QhIPT8KEOABIXMIAxwxPqJ280BBgOcomwXzYntjGICKScv8M4tWQQv4cQuNEja5M44qD_uKOrj1xe-2BYklVyDerLi-2F8mevEGdJeLwCcy3wsiM69F4EC3HAQoZ582VU8uxrVcciNra6YszFQV9gxv53c9iiXOjTuuW-2Fx2QeRPLTofIbYdsrV0aHfkFFhlixBU98mWJE7J0sEjKal1RV6nobxwnEeiVnye8NmQRJx-2FU9UfSEgWQJkTRSj9fP71LBPXBfsc8hOmZFtxOK0v3NQPflOZaAcy5iWdp2hFJGs4seKW1H2KrW5ufvec0BQBd1-2BT0vkNMAbCRhYmaLIAIyjw8lLFewDKeh7z1Ab1irO0L76m8UtAPp2ggxJTpeu-2BTpA0DNS2YtJw0V8Ucha5zN7OgSKumBbxxQEaK8UUm3ZjUVbsX-2Fyv-2B-2BteXtCeZE-2FzL3wmcIL", "ppa.launchpad.net [Apple open use]", "https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fsites.google.com%2Fstudent.concordia.ab.ca%2Fcybersecuritybriefi%2Fhome&followup=https%3A%2F%2Fsites.google.com%2Fstudent.concordia.ab.ca%2Fcybersecuritybriefi%2Fhome&ifkv=AdF4I74DbXz0axIgI_8-2HKe5uTaiHcEn5GDXdTMvWumG7pqQExSEV6IUvXUJDoG9Ra0ZgbhrlrC&osid=1&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1391668132%3A1721034538211512&ddm=0", "scripting-sandbox-dns.bunny.net", "Doing any evil thing for mone does not compute for me.", "Falcon-FileVantage.exe | trojan.redcap/python: FileHash-SHA256 06d4c16f64fc377b7dd5d8dff8bc6b11728d4cbbf3dcb42a9b819cc028afc328", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing/ links to Brashears browser Google.com.uy/clk malicious, links for collection", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "30597972.bhclick.com", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://otx.alienvault.com/indicator/file/0274c7ffe81ebc6310a2857348a6653d0abbfca780238a854992b7b786bb1d72", "AppRegistrationList.csv", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "http://init-p01st.push.apple.com/bag [= Google.com.uy modified browser - malicious] apple.com-auth.eu \u2022 appleid.apple.com-auth.eu\u2022", "wallpapers-nature.com", "mobileaccess.intel.com", "a17-250-248-150.www.bing.com \u2022 appledirectory.www.bing.com", "Yara Detections: Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://ns2.hallgrandsale.ru/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/", "https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net", "http://iv-u15.com/category/uncensored-leaked [ BitDefender: Porn \u2022 Xcitium: Verdict Cloud illegal software \u2022 Forcepoint: ThreatSeeker adult content]", "VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "cams4all.com", "http://www.metanetworks.org/tsara-lynn-brashears-dead", "oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev", "http://image.nationwide-service.co.uk/lib/fe9515737163077971/m/1/spacer_ApplePay.gif bum?id=326459173&s=143441 | mails.redvue.com", "http://yabs.yandex.uz/count/DbMMoEMwcAa508C2CI72BLq00000EEu2G0980c2y26W2SBYTbz06W06CXPm9Y06nyBJ1CP01mldXrZ6O0S3OwEyok06sjOF85S01NDW1uiI14E01zEhV3-W1Q9W2bk3S1A02jCW1s082y0AM-kpb2_W2aF62vgN6kDNb0O03iD_Kq0-80-cvf8mEc0EweogW0mIe0mQm0mIm106u1Fy1w0J-jHRu1D660uW5qOO3a0MGuWkW1PPtg0MeOx05g6Eu1VN-0i05bP0Lo0N0hmNW1GNm1G6O1eBGhFCEe0Q-eG6e1jW2oGPlwQdYVheAOD46Rn4LqN-w2c3P1W000C2z0000gGTjZOZwJYhCDx07W82ODD070k07XWhn1wbhSBFKCwp6W0WAq0Y0WeI1nP20Xe01u0YQP80A0S4A00000000y3_O2WBW2e29UlWAWBKOgWiGasxIrMsD000sz7Ltouq50DaBROs8-aug", "www.redtube.comyouporn.com", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06/summary", "http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208", "Target\u2193\u2192 Tsara Brashears: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "ELF:Mirai-GH\\ [Trj] 91b62309447ba8db2a456b546d02cee07f1fd1027a0dd23b0ad87bec18b5acee", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06/graph", "ww16.porn-community.porn25.com", "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984", "message.htm.com [ message stealer]", "http://alive.overit.com/~schoolbu/badmood3.exe", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://tria.ge/240521-q4s79agb25/static1", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "https://tria.ge/240517-vqxezaaa33/behavioral1", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "http://email.acm.mg.hydrantid.com/c/eJxUyTGygyAQBuDTQMksPyhYULzGe-C6LzCKOoYmt88kXdrvWxPlEJ3TkmygcbQBHrokFk-R4WwexpBl-J8Ce8uygBdeJqtrAsGTdWQB8jA0yQDEL0qMrD", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "Traceback- Man with signal jammer/ deauther working around her today.", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "weconnect.com", "jimgaffigan.com", "deadlyexploits.com | deadlysymbol.com |", "http://ci-www.threatcrowd.org/domain.php?domain=albertandp.ca", "https://nsa.gov1.info/utah-data-center", "https://ladys.one/xxx/a-tsara-brashears-zafira-porn", "http://secure.indianpornpass.com/track/hotpornstuff", "Alerts: nids_malware_alert network_icmp persistence_autorun", "hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com", "Antivirus Detections Win.Trojan.Sality-1047 , Worm:Win32/Ganelp.A IDS Detections W32.Duptwux/Ganelp FTP Username - onthelinux Yara Detections InstallShield2000 Alerts persistence_autorun_tasks cape_detected_threat bypass_firewall suricata_alert dynamic_function_loading dropper injection_rwx IP\u2019s Contacted 209.202.252.54", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "838114.parkingcrew.net", "CnC IP's: 104.200.21.37 | 106.14.226.91 | 192.187.111.221 | 198.58.118.167 | 208.100.26.245 | 34.174.78.212", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com", "https://www.virustotal.com/graph/embed/ga26f4bba58834344a271a36d59827ec2154f655df6324f939f674b0d49e1290a?theme=dark", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "FormBook", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "https://ispy-official.com/ X Cache: Redirect from cloudfront Via: 1.1 030fe0607711293dda988e571617a9f2.cloudfront.net CloudFront X Amz Cf", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "Thor Scan: S-I9VvMTB6cZU", "Crowdsourced Sigma Rules: Matches rule Creation of an Executable by an Executable by frack113", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct.html - scrubbed and for sale.", "Pulse of: hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev", "http://xred.mooo.com", "business-support.intel.com", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List", "https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "ns2.abovedomains.com", "9.6.zip - SQLi", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://hybrid-analysis.com/sample/b31067b40534bc4a9d68ac2f13f6090956d171d23c3d3f7a8c92a8745aed4db3", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Tracking. Transactional agreement]", "On same block with HalkRender. Has close working relationship. All Palantir legal enities", "23.216.147.64", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://twitter.com/PORNO_SEXYBABES", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06/iocs", "mail.secure2.store.apple.com [vprsecure.com \u2022 Worm:Win32/Mydoom]", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store", "Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.10", "mwilliams.dev@gmail.com | piratepages.com", "http://pl.gov-zaloguj.info", "https://sexgalaxy.net/tag/rodneymoore/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple iOS unlocker password decryption]", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "yoursexy.porn | indianyouporn.com", "s3.amazonaws.com [ metro T-Mobile spyware porn]", "dns.msftncsi.com", "Crowdsourced Sigma Rules: Matches rule Suspect Svchost Activity by David Burkett, @signalblur", "CnC 103.224.182.241 | 188.240.191.162 | 207.148.248.143 | 70.32.23.111", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Matches rule PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority Matches rule ET POLICY Cryptocurrency Miner Checkin Matches rule PUA-OTHER Cryptocurrency Miner outbound connection attempt", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "Link found in https://house.mo.com", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Found in: https://side3.com/ \u2022 https://side3.com/wp-json/ \u2022 https://side3.com/wp-json/wp/v2/pages/9 \u2022 https://side3.com/xmlrpc.php \u2022 side3.com \u2022 https://side3.com/wp-content/uploads/2015/07/favicon.ico.gif \u2022 https://www.facebook.com/side3studios", "https://www.nsogroup.com", "Part II -Some users OTX accounts connected to the following | Unexpected revelation |", "hostmaster.hostmaster.hostmaster.cartography.midst.co.uk | message.htm.com | quantum.emsbk.com http://cms.static.hw.famedownload.com/famedigital/m/", "https://www.hallrender.com/attorney/brian-sabey/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/", "artificial-legal-intelligence.com", "https://www.virustotal.com/gui/file/f9527077fe3699a17a45276e3b15d65014b5c1d2d10c09f476a21b90fbd0bf67/detection", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t\t\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.63", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "IDS Detections Master IP CAM 01 Hardcoded Password for Root Account (CVE-2018-5723) Juniper ScreenOS telnet Backdoor Default Password Attempt SUSPICIOUS Path to BusyBox Possible Linux.Mirai Login Attempt (meinsm) Actiontec C1000A backdoor account M2", "qbot.zip", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "https://www.virustotal.com/gui/file/dcd0812ed0b280cee38a3f8a68e5fde900f0a9f832ca53167d38d96f105eb9b9/detection", "192.185.223.216 | 192.168.56.1 [malware]", "qa.companycam.com", "https://otx.alienvault.com/indicator/file/00001054e41d89822267a38856e76eafc2c2e2f20c3f17a392e417f8b87e4ce1", "remotewd.com device local", "http://porn.toplistcreator.eu/in.php", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "www.gambinospizza.com", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://play.google.com/store/apps/details?id=com.e9117073d4e0.www", "He must be very scary like Peter Theil because every attorney took case then backed off.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "all-live.secure2storeapple.xxianzi.com \u2022 https://www.symbios.pk/apple-ipod-5-32gb", "youramateuporn.com", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password decryption]", "https://totallyspies.1000hentai.com/tag/clover-porn/", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.sweetheartvideo.com/scenes?models=63710", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "https://www.virustotal.com/gui/collection/4b0d82fda81972be3f9373edf863a3bcf426aafc9a53927eedc0b694554de33f", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg \u2022 https://www.hallrender.com/xmlrpc.php?rsd", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "IDS Detections Win32/Tofsee.AX google.com connectivity check External IP Lookup www.trackip.net Possible", "https://www.vgt.pl/94.152.152.233/images/logo.png", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "It has taken years to slow the constant malicious DGA domains , they still keep smearing target only.", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "nr-data.net [Apple Private Data Collection]", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.hudsonrock.com/search?domain=ualberta.ca", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png [offered Brashears settlement that month]", "Tracking: mailtrack.io \u2022 nr-data.net \u2022 tracking.bullseyeedu.com \u2022 https://smtp.mail.pentrack.com \u2022 tracking.vetsindexes.com", "https://www.sweetheartvideo.com/model/63710/brandi-love", "Trojan.Agent.FRYX: http://email.bidayati.com/c/eJwkkc1ygjoYQJ8Gd3TClwTIwgUR0Aq12BbBbu5EfuQnioVQwKe_03v3Z-bMnJOvbUwtS6yKtWEZjNmMULyq1oAMYto2zZhd2IbIGb6UBdiYCqMoC", "Self whitelisting tool, domains moved within nginx.", "IDS Detections: Win32/Unruy Rogue Search Host Observed 1", "http://45.159.189.105/bot/regex | http://46.109.184.5/search.htm | http://acycseiiqsau.org/ | emsbk.innocraft.cloud | jenkins.devnautiluscloud.net |", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "deviceinbox.com [malware hosting]", "https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4", "http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]", "pornhub-e.com \u2022 www.pornhub.com \u2022", "edgedl.me.gvt1.com", "enterprise.cellebrite.com [ digitalclues.com]", "IDS Detections: Win32/Emotet CnC Activity (POST) M9 GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1", "1click-uninstaller.informer.com [Apple - access PE]", "http://www.rvrb.me/fan_reach/pt?eid=A429942_17490857_19605431_lnk1018&url=http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewAl", "https://plussizedesi.com/wp-content/uploads/2022/07/SniperGhostWarrior2BlackBox_Version_Download_INSTALL.pdf", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://timersys.com/ [ phishing | deb opera.com]", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496 \u2022 apps.apple.com", "CVE-2017-0147 \u2022 CVE-2023-4966 \u2022 CVE-2023-22518", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "Found in: http://house.mo.gov/", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "0039ca3853af262af65326399713d4e45340eec4c3ea789be19335f06f090993", "type,id 000d161246615fb8d5b30411c753420f82a881a9d7750639bbace67e1bb270a0 001155a72482c2ddd750b1e9c28633a7e13228e4e2b05f0ba585a395ac852b49 0014425cb6011c2086b6aeca5eee11368431356a68d173c2ff7ffef327c0ba86 0018686a02600f7da1a3f0981ce78bb6982480b14130a0cc2b8c8401bc1b8449 003bfd323f6366ac283b9f922d942d7c8f6070a2f2b919a719af7fc8e7c77995 00434aa911043b208854236a41c8e7a284185710ff67b52eea9f538f4151fa28 0063c0019a4ec47bc251753be3aca37c0d84699d34a99df83963364fe640c795 00651f483b685736596ebc95817b01c34382a4691b81701cc", "http://callenjoy.net/index.php | watchhers.net | emails.redvue.com | nexus.devnautiluscloud.net | http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "trojan.shellrunner/emailworm: FileHash-SHA256 f9527077fe3699a17a45276e3b15d65014b5c1d2d10c09f476a21b90fbd0bf67", "24-70mm.camera", "www.anyxxxtube.net", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]", "facebooksunglassshop.com", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "0qMrDxlbqY9THmtdz56XQ2fTe-p9H49lftTmBXmn1WY9Z16q1vJdZdjO5Wnq_Pn3gEAAP__hu8yPQ", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "https://softwaremill.com/grpc-vs-rest/", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "hxxps://onlyindianporn.net/videos/tsara-brashears/", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "http://images.contact.acams.org/", "hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev", "deviceinbox.com", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "http://watchhers.net/index.php", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06", "148.163.152.21 AS 22843 (PROOFPOINT-ASN-US-EAST) US | www.robtex.com | www.spf-record.com |", "Antivirus Detections ELF:Mirai-GH\\ [Trj]", "alohatube.xyz [BotNetwork]", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "Worm:Win32/Ganelp.A: FileHash-SHA1 0eed684aef678aeffb43866bd2c975876e82eeab", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing & apple collection]", "watchhers.net", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "apple-carry-relay.cloudflare.com | apple-dns.net | emails.redvue.com | https://arduboy.com/bad-apple-demo-is-good | 67.199.248.12", "https://www.virustotal.com/graph/embed/g99d61feda7554cba94972ae4110efe8acacfea236d6943d0bdc93dcbc7e9b60f?theme=dark", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "00000000000.cloudfront.net", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "http://apple.helptechnicalsupport.com/favicon.ico", "https://www.milehighmedia.com/legal/2257", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 apple collection]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian - is this a must?", "https://tria.ge/240517-vdwb5shc71/behavioral1", "remote.utorrent.com [remote router logins]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "NSO GROUP", "NSO Group", "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others" ], "malware_families": [ "Win64:ransomx-gen", "Mirai (windows)", "Worm:win32/ganelp.a", "Astaroth", "Invicta stealer", "Parallax rat", "Gopher", "Maltiverse", "Arid.viper_cnc", "Zbot", "Paragon (pegasus variant)", "#lowfi:lua:autoitv3craftedoverlay", "Blacknet", "#lowfi:exploit:java/cve-2012-0507", "Bulz", "Alf:trojan:win32/cassini_ade36583", "#virtool:win32/obfuscator.adb", "Ransom:win32/makop", "Trojan:win32/comspec", "Pegasus for mac", "Quasar rat", "#lowfi:siga:trojandownloader:msil/genmaldow", "Bitrat", "Win.trojan.midia-4", "Pegasus for ios - s0289", "Backdoor:linux/mirai", "Alf:html/phishing", "Trojanspy:win32/nivdort.de", "Babar", "Redline stealer", "Alf:trojan:win32/zbot", "Ebury", "Alf:trojan:powershell/dynamicloader", "Ransomware", "Win32:acecrypter-b [cryp]", "Asyncrat", "Trojandownloader:linux/mirai", "Formbook", "Win32:dropperx-gen\\ [drp]", "Trojan:win32/startpage", "Trojanspy", "Win32/socstealer!rfn", "Win.malware.unsafe", "Qbot", "Pws:win32/qqpass.ci", "Trojanspy:win32/nivdort.cw", "Dark", "Sabey", "Alf:backdoor:java/webshell", "Ransomexx", "Zeroaccess - s0027", "Expiro", "Trojan.agent.fryx", "Nids", "Backdoor:win32/mydoom", "Xls:nastya\\ [trj]", "Malware", "Crypt4.ygm", "#lowfitrojan:html/iframe", "Makop", "Other", "Azorult", "Skynet", "#lowfitrojan:js/auto25", "Starfighter (javascript)", "Wininicrypt", "Pegasus rdp module for windows", "Et", "Trojan:win32/glupteba.rq!msr", "Mallox", "Trojan:win32/generic", "Xloader for ios - s0490", "Graphite (pegasus variant)", "Alf:backdoor:powershell/reverseshell", "Swipper", "Agent tesla", "Trojan.shellrunner/emailworm", "Alf:trojan:win32/formbook", "Trojan.redcap/python", "Ransom:win32/haperlock", "Backdoor:win32/tofsee.t", "Ransomexx (elf)", "N\u2205 ip", "Html smuggling", "#lowfi:hstr:win32/mediadownloader", "Silent", "Trojan:win32/mydoom", "Possible", "Alf:heraklezeval:trojandownloader:win32/unruy", "Pws:win32/xport", "Tulach", "#hstr:hacktool:win32/remoteshell", "Trojanspy:win32/nivdort", "Ursnif", "Win.trojan.agent-336074", "Hacktool", "Backdoor.win32.shiz.ufj", "Wannacry", "Win64-trojan/pakes.exp", "Alibaba ransom:win32/stopcrypt", "Tofsee", "Heartbleed bug", "Amadey", "Lockbit", "Mal_tofsee", "Trojan:win32/floxif.e", "Crypt3.bwvy", "Virtool:win32/injector.gen!bq", "Win.packed.kelios-10023944-0", "Email-worm.win32.brontok.n", "Lolkek", "Ransom:win32/wannaren", "Maze", "Hallrender", "Win.trojan.unruy-5885", "Alf:heraklezeval:trojandownloader:win32/unruy!rfn", "Blacknet rat", "Fragtor", "Quasar", "Trojan:win32/qshell", "Mirai", "Win32:malware-gen", "Artro", "Cobalt strike", "Njrat", "Pegasus for android - mob-s0032", "Evilnum", "Win.malware.qshell-9875653-0", "Ransom.stopcryptpmf.", "Alf:trojanspy:nivdort", "Androidoverlaymalware - mob-s0012", "Locky", "Virtool", "Dropper.generic_r.ec", "Pegasus", "Remcos rat", "Emotet", "Careto", "Crat", "Win.packed.xtremerat-9837419-0", "Azorult cnc", "Alf:heraklezeval:trojan:win32/ymacco.aa47", "Callback phishing", "Eternalblue", "Infostealer/win.smokeloader.r439087", "Chaos", "Worm:win32/mofksys.rnd!mtb", "Ascii exploit", "Keylogger", "Orcus rat", "Adware affiliate", "Lumma stealer", "Juko", "Worm:win32/autorun", "Jaik", "Bazarcall", "Qakbot", "Trojan:js/berbew", "Dark power", "W32.aidetect.malware2", "Worm:win32/bloored.e", "Win.dropper.tofsee-9799489-0" ], "industries": [ "Civil", "Civil society", "Healthcare", "People", "Hospitality", "Civilians", "Finance", "Telecommunications", "Manufacturing", "Media", "Retail", "Legal", "Government", "Technology", "Education", "Financial" ], "unique_indicators": 650973 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/oaey.win", "whois": "http://whois.domaintools.com/oaey.win", "domain": "oaey.win", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "69d3532c76eb3bf5edd9609b", "name": "clone credit octoseek-Dark Power - Pegasus | https://lawlink.com/ CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by OctoSeek", "description": "", "modified": "2026-04-06T06:31:08.181000", "created": "2026-04-06T06:31:08.181000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "65bbb998c3b7662e5059b6c2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d3532a6537880f6e2c68dc", "name": "clone credit octoseek-Dark Power - Pegasus | https://lawlink.com/ CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by OctoSeek", "description": "", "modified": "2026-04-06T06:31:06.730000", "created": "2026-04-06T06:31:06.730000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "65bbb998c3b7662e5059b6c2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf8e2663d5480917ddb699", "name": "Pegasus - https://house.mo.gov/ | Brian Sabey HallRender [i cloned OctoSeek] T8", "description": "", "modified": "2026-03-22T08:35:26.266000", "created": "2026-03-22T06:37:26.233000", "tags": [ "united", "as393601 state", "a domains", "passive dns", "as397241", "certificate", "urls", "search", "showing", "entries", "algorithm", "full name", "data", "v3 serial", "number", "cus cndigicert", "global g2", "tls rsa", "sha256", "ca1 odigicert", "info", "record type", "ttl value", "all txt", "ssl certificate", "whois record", "contacted", "referrer", "resolutions", "historical ssl", "communicating", "problems", "parent domain", "njrat", "ransomware", "startpage", "historical", "malware", "execution", "threat roundup", "april", "september", "remcos rat", "august", "june", "qakbot", "push", "service", "privateloader", "amadey", "powershell", "qbot", "cobalt strike", "core", "hacktool", "november", "october", "roundup", "threat network", "cellbrite", "february", "emotet", "maze", "metro", "dark", "malicious", "team", "critical", "copy", "awful", "parallax rat", "banker", "keylogger", "dns replication", "date", "csc corporate", "domains", "code", "server", "registrar abuse", "registrar iana", "registry domain", "registrar url", "registrar", "contact phone", "apple ios", "quasar", "remcos", "ursnif", "chaos", "ransomexx", "azorult", "agent tesla", "evilnum", "asyncrat", "win32 exe", "wininit", "beta version", "cmstp", "taskscheduler", "ieudinit", "nat32", "certsentry", "type name", "wc3 rpg", "pegasus", "unknown", "domain", "servers", "germany unknown", "name servers", "status", "next", "as29066 host", "as133618", "cname", "as47846", "scan endpoints", "all octoseek", "pulse pulses", "encrypt", "china unknown", "as38365 beijing", "as134175 unit", "707713", "hong kong", "virgin islands", "as6461 zayo", "ransom", "exploit", "ipv4", "pulse submit", "url analysis", "trojan", "body", "click", "creation date", "emails", "expiration date", "domain privacy", "hostname", "dynamicloader", "state", "medium", "msie", "windows nt", "wow64", "show", "slcc2", "media center", "error", "delphi", "guard", "write", "win32", "target", "redir", "facebook", "dcom", "local", "delete", "utf8", "unicode text", "crlf line", "rgba", "yara detections", "default", "asnone", "get na", "dns lookup", "probe ms17010", "eternalblue", "playgame", "high", "related pulses", "yara rule", "anomalous file", "dynamic", "malware infection", "cnc", "procmem_yara", "antivm_generic_disk", "modify_proxy infostealer_cookies", "network_http", "anomalous_deletefile", "antidebug_guardpages", "powershell_request", "powershell_download", "as63949 linode", "mtb feb", "open ports", "backdoor", "gmt content", "trojandropper", "simda", "lockbit", "win.trojan", "midia-4", "floxif", "cryptowall", "brontok", "check in", "record value", "files", "location united", "america asn", "as16509", "download", "threat", "paste", "iocs", "analyze", "hostnames", "urls http", "samples", "tsara brashears", "2nd corintnthians 4:8-9", "injection_inter_process", "injection_create_remote_thread", "persistence_autorun", "bypass_firewall", "disables_windowsupdate", "dynamic_function_loading", "http_request", "query", "delete c", "activity dns", "components", "file execution", "observed dns", "as4837 china", "nxdomain", "a nxdomain", "wannacry", "missouri", "safebae", "hallrender", "house.mo.gov", "typosquatting", "tactics", "google", "win64", "khtml", "gecko", "veryhigh", "aes256gcm", "dalles", "cookie", "urls https", "xpcegvo2adsnq", "mhkz", "mvi2", "keepaliveyes", "fexp24007246", "nsyt", "eva reimer", "daisy coleman", "brian sabey", "https://lawlink.com/documents/10935/blackbag-technologies-announ" ], "references": [ "https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov", "dns.msftncsi.com", "NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184", "Target\u2193\u2192 Tsara Brashears: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "23.216.147.64", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]", "http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]", "alohatube.xyz [BotNetwork]", "facebooksunglassshop.com", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4", "oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev", "http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/", "government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org", "https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html", "remote.utorrent.com [remote router logins]", "Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com", "http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online", "http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com", "http://tvm77.fashiongup.in/tracking/track-open", "https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg", "http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/", "hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com", "http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208", "https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com", "safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/", "https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com", "https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4", "Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js", "Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]", "Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store", "https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]", "http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt", "sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "China", "Australia", "Hong Kong" ], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "EVILNUM", "display_name": "EVILNUM", "target": null }, { "id": "Dark", "display_name": "Dark", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Keylogger", "display_name": "Keylogger", "target": null }, { "id": "Maze", "display_name": "Maze", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "Parallax RAT", "display_name": "Parallax RAT", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Remcos RAT", "display_name": "Remcos RAT", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Win.Trojan.Agent-336074", "display_name": "Win.Trojan.Agent-336074", "target": null }, { "id": "Arid.Viper_CnC", "display_name": "Arid.Viper_CnC", "target": null }, { "id": "WininiCrypt", "display_name": "WininiCrypt", "target": null }, { "id": "PWS:Win32/QQpass.CI", "display_name": "PWS:Win32/QQpass.CI", "target": "/malware/PWS:Win32/QQpass.CI" }, { "id": "Win.Trojan.Midia-4", "display_name": "Win.Trojan.Midia-4", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Win32/SocStealer!rfn", "display_name": "Win32/SocStealer!rfn", "target": null }, { "id": "Backdoor.Win32.Shiz.ufj", "display_name": "Backdoor.Win32.Shiz.ufj", "target": null }, { "id": "Email-Worm.Win32.Brontok.n", "display_name": "Email-Worm.Win32.Brontok.n", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": "65c91f2b7c03b480379ae4d1", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2668, "FileHash-SHA1": 2469, "FileHash-SHA256": 8054, "URL": 6185, "domain": 2421, "hostname": 3042, "CVE": 5, "email": 15, "CIDR": 1, "IPv4": 18 }, "indicator_count": 24878, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b49ad5dd40a24d83cd6a72", "name": "Chris P. Ahmann \u2022 PRIVATE PROPERTY Colorado State Fixer!", "description": "", "modified": "2026-03-13T23:16:37.716000", "created": "2026-03-13T23:16:37.716000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "69631fbd16e306ee2b76c4da", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b496396ca4987e95ad37d1", "name": "Chris Buzz by QVashni (wow)", "description": "", "modified": "2026-03-13T22:56:57.314000", "created": "2026-03-13T22:56:57.314000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "69482caa00d327da8f0a87bc", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b49587dd104e342dda1628", "name": "C Ahman Attorney Clone by Top Tier, Q.Vashti", "description": "", "modified": "2026-03-13T22:53:59.112000", "created": "2026-03-13T22:53:59.112000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "691f4d4ef0a2a570b8b21cd2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b92a27c47d4e28927364", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:24:26.110000", "created": "2026-03-12T13:01:30.067000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 51, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b9295603a6100edfa8c8", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:24:25.387000", "created": "2026-03-12T13:01:29.284000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b927aa7f10e82639d204", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:27.872000", "created": "2026-03-12T13:01:27.872000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b927c086397130c5d114", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:27.275000", "created": "2026-03-12T13:01:27.275000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://oaey.win", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://oaey.win", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776616675.0394113 }