{
"type": "URL",
"indicator": "https://one.one.one.one/dns-queryoint.initialized.clear.",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://one.one.one.one/dns-queryoint.initialized.clear.",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4185466243,
"indicator": "https://one.one.one.one/dns-queryoint.initialized.clear.",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 7,
"pulses": [
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-05-17T15:52:35.396000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
"My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 28000,
"FileHash-SHA256": 48374,
"FileHash-MD5": 42596,
"FileHash-SHA1": 23243,
"hostname": 35654,
"URL": 75758,
"SSLCertFingerprint": 30,
"CVE": 7585,
"email": 316,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"URI": 5,
"IPv4": 574,
"Mutex": 1
},
"indicator_count": 288350,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 92,
"modified_text": "13 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf64e1d5e06aa6207f78de",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:21.863000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 149,
"modified_text": "65 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf64eccb5d39a90a3c391e",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:32.565000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 152,
"modified_text": "65 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "698037098c99c37cb91037c2",
"name": "Busy Box MITM Attacks via Drive-by-Compromise | Facebook | Apple",
"description": "Busy Box - MITM Attack\n\nDrive-by-Compromise | Facebook | Jamie Oliver Recipes | My sister-in-law made this once and I couldn\u2019t stop eating it. \nAdversarial Facebook pop up posts. .\n\n|| Pykspa.C Check in. \"Pykspa is a type of Remote Access Trojan (RAT). A powerful a worm that spreads via social media or via DGA algorithms. Parking crews are fond of these types of attacks. Christopher Ahmann",
"modified": "2026-03-04T04:07:14.513000",
"created": "2026-02-02T05:32:57.303000",
"tags": [
"no expiration",
"filehashsha256",
"ipv4",
"url http",
"domain",
"hostname",
"filehashmd5",
"filehashsha1",
"iocs",
"url https",
"search",
"type indicator",
"review iocs",
"role title",
"create new",
"pulse use",
"pdf report",
"pcap",
"extraction",
"sc data",
"extre data",
"include review",
"exclude sugges",
"data upload",
"failed",
"find s",
"oo data",
"enter source",
"url or",
"text drag",
"expiration",
"showing",
"entries",
"protect",
"pulse show",
"email abuse",
"related pulses",
"indicator role",
"returnurl no",
"drop",
"pulse provide",
"public tlp",
"green",
"adversary tags",
"buzz",
"x8664",
"add tag",
"groups add",
"add industry",
"trojan",
"tags"
],
"references": [
"https://www.facebook.com/groups/378607181955796/posts/773093455840498/?hpir=1&http_ref=eyJ0cyI6MTc2OTk2MDkxOTAwMCwiciI6IiJ9",
"www.crazyfrost.com IPv4 104.21.5.49 IPv4 172.67.132.250",
"Antivirus Detections: Trojan:Win32/Dorv.A",
"IDS Detections: Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host)",
"IDS Detections: IP Check Domain (showmyipaddress .com in HTTP Host) External IP Lookup",
"IDS Detections: Domain in DNS Lookup (whatismyipaddress .com) IP Check",
"IDS Detections: Domain (whatismyipaddress .com in HTTP Host)",
"Yara Detections XOR_embeded_exefile_xored_with_round_256_bytes_key",
"Alerts: antiav_servicestop antisandbox_sleep process_creation_suspicious_location",
"Alerts: network_bind persistence_autorun binary_yara procmem_yara suricata_alert",
"Alerts: disables_uac infostealer_keylog modify_uac_prompt anomalous_deletefile",
"Alerts: mouse_movement_detect dead_connect enumerates_running_processes process_needed",
"Alerts: dynamic_function_loading reads_memory_remote_process packer_entropy network_http",
"IP\u2019s Contacted: 188.223.42.134 78.57.88.30 84.73.234.83 78.84.44.225 89.252.203.80",
"IP\u2019s Contacted: 77.76.39.110 104.156.155.94 77.77.13.89 78.61.87.173 78.63.104.75",
"Domains Contacted: www.whatismyip.com www.showmyipaddress.com www.whatismyip.ca",
"Domains Contacted: whatismyipaddress.com whatismyip.everdot.org www.facebook.com",
"Domains Contacted: fexexwjehud.org lxclombt.net jpnzlsaqogv.com esccuyigsy.org",
"Antivirus Detections: Win.Malware.Pits-10035540-0",
"Yara: Detections Delphi",
"Alerts: infostealer_cookies antiav_detectfile",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"nigger.cat \u2022 http://a.nigger.cat/ \u2022 http://a.nigger.cat/imrred.exe \u2022 http://a.nigger.cat/iwzptk.pdf \u2022",
"http://a.nigger.cat/ltbexb.jpg \u2022 http://a.nigger.cat/ocnxdv.exe \u2022 http://a.nigger.cat/ocnxdv.exe/",
"http://a.nigger.cat/ovefvy.html \u2022 http://a.nigger.cat/snkikb.rar \u2022 http://a.nigger.cat/unipms.exe",
"http://a.nigger.cat/ypphgg.exe \u2022 http://u.nigger.cat/ \u2022 https://a.nigger.cat/",
"http://www.a.nigger.cat/ocnxdv.exe \u2022 https://a.nigger.cat/pwzbrt.txt",
"output.228572717.txt [fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f]",
"https://www.virustotal.com/gui/file/fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f/summary",
"https://hybrid-analysis.com/sample/3aaca21b3918eecd127867bdd724611398cf897a0686fedfde1d424b7ad6130a",
"https://hybrid-analysis.com/sample/e4999984a69a65a69bec9fef1200f7ec36a10bc401cdd15db3510fdc87ec5008/697fb0fec4a9bda3410454cf",
"https://hybrid-analysis.com/sample/f6ccff8dec08334fab98d4f6cb9b2774acd00e98d1afabd219c2634d5b3e2147/697faa178cc598cfb90b0423",
"https://hybrid-analysis.com/sample/01a1a2106bcddc591cab08d31c13966bd0413fe312bce9be396e964e114631a6/697f8c04475b90e7fb0d7ff9",
"apple4you.it \u2022 https://www.apple4you.it/ \u2022 cpcalendars.apple4you.it \u2022 ftp.apple4you.it \u2022",
"https://ftp.apple4you.it \u2022 http://cpcalendars.apple4you.it \u2022 http://cpcontacts.apple4you.it \u2022",
"http://ftp.apple4you.it \u2022 http://www.apple4you.it/ \u2022https://cpcalendars.apple4you.it \u2022",
"https://cpcontacts.apple4you.it",
"AppleWebKit Christopher P. \u2018BUZZ\u2019 Ahmann interference",
"adsparkahz.shop \u2022 https://adsparkahz.shop/ \u2022 parkedbits.com",
"https://parkedbits.com \u2022 spiritzuridgerunelahubcloudgusparkx.rest",
"https://fs25.mygamesteam.com/download/underground-parking/",
"http://spiritzuridgerunelahubcloudgusparkx.rest/",
"127.0.0.1 Private IP Address \u2022 http://facebook.com/iWebTechnologies",
"9e8c2f9e77b4b6a7538e4136d3bda379c560dc1a5931643da119da2f28881e4d\tELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0\tDDoS:Linux/Gafgyt.YA!MTB",
"ELF:DDoS-S\\ [Trj] , Unix.Trojan.Gafgyt-6981154-0 , DDoS:Linux/Gafgyt.YA!MTB",
"IDS Detections: Suspicious Activity potential UPnProxy",
"Yara Detections: is__elf , ECHOBOT",
"Alerts: dead_host network_icmp tcp_by",
"Unix.Dropper.Mirai-7135925-0 , DDoS:Linux/Gafgyt.YA!MTB Yara Detections is__elf , ECHOBOT",
"TAGS: aaaa accept activity address adversaries aes128gcm ahmann all hostname all ipv4 as15169",
"TAGS: as29278 deninet as29728 cottage as47325 ascii text asn as29278 asn as29728 asn13335",
"TAGS: av detections av exploit belgium belgium unknown binbusybox bits body canada unknown",
"TAGS: christopher p christopher p. \u2018buzz\u2019 ahmann ck id ck matrix ck techniques clare click cloud",
"TAGS: cloudflare cloudflarenet command config connection copy crazyfrost cyber attacks",
"TAGS: data upload date date hash ddos dead connection default defense evasion delphi destination",
"TAGS: detection detections detections name development att direct dirty dns resolutions domain",
"TAGS: add dynamicloader ecdsa echobot echobot related encrypt entries error evasion att",
"TAGS: expiration date explorer extraction facebook facebook failed february filehash files files ip",
"TAGS: flag gecko general general full general info generator geo hungary guard hackers hash hide",
"TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passiv",
"TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections",
"TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passive dns path pattern match pink screen port possible prefetch8 present dec present feb present jan",
"TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver",
"TAGS: json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey",
"TAGS: macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec",
"TAGS: mtb yara name servers name tactics network traffic new browser next associated next",
"TAGS: yara niggercat none file null object os x outbound passive dns path pattern match",
"TAGS: pink screen port possible prefetch8 present program protocol h3 ptr record none push",
"TAGS: pyspark python python initiated quic ransom recipes record value redacted for",
"TAGS. redirect refresh related tags remoteIPAddress resource restart reverse dns route runner",
"TAGS: sample analysis se domains search security quic add source level span spawns spy",
"TAGS: state of colorado stream strings suspicious t1590 gather tcp syn title tools tr trex triangulation",
"TAGS: trojan trojandropper trojanspy united unknown unknown aaaa unknown ns updater",
"TAGS: upnproxy url analysis url https url text urls verified verify veryhigh victim network vubbuv win32 win64 windows windows nt windows server worm write write c yara detections yara rule"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Hungary"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "DDos:Linux/Gafgyt.YA!MTB",
"display_name": "DDos:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDos:Linux/Gafgyt.YA!MTB"
},
{
"id": "ELF:DDoS-S\\ [Trj]",
"display_name": "ELF:DDoS-S\\ [Trj]",
"target": null
},
{
"id": "Pykspa.C",
"display_name": "Pykspa.C",
"target": null
},
{
"id": "Trojan:Win32/Dorv.A",
"display_name": "Trojan:Win32/Dorv.A",
"target": "/malware/Trojan:Win32/Dorv.A"
},
{
"id": "Unix.Trojan.Gafgyt-698115",
"display_name": "Unix.Trojan.Gafgyt-698115",
"target": null
},
{
"id": "4-0 Win.Malware.Pits-10035540-0",
"display_name": "4-0 Win.Malware.Pits-10035540-0",
"target": null
},
{
"id": "Win.Packed.Usteal-7531303-0",
"display_name": "Win.Packed.Usteal-7531303-0",
"target": null
},
{
"id": "tR",
"display_name": "tR",
"target": null
},
{
"id": "DeathHiddenTear (Large&Small HT) >",
"display_name": "DeathHiddenTear (Large&Small HT) >",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1586,
"FileHash-SHA1": 1479,
"FileHash-SHA256": 1938,
"URL": 4548,
"domain": 1052,
"hostname": 2501,
"email": 9,
"SSLCertFingerprint": 7,
"CIDR": 2
},
"indicator_count": 13122,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "88 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6975c5cd4db6104ea1a3d69b",
"name": "The Blender Foundation BouncyCastle-Virut | Malware /Stealer Empty FileHash | Eternal7 (Shadow Broker) Related",
"description": "Empty FileHash isn\u2019t benign. Interesting relationships to the Eternal 7. Malware, Stealer and Suspicious History File Operation. BouncyCastle-Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys / Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"modified": "2026-02-24T06:02:43.853000",
"created": "2026-01-25T07:27:09.640000",
"tags": [
"empty",
"blender",
"eurostile",
"augustin",
"butterfield",
"cook",
"drummer",
"erickson",
"fjsv",
"flynn",
"gorman",
"holmes",
"easy",
"rada",
"xanadu",
"config",
"reboot",
"screen",
"microsoft",
"commerce server",
"edition",
"draw",
"exchange server",
"tools",
"linux",
"ideal link",
"nsrl test",
"nist",
"file",
"cultureneutral",
"fix pack",
"free download",
"bouncycastle",
"read c",
"search",
"et trojan",
"w32kegotip cnc",
"whitelisted",
"ids detections",
"intel",
"write",
"trojan",
"malware",
"yara detections",
"productversion",
"fileversion",
"av detections",
"alerts",
"analysis date",
"file score",
"united",
"aaaa",
"passive dns",
"ip address",
"present dec",
"body html",
"head meta",
"title",
"urls",
"url https",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"beacon",
"et",
"ipv4",
"files",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"related pulses",
"show",
"win32virut",
"destination",
"port",
"ms windows",
"pe32",
"medium",
"suspicious",
"virustotal",
"startul",
"shadowbrokers",
"total",
"delete",
"artemis",
"win32.injector",
"trendmicro",
"data upload",
"extraction",
"included iocs"
],
"references": [
"The Blender Foundation",
"website \u2022 http://oldapps.com/blender.php?old_blender=7584",
"oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]",
"Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community",
"Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks",
"ET TROJAN W32/Kegotip CnC Beacon",
"IDS Detections ET POLICY Suspicious User-Agent Containing .exe",
"Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit",
"Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /",
"Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "BouncyCastle",
"display_name": "BouncyCastle",
"target": null
},
{
"id": "Sf:ShellCode-AU",
"display_name": "Sf:ShellCode-AU",
"target": null
},
{
"id": "Win.Trojan.Fareit-82",
"display_name": "Win.Trojan.Fareit-82",
"target": null
},
{
"id": "Win.Trojan.Agent-245901",
"display_name": "Win.Trojan.Agent-245901",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "W32/Kegotip CnC",
"display_name": "W32/Kegotip CnC",
"target": null
},
{
"id": "W32.Virut.ci",
"display_name": "W32.Virut.ci",
"target": null
},
{
"id": "Downloader.Generic13.CMTW",
"display_name": "Downloader.Generic13.CMTW",
"target": null
},
{
"id": "Downloader.Generic13.BOBZ",
"display_name": "Downloader.Generic13.BOBZ",
"target": null
},
{
"id": "Win.Trojan.Injector-12138",
"display_name": "Win.Trojan.Injector-12138",
"target": null
},
{
"id": "Generic36.ADTY",
"display_name": "Generic36.ADTY",
"target": null
},
{
"id": "Generic36.AIAA.Dropper",
"display_name": "Generic36.AIAA.Dropper",
"target": null
},
{
"id": "Generic36.AJSM",
"display_name": "Generic36.AJSM",
"target": null
},
{
"id": "Win32/Virut",
"display_name": "Win32/Virut",
"target": null
},
{
"id": "Win32/Ramnit.A",
"display_name": "Win32/Ramnit.A",
"target": null
},
{
"id": "Worm.Autorun-6180",
"display_name": "Worm.Autorun-6180",
"target": null
},
{
"id": "Hider.BIY",
"display_name": "Hider.BIY",
"target": null
},
{
"id": "Win.Trojan.Rootkit-4532",
"display_name": "Win.Trojan.Rootkit-4532",
"target": null
},
{
"id": "Win32/Blacked",
"display_name": "Win32/Blacked",
"target": null
},
{
"id": "Win32.Injector",
"display_name": "Win32.Injector",
"target": null
},
{
"id": "TrendMicro",
"display_name": "TrendMicro",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 71,
"FileHash-SHA256": 853,
"URL": 1639,
"domain": 288,
"FileHash-MD5": 78,
"hostname": 545
},
"indicator_count": 3474,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "697488f095f69d392afd00fb",
"name": "Fidelity Investments \u2022\u2019 EternalRocks | Financial Crimes",
"description": "Fidelity Life and Guarantee defaults to Fidelity Investments. Long standing issue. Possible phishing email interception. Multiple accounts stolen at the time a man who presents himself as M. Brian Sabey Esq. Elder/Estate attorney unable to\nsettle life claim more action was requested. Attorney repeatedly redirected to an investment team. We decided to use targets phone to\ntest results , payout is overdue. Illegal tactics were used to defraud victim/s.. Fraud operators ask for SSN and later state they cannot help. L of Fraud phone , \u2018team\u2019 cannot complete internal phone transfers.,can conference you in to other people who act confused , disheveled who also\nask for SSN. \n\nSince victims experiences less\nthan covert interactions, I\u2019m unclear as to why there is a strong FBI, CIA , Palantir Foundry presence. It\u2019s rattling . \nReiterating : Entity steals financial products, health , life insurance policies, investment accounts, credit card frauds , bank accounts,intellectual property anything of value.",
"modified": "2026-02-23T07:04:04.285000",
"created": "2026-01-24T08:55:12.845000",
"tags": [
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"ck techniques",
"evasion att",
"t1480 execution",
"href",
"ascii text",
"pattern match",
"mitre att",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"form",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"active related",
"url https",
"related pulses",
"url http",
"united",
"czechia",
"hong kong",
"ipv4",
"indicators hong",
"kong",
"south korea",
"netherlands",
"germany",
"ireland",
"denmark",
"sweden",
"active",
"government",
"finance",
"security",
"type indicator",
"yara detections",
"av detections",
"ids detections",
"alerts",
"analysis date",
"mcsf",
"microsoft",
"yara",
"insurance",
"fidelity investments",
"description",
"fidelity international",
"ms windows",
"pe32",
"writeconsolew",
"read c",
"pe32 executable",
"t1045",
"susp",
"write",
"win64",
"malware",
"modified",
"ck ids",
"t1040",
"sniffing",
"packing",
"t1112",
"packing t1045",
"icmp traffic",
"memcommit",
"pe section",
"low software",
"pe resource",
"win32",
"trojan",
"april",
"sara ligorria",
"tramp advert",
"black paper",
"createdate",
"subject laser",
"title laser",
"format",
"types of",
"japan",
"regsetvalueexa",
"regdword",
"regbinary",
"module download",
"tls handshake",
"high",
"defense evasion",
"discovery att",
"adversaries",
"title",
"role",
"flag",
"name server",
"server",
"domain address",
"markmonitor",
"clicktale ltd",
"enom",
"whoisguard",
"medium",
"unicode",
"rgba",
"delete",
"crlf line",
"next",
"dock",
"execution",
"date",
"users",
"tls sni",
"total",
"cnc domain",
"search",
"oamazon",
"cnamazon rsa",
"push",
"failure yara",
"contacted",
"hours ago",
"created",
"cia",
"fbi",
"telegram",
"tulach",
"sabey",
"state",
"gov",
"ahmann",
"financial fraud",
"t-mobile",
"walmartmobile",
"life insurance",
"fidelity life",
"guarantee",
"team",
"role title",
"added active",
"scan",
"iocs",
"learn more",
"filehashsha1",
"filehashmd5",
"kw3recepten",
"domainname0",
"searchbox0",
"kw1brinta",
"kw2muesli",
"indicator role",
"title added",
"pulses url",
"cve cve20170147",
"apple",
"apple id"
],
"references": [
"https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226",
"https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com",
"http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com",
"https://bhive.nectar.social/rKvoMY",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe",
"ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,",
"TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161",
"Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.",
"EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name",
"Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.",
"Domains Contacted api.nuget.org",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png",
"https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.fidelity.com/ https://www.fidelity.com/",
"cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99",
"cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl",
"https://www.anyxxxtube.net/search-porn/",
"https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears",
"fidelity-account.com e http://fidelity-account.com/fidelity/code.html",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex",
"http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022",
"\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:",
"https://bhive.nectar.social/rKvoMY",
"apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co",
"http://appleid.app",
"https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win64:Trojan-gen",
"display_name": "Win64:Trojan-gen",
"target": null
},
{
"id": "Trojan:MSIL/Ursu.KP",
"display_name": "Trojan:MSIL/Ursu.KP",
"target": "/malware/Trojan:MSIL/Ursu.KP"
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F",
"target": null
},
{
"id": "Trojan:PDF/Phish.RR!MTB",
"display_name": "Trojan:PDF/Phish.RR!MTB",
"target": "/malware/Trojan:PDF/Phish.RR!MTB"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": ": ALF:Trojan:MSIL/Azorult.AC!",
"display_name": ": ALF:Trojan:MSIL/Azorult.AC!",
"target": null
},
{
"id": "ALF:Trojan:Win32/CryptWrapper.RT!MTB",
"display_name": "ALF:Trojan:Win32/CryptWrapper.RT!MTB",
"target": null
},
{
"id": "Trojan:Win32/Conbea!rfn",
"display_name": "Trojan:Win32/Conbea!rfn",
"target": "/malware/Trojan:Win32/Conbea!rfn"
},
{
"id": "Trojan:Win32/Ausiv!rfn",
"display_name": "Trojan:Win32/Ausiv!rfn",
"target": "/malware/Trojan:Win32/Ausiv!rfn"
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat",
"target": null
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "TrojanDropper:Win32/Qhost",
"display_name": "TrojanDropper:Win32/Qhost",
"target": "/malware/TrojanDropper:Win32/Qhost"
},
{
"id": "Trojan:Win32/Miner.KA!MTB",
"display_name": "Trojan:Win32/Miner.KA!MTB",
"target": "/malware/Trojan:Win32/Miner.KA!MTB"
},
{
"id": "DNSTrojan",
"display_name": "DNSTrojan",
"target": null
},
{
"id": "EternalRocks",
"display_name": "EternalRocks",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Government",
"Finance",
"Insurance"
],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2793,
"URL": 6639,
"FileHash-SHA256": 2462,
"domain": 1070,
"FileHash-MD5": 307,
"FileHash-SHA1": 186,
"SSLCertFingerprint": 1,
"email": 1,
"CVE": 3
},
"indicator_count": 13462,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "97 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"",
"Antivirus Detections: Trojan:Win32/Dorv.A",
"The Blender Foundation",
"https://fs25.mygamesteam.com/download/underground-parking/",
"Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
"website \u2022 http://oldapps.com/blender.php?old_blender=7584",
"EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"http://www.a.nigger.cat/ocnxdv.exe \u2022 https://a.nigger.cat/pwzbrt.txt",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community",
"http://a.nigger.cat/ovefvy.html \u2022 http://a.nigger.cat/snkikb.rar \u2022 http://a.nigger.cat/unipms.exe",
"Unix.Dropper.Mirai-7135925-0 , DDoS:Linux/Gafgyt.YA!MTB Yara Detections is__elf , ECHOBOT",
"ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"TAGS: add dynamicloader ecdsa echobot echobot related encrypt entries error evasion att",
"TAGS: cloudflare cloudflarenet command config connection copy crazyfrost cyber attacks",
"Yara: Detections Delphi",
"Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks",
"http://a.nigger.cat/ypphgg.exe \u2022 http://u.nigger.cat/ \u2022 https://a.nigger.cat/",
"https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d",
"Yara Detections XOR_embeded_exefile_xored_with_round_256_bytes_key",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html",
"cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99",
"https://www.anyxxxtube.net/search-porn/",
"TAGS: mtb yara name servers name tactics network traffic new browser next associated next",
"TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passive dns path pattern match pink screen port possible prefetch8 present dec present feb present jan",
"TAGS: sample analysis se domains search security quic add source level span spawns spy",
"https://ftp.apple4you.it \u2022 http://cpcalendars.apple4you.it \u2022 http://cpcontacts.apple4you.it \u2022",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022",
"TAGS: trojan trojandropper trojanspy united unknown unknown aaaa unknown ns updater",
"adsparkahz.shop \u2022 https://adsparkahz.shop/ \u2022 parkedbits.com",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"ET TROJAN W32/Kegotip CnC Beacon",
"TAGS: aaaa accept activity address adversaries aes128gcm ahmann all hostname all ipv4 as15169",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"Yara Detections: is__elf , ECHOBOT",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe",
"https://parkedbits.com \u2022 spiritzuridgerunelahubcloudgusparkx.rest",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"http://ftp.apple4you.it \u2022 http://www.apple4you.it/ \u2022https://cpcalendars.apple4you.it \u2022",
"https://hybrid-analysis.com/sample/01a1a2106bcddc591cab08d31c13966bd0413fe312bce9be396e964e114631a6/697f8c04475b90e7fb0d7ff9",
"https://hybrid-analysis.com/sample/e4999984a69a65a69bec9fef1200f7ec36a10bc401cdd15db3510fdc87ec5008/697fb0fec4a9bda3410454cf",
"https://cpcontacts.apple4you.it",
"It appears there are 5-7 known affected that I was able to find",
"Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"Domains Contacted: whatismyipaddress.com whatismyip.everdot.org www.facebook.com",
"https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears",
"TAGS: christopher p christopher p. \u2018buzz\u2019 ahmann ck id ck matrix ck techniques clare click cloud",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"https://www.virustotal.com/gui/file/fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f/summary",
"TAGS: expiration date explorer extraction facebook facebook failed february filehash files files ip",
"android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]",
"Alerts: infostealer_cookies antiav_detectfile",
"Requires further research.",
"https://hybrid-analysis.com/sample/3aaca21b3918eecd127867bdd724611398cf897a0686fedfde1d424b7ad6130a",
"ELF:DDoS-S\\ [Trj] , Unix.Trojan.Gafgyt-6981154-0 , DDoS:Linux/Gafgyt.YA!MTB",
"IP\u2019s Contacted: 188.223.42.134 78.57.88.30 84.73.234.83 78.84.44.225 89.252.203.80",
"Alerts: disables_uac infostealer_keylog modify_uac_prompt anomalous_deletefile",
"fidelity-account.com e http://fidelity-account.com/fidelity/code.html",
"AppleWebKit Christopher P. \u2018BUZZ\u2019 Ahmann interference",
"Alerts: dead_host network_icmp tcp_by",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"TAGS: detection detections detections name development att direct dirty dns resolutions domain",
"IDS Detections: Suspicious Activity potential UPnProxy",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"TAGS: state of colorado stream strings suspicious t1590 gather tcp syn title tools tr trex triangulation",
"https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226",
"https://hybrid-analysis.com/sample/f6ccff8dec08334fab98d4f6cb9b2774acd00e98d1afabd219c2634d5b3e2147/697faa178cc598cfb90b0423",
"cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf",
"apple4you.it \u2022 https://www.apple4you.it/ \u2022 cpcalendars.apple4you.it \u2022 ftp.apple4you.it \u2022",
"IDS Detections: Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host)",
"Alerts: network_bind persistence_autorun binary_yara procmem_yara suricata_alert",
"TAGS: json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com",
"TAGS: flag gecko general general full general info generator geo hungary guard hackers hash hide",
"9e8c2f9e77b4b6a7538e4136d3bda379c560dc1a5931643da119da2f28881e4d\tELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0\tDDoS:Linux/Gafgyt.YA!MTB",
"oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download",
"Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)",
"http://spiritzuridgerunelahubcloudgusparkx.rest/",
"TAGS: av detections av exploit belgium belgium unknown binbusybox bits body canada unknown",
"Domains Contacted api.nuget.org",
"TAGS: pink screen port possible prefetch8 present program protocol h3 ptr record none push",
"https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com",
"apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co",
"Alerts: antiav_servicestop antisandbox_sleep process_creation_suspicious_location",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Domains Contacted: www.whatismyip.com www.showmyipaddress.com www.whatismyip.ca",
"Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name",
"www.crazyfrost.com IPv4 104.21.5.49 IPv4 172.67.132.250",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e",
"IP\u2019s Contacted: 77.76.39.110 104.156.155.94 77.77.13.89 78.61.87.173 78.63.104.75",
"http://a.nigger.cat/ltbexb.jpg \u2022 http://a.nigger.cat/ocnxdv.exe \u2022 http://a.nigger.cat/ocnxdv.exe/",
"TAGS: yara niggercat none file null object os x outbound passive dns path pattern match",
"https://l.us-1.a.mimecastprotect.com/l",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"TAGS: upnproxy url analysis url https url text urls verified verify veryhigh victim network vubbuv win32 win64 windows windows nt windows server worm write write c yara detections yara rule",
"TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver",
"nigger.cat \u2022 http://a.nigger.cat/ \u2022 http://a.nigger.cat/imrred.exe \u2022 http://a.nigger.cat/iwzptk.pdf \u2022",
"Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /",
"TAGS: as29278 deninet as29728 cottage as47325 ascii text asn as29278 asn as29728 asn13335",
"Alerts: dynamic_function_loading reads_memory_remote_process packer_entropy network_http",
"Domains Contacted: fexexwjehud.org lxclombt.net jpnzlsaqogv.com esccuyigsy.org",
"My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all.",
"IDS Detections: Domain in DNS Lookup (whatismyipaddress .com) IP Check",
"output.228572717.txt [fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f]",
"IDS Detections ET POLICY Suspicious User-Agent Containing .exe",
"hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann",
"https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934",
"http://appleid.app",
"TAGS: macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec",
"TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161",
"Antivirus Detections: Win.Malware.Pits-10035540-0",
"Same legal , and quasi governmental pattern identified",
"Alerts: mouse_movement_detect dead_connect enumerates_running_processes process_needed",
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"IDS Detections: Domain (whatismyipaddress .com in HTTP Host)",
"127.0.0.1 Private IP Address \u2022 http://facebook.com/iWebTechnologies",
"TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections",
"Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"TAGS. redirect refresh related tags remoteIPAddress resource restart reverse dns route runner",
"I apologize for the lack of reference.",
"https://www.facebook.com/groups/378607181955796/posts/773093455840498/?hpir=1&http_ref=eyJ0cyI6MTc2OTk2MDkxOTAwMCwiciI6IiJ9",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"https://bhive.nectar.social/rKvoMY",
"TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passiv",
"Verification failure observed in automated verification handlers during sandbox replay.",
"IDS Detections: IP Check Domain (showmyipaddress .com in HTTP Host) External IP Lookup",
"TAGS: data upload date date hash ddos dead connection default defense evasion delphi destination",
"TAGS: pyspark python python initiated quic ransom recipes record value redacted for",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"https://www.fidelity.com/ https://www.fidelity.com/",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram",
"div>
",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"4-0 win.malware.pits-10035540-0",
"Deathhiddentear (large&small ht) >",
"Win.trojan.agent-245901",
"Trojan:win32/dorv.a",
"Pykspa.c",
"Ddos:linux/gafgyt.ya!mtb",
"#lowfienabledtcontinueafterunpacking",
"Downloader.generic13.bobz",
"Alf:trojan:win32/cryptwrapper.rt!mtb",
"Trojan:win32/ausiv!rfn",
"Elf:ddos-s\\ [trj]",
"Generic36.aiaa.dropper",
"Trojan:win32/miner.ka!mtb",
"Alf:heraklezeval:trojan:win32/clipbanker",
"Alf:heraklezeval:trojan:msil/gravityrat",
"Trojan:msil/ursu.kp",
"Trendmicro",
"#lowfi:lua:dllsuspiciousexport.a",
": alf:trojan:msil/azorult.ac!",
"Trojan:win32/smkldr.h!mtb",
"Hider.biy",
"Win.trojan.rootkit-4532",
"Dnstrojan",
"Tofsee",
"Trojan:win32/conbea!rfn",
"Icedid",
"Tr",
"Win32:trojanx-gen\\ [trj]",
"Win32/blacked",
"Win.packed.usteal-7531303-0",
"Trojandropper:win32/qhost",
"Generic36.adty",
"Win.trojan.injector-12138",
"W32/kegotip cnc",
"Unix.trojan.gafgyt-698115",
"Sf:shellcode-au",
"Trojan:pdf/phish.rr!mtb",
"Worm.autorun-6180",
"Win32/virut",
"W32.virut.ci",
"Alf:heraklezeval:trojan:win32/eqtonex.f",
"Bouncycastle",
"Win32/ramnit.a",
"Win32.injector",
"Eternalrocks",
"Win.trojan.fareit-82",
"Et",
"Downloader.generic13.cmtw",
"Trojan:bat/musecador",
"Win64:trojan-gen",
"Mydoom",
"Generic36.ajsm"
],
"industries": [
"Technology",
"Telecom",
"Government",
"Insurance",
"Finance",
"Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in",
"Legal"
],
"unique_indicators": 168828
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/one.one",
"whois": "http://whois.domaintools.com/one.one",
"domain": "one.one",
"hostname": "one.one.one.one"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 7,
"pulses": [
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-05-17T15:52:35.396000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
"My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 28000,
"FileHash-SHA256": 48374,
"FileHash-MD5": 42596,
"FileHash-SHA1": 23243,
"hostname": 35654,
"URL": 75758,
"SSLCertFingerprint": 30,
"CVE": 7585,
"email": 316,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"URI": 5,
"IPv4": 574,
"Mutex": 1
},
"indicator_count": 288350,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 92,
"modified_text": "13 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf64e1d5e06aa6207f78de",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:21.863000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 149,
"modified_text": "65 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf64eccb5d39a90a3c391e",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:32.565000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 152,
"modified_text": "65 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "698037098c99c37cb91037c2",
"name": "Busy Box MITM Attacks via Drive-by-Compromise | Facebook | Apple",
"description": "Busy Box - MITM Attack\n\nDrive-by-Compromise | Facebook | Jamie Oliver Recipes | My sister-in-law made this once and I couldn\u2019t stop eating it. \nAdversarial Facebook pop up posts. .\n\n|| Pykspa.C Check in. \"Pykspa is a type of Remote Access Trojan (RAT). A powerful a worm that spreads via social media or via DGA algorithms. Parking crews are fond of these types of attacks. Christopher Ahmann",
"modified": "2026-03-04T04:07:14.513000",
"created": "2026-02-02T05:32:57.303000",
"tags": [
"no expiration",
"filehashsha256",
"ipv4",
"url http",
"domain",
"hostname",
"filehashmd5",
"filehashsha1",
"iocs",
"url https",
"search",
"type indicator",
"review iocs",
"role title",
"create new",
"pulse use",
"pdf report",
"pcap",
"extraction",
"sc data",
"extre data",
"include review",
"exclude sugges",
"data upload",
"failed",
"find s",
"oo data",
"enter source",
"url or",
"text drag",
"expiration",
"showing",
"entries",
"protect",
"pulse show",
"email abuse",
"related pulses",
"indicator role",
"returnurl no",
"drop",
"pulse provide",
"public tlp",
"green",
"adversary tags",
"buzz",
"x8664",
"add tag",
"groups add",
"add industry",
"trojan",
"tags"
],
"references": [
"https://www.facebook.com/groups/378607181955796/posts/773093455840498/?hpir=1&http_ref=eyJ0cyI6MTc2OTk2MDkxOTAwMCwiciI6IiJ9",
"www.crazyfrost.com IPv4 104.21.5.49 IPv4 172.67.132.250",
"Antivirus Detections: Trojan:Win32/Dorv.A",
"IDS Detections: Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host)",
"IDS Detections: IP Check Domain (showmyipaddress .com in HTTP Host) External IP Lookup",
"IDS Detections: Domain in DNS Lookup (whatismyipaddress .com) IP Check",
"IDS Detections: Domain (whatismyipaddress .com in HTTP Host)",
"Yara Detections XOR_embeded_exefile_xored_with_round_256_bytes_key",
"Alerts: antiav_servicestop antisandbox_sleep process_creation_suspicious_location",
"Alerts: network_bind persistence_autorun binary_yara procmem_yara suricata_alert",
"Alerts: disables_uac infostealer_keylog modify_uac_prompt anomalous_deletefile",
"Alerts: mouse_movement_detect dead_connect enumerates_running_processes process_needed",
"Alerts: dynamic_function_loading reads_memory_remote_process packer_entropy network_http",
"IP\u2019s Contacted: 188.223.42.134 78.57.88.30 84.73.234.83 78.84.44.225 89.252.203.80",
"IP\u2019s Contacted: 77.76.39.110 104.156.155.94 77.77.13.89 78.61.87.173 78.63.104.75",
"Domains Contacted: www.whatismyip.com www.showmyipaddress.com www.whatismyip.ca",
"Domains Contacted: whatismyipaddress.com whatismyip.everdot.org www.facebook.com",
"Domains Contacted: fexexwjehud.org lxclombt.net jpnzlsaqogv.com esccuyigsy.org",
"Antivirus Detections: Win.Malware.Pits-10035540-0",
"Yara: Detections Delphi",
"Alerts: infostealer_cookies antiav_detectfile",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"nigger.cat \u2022 http://a.nigger.cat/ \u2022 http://a.nigger.cat/imrred.exe \u2022 http://a.nigger.cat/iwzptk.pdf \u2022",
"http://a.nigger.cat/ltbexb.jpg \u2022 http://a.nigger.cat/ocnxdv.exe \u2022 http://a.nigger.cat/ocnxdv.exe/",
"http://a.nigger.cat/ovefvy.html \u2022 http://a.nigger.cat/snkikb.rar \u2022 http://a.nigger.cat/unipms.exe",
"http://a.nigger.cat/ypphgg.exe \u2022 http://u.nigger.cat/ \u2022 https://a.nigger.cat/",
"http://www.a.nigger.cat/ocnxdv.exe \u2022 https://a.nigger.cat/pwzbrt.txt",
"output.228572717.txt [fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f]",
"https://www.virustotal.com/gui/file/fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f/summary",
"https://hybrid-analysis.com/sample/3aaca21b3918eecd127867bdd724611398cf897a0686fedfde1d424b7ad6130a",
"https://hybrid-analysis.com/sample/e4999984a69a65a69bec9fef1200f7ec36a10bc401cdd15db3510fdc87ec5008/697fb0fec4a9bda3410454cf",
"https://hybrid-analysis.com/sample/f6ccff8dec08334fab98d4f6cb9b2774acd00e98d1afabd219c2634d5b3e2147/697faa178cc598cfb90b0423",
"https://hybrid-analysis.com/sample/01a1a2106bcddc591cab08d31c13966bd0413fe312bce9be396e964e114631a6/697f8c04475b90e7fb0d7ff9",
"apple4you.it \u2022 https://www.apple4you.it/ \u2022 cpcalendars.apple4you.it \u2022 ftp.apple4you.it \u2022",
"https://ftp.apple4you.it \u2022 http://cpcalendars.apple4you.it \u2022 http://cpcontacts.apple4you.it \u2022",
"http://ftp.apple4you.it \u2022 http://www.apple4you.it/ \u2022https://cpcalendars.apple4you.it \u2022",
"https://cpcontacts.apple4you.it",
"AppleWebKit Christopher P. \u2018BUZZ\u2019 Ahmann interference",
"adsparkahz.shop \u2022 https://adsparkahz.shop/ \u2022 parkedbits.com",
"https://parkedbits.com \u2022 spiritzuridgerunelahubcloudgusparkx.rest",
"https://fs25.mygamesteam.com/download/underground-parking/",
"http://spiritzuridgerunelahubcloudgusparkx.rest/",
"127.0.0.1 Private IP Address \u2022 http://facebook.com/iWebTechnologies",
"9e8c2f9e77b4b6a7538e4136d3bda379c560dc1a5931643da119da2f28881e4d\tELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0\tDDoS:Linux/Gafgyt.YA!MTB",
"ELF:DDoS-S\\ [Trj] , Unix.Trojan.Gafgyt-6981154-0 , DDoS:Linux/Gafgyt.YA!MTB",
"IDS Detections: Suspicious Activity potential UPnProxy",
"Yara Detections: is__elf , ECHOBOT",
"Alerts: dead_host network_icmp tcp_by",
"Unix.Dropper.Mirai-7135925-0 , DDoS:Linux/Gafgyt.YA!MTB Yara Detections is__elf , ECHOBOT",
"TAGS: aaaa accept activity address adversaries aes128gcm ahmann all hostname all ipv4 as15169",
"TAGS: as29278 deninet as29728 cottage as47325 ascii text asn as29278 asn as29728 asn13335",
"TAGS: av detections av exploit belgium belgium unknown binbusybox bits body canada unknown",
"TAGS: christopher p christopher p. \u2018buzz\u2019 ahmann ck id ck matrix ck techniques clare click cloud",
"TAGS: cloudflare cloudflarenet command config connection copy crazyfrost cyber attacks",
"TAGS: data upload date date hash ddos dead connection default defense evasion delphi destination",
"TAGS: detection detections detections name development att direct dirty dns resolutions domain",
"TAGS: add dynamicloader ecdsa echobot echobot related encrypt entries error evasion att",
"TAGS: expiration date explorer extraction facebook facebook failed february filehash files files ip",
"TAGS: flag gecko general general full general info generator geo hungary guard hackers hash hide",
"TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passiv",
"TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections",
"TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passive dns path pattern match pink screen port possible prefetch8 present dec present feb present jan",
"TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver",
"TAGS: json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey",
"TAGS: macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec",
"TAGS: mtb yara name servers name tactics network traffic new browser next associated next",
"TAGS: yara niggercat none file null object os x outbound passive dns path pattern match",
"TAGS: pink screen port possible prefetch8 present program protocol h3 ptr record none push",
"TAGS: pyspark python python initiated quic ransom recipes record value redacted for",
"TAGS. redirect refresh related tags remoteIPAddress resource restart reverse dns route runner",
"TAGS: sample analysis se domains search security quic add source level span spawns spy",
"TAGS: state of colorado stream strings suspicious t1590 gather tcp syn title tools tr trex triangulation",
"TAGS: trojan trojandropper trojanspy united unknown unknown aaaa unknown ns updater",
"TAGS: upnproxy url analysis url https url text urls verified verify veryhigh victim network vubbuv win32 win64 windows windows nt windows server worm write write c yara detections yara rule"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Hungary"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "DDos:Linux/Gafgyt.YA!MTB",
"display_name": "DDos:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDos:Linux/Gafgyt.YA!MTB"
},
{
"id": "ELF:DDoS-S\\ [Trj]",
"display_name": "ELF:DDoS-S\\ [Trj]",
"target": null
},
{
"id": "Pykspa.C",
"display_name": "Pykspa.C",
"target": null
},
{
"id": "Trojan:Win32/Dorv.A",
"display_name": "Trojan:Win32/Dorv.A",
"target": "/malware/Trojan:Win32/Dorv.A"
},
{
"id": "Unix.Trojan.Gafgyt-698115",
"display_name": "Unix.Trojan.Gafgyt-698115",
"target": null
},
{
"id": "4-0 Win.Malware.Pits-10035540-0",
"display_name": "4-0 Win.Malware.Pits-10035540-0",
"target": null
},
{
"id": "Win.Packed.Usteal-7531303-0",
"display_name": "Win.Packed.Usteal-7531303-0",
"target": null
},
{
"id": "tR",
"display_name": "tR",
"target": null
},
{
"id": "DeathHiddenTear (Large&Small HT) >",
"display_name": "DeathHiddenTear (Large&Small HT) >",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1586,
"FileHash-SHA1": 1479,
"FileHash-SHA256": 1938,
"URL": 4548,
"domain": 1052,
"hostname": 2501,
"email": 9,
"SSLCertFingerprint": 7,
"CIDR": 2
},
"indicator_count": 13122,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "88 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6975c5cd4db6104ea1a3d69b",
"name": "The Blender Foundation BouncyCastle-Virut | Malware /Stealer Empty FileHash | Eternal7 (Shadow Broker) Related",
"description": "Empty FileHash isn\u2019t benign. Interesting relationships to the Eternal 7. Malware, Stealer and Suspicious History File Operation. BouncyCastle-Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys / Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"modified": "2026-02-24T06:02:43.853000",
"created": "2026-01-25T07:27:09.640000",
"tags": [
"empty",
"blender",
"eurostile",
"augustin",
"butterfield",
"cook",
"drummer",
"erickson",
"fjsv",
"flynn",
"gorman",
"holmes",
"easy",
"rada",
"xanadu",
"config",
"reboot",
"screen",
"microsoft",
"commerce server",
"edition",
"draw",
"exchange server",
"tools",
"linux",
"ideal link",
"nsrl test",
"nist",
"file",
"cultureneutral",
"fix pack",
"free download",
"bouncycastle",
"read c",
"search",
"et trojan",
"w32kegotip cnc",
"whitelisted",
"ids detections",
"intel",
"write",
"trojan",
"malware",
"yara detections",
"productversion",
"fileversion",
"av detections",
"alerts",
"analysis date",
"file score",
"united",
"aaaa",
"passive dns",
"ip address",
"present dec",
"body html",
"head meta",
"title",
"urls",
"url https",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"beacon",
"et",
"ipv4",
"files",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"related pulses",
"show",
"win32virut",
"destination",
"port",
"ms windows",
"pe32",
"medium",
"suspicious",
"virustotal",
"startul",
"shadowbrokers",
"total",
"delete",
"artemis",
"win32.injector",
"trendmicro",
"data upload",
"extraction",
"included iocs"
],
"references": [
"The Blender Foundation",
"website \u2022 http://oldapps.com/blender.php?old_blender=7584",
"oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]",
"Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community",
"Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks",
"ET TROJAN W32/Kegotip CnC Beacon",
"IDS Detections ET POLICY Suspicious User-Agent Containing .exe",
"Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit",
"Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /",
"Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "BouncyCastle",
"display_name": "BouncyCastle",
"target": null
},
{
"id": "Sf:ShellCode-AU",
"display_name": "Sf:ShellCode-AU",
"target": null
},
{
"id": "Win.Trojan.Fareit-82",
"display_name": "Win.Trojan.Fareit-82",
"target": null
},
{
"id": "Win.Trojan.Agent-245901",
"display_name": "Win.Trojan.Agent-245901",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "W32/Kegotip CnC",
"display_name": "W32/Kegotip CnC",
"target": null
},
{
"id": "W32.Virut.ci",
"display_name": "W32.Virut.ci",
"target": null
},
{
"id": "Downloader.Generic13.CMTW",
"display_name": "Downloader.Generic13.CMTW",
"target": null
},
{
"id": "Downloader.Generic13.BOBZ",
"display_name": "Downloader.Generic13.BOBZ",
"target": null
},
{
"id": "Win.Trojan.Injector-12138",
"display_name": "Win.Trojan.Injector-12138",
"target": null
},
{
"id": "Generic36.ADTY",
"display_name": "Generic36.ADTY",
"target": null
},
{
"id": "Generic36.AIAA.Dropper",
"display_name": "Generic36.AIAA.Dropper",
"target": null
},
{
"id": "Generic36.AJSM",
"display_name": "Generic36.AJSM",
"target": null
},
{
"id": "Win32/Virut",
"display_name": "Win32/Virut",
"target": null
},
{
"id": "Win32/Ramnit.A",
"display_name": "Win32/Ramnit.A",
"target": null
},
{
"id": "Worm.Autorun-6180",
"display_name": "Worm.Autorun-6180",
"target": null
},
{
"id": "Hider.BIY",
"display_name": "Hider.BIY",
"target": null
},
{
"id": "Win.Trojan.Rootkit-4532",
"display_name": "Win.Trojan.Rootkit-4532",
"target": null
},
{
"id": "Win32/Blacked",
"display_name": "Win32/Blacked",
"target": null
},
{
"id": "Win32.Injector",
"display_name": "Win32.Injector",
"target": null
},
{
"id": "TrendMicro",
"display_name": "TrendMicro",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 71,
"FileHash-SHA256": 853,
"URL": 1639,
"domain": 288,
"FileHash-MD5": 78,
"hostname": 545
},
"indicator_count": 3474,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "697488f095f69d392afd00fb",
"name": "Fidelity Investments \u2022\u2019 EternalRocks | Financial Crimes",
"description": "Fidelity Life and Guarantee defaults to Fidelity Investments. Long standing issue. Possible phishing email interception. Multiple accounts stolen at the time a man who presents himself as M. Brian Sabey Esq. Elder/Estate attorney unable to\nsettle life claim more action was requested. Attorney repeatedly redirected to an investment team. We decided to use targets phone to\ntest results , payout is overdue. Illegal tactics were used to defraud victim/s.. Fraud operators ask for SSN and later state they cannot help. L of Fraud phone , \u2018team\u2019 cannot complete internal phone transfers.,can conference you in to other people who act confused , disheveled who also\nask for SSN. \n\nSince victims experiences less\nthan covert interactions, I\u2019m unclear as to why there is a strong FBI, CIA , Palantir Foundry presence. It\u2019s rattling . \nReiterating : Entity steals financial products, health , life insurance policies, investment accounts, credit card frauds , bank accounts,intellectual property anything of value.",
"modified": "2026-02-23T07:04:04.285000",
"created": "2026-01-24T08:55:12.845000",
"tags": [
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"ck techniques",
"evasion att",
"t1480 execution",
"href",
"ascii text",
"pattern match",
"mitre att",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"form",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"active related",
"url https",
"related pulses",
"url http",
"united",
"czechia",
"hong kong",
"ipv4",
"indicators hong",
"kong",
"south korea",
"netherlands",
"germany",
"ireland",
"denmark",
"sweden",
"active",
"government",
"finance",
"security",
"type indicator",
"yara detections",
"av detections",
"ids detections",
"alerts",
"analysis date",
"mcsf",
"microsoft",
"yara",
"insurance",
"fidelity investments",
"description",
"fidelity international",
"ms windows",
"pe32",
"writeconsolew",
"read c",
"pe32 executable",
"t1045",
"susp",
"write",
"win64",
"malware",
"modified",
"ck ids",
"t1040",
"sniffing",
"packing",
"t1112",
"packing t1045",
"icmp traffic",
"memcommit",
"pe section",
"low software",
"pe resource",
"win32",
"trojan",
"april",
"sara ligorria",
"tramp advert",
"black paper",
"createdate",
"subject laser",
"title laser",
"format",
"types of",
"japan",
"regsetvalueexa",
"regdword",
"regbinary",
"module download",
"tls handshake",
"high",
"defense evasion",
"discovery att",
"adversaries",
"title",
"role",
"flag",
"name server",
"server",
"domain address",
"markmonitor",
"clicktale ltd",
"enom",
"whoisguard",
"medium",
"unicode",
"rgba",
"delete",
"crlf line",
"next",
"dock",
"execution",
"date",
"users",
"tls sni",
"total",
"cnc domain",
"search",
"oamazon",
"cnamazon rsa",
"push",
"failure yara",
"contacted",
"hours ago",
"created",
"cia",
"fbi",
"telegram",
"tulach",
"sabey",
"state",
"gov",
"ahmann",
"financial fraud",
"t-mobile",
"walmartmobile",
"life insurance",
"fidelity life",
"guarantee",
"team",
"role title",
"added active",
"scan",
"iocs",
"learn more",
"filehashsha1",
"filehashmd5",
"kw3recepten",
"domainname0",
"searchbox0",
"kw1brinta",
"kw2muesli",
"indicator role",
"title added",
"pulses url",
"cve cve20170147",
"apple",
"apple id"
],
"references": [
"https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226",
"https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com",
"http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com",
"https://bhive.nectar.social/rKvoMY",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe",
"ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,",
"TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161",
"Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.",
"EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name",
"Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.",
"Domains Contacted api.nuget.org",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png",
"https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.fidelity.com/ https://www.fidelity.com/",
"cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99",
"cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl",
"https://www.anyxxxtube.net/search-porn/",
"https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears",
"fidelity-account.com e http://fidelity-account.com/fidelity/code.html",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex",
"http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022",
"\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:",
"https://bhive.nectar.social/rKvoMY",
"apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co",
"http://appleid.app",
"https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win64:Trojan-gen",
"display_name": "Win64:Trojan-gen",
"target": null
},
{
"id": "Trojan:MSIL/Ursu.KP",
"display_name": "Trojan:MSIL/Ursu.KP",
"target": "/malware/Trojan:MSIL/Ursu.KP"
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F",
"target": null
},
{
"id": "Trojan:PDF/Phish.RR!MTB",
"display_name": "Trojan:PDF/Phish.RR!MTB",
"target": "/malware/Trojan:PDF/Phish.RR!MTB"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": ": ALF:Trojan:MSIL/Azorult.AC!",
"display_name": ": ALF:Trojan:MSIL/Azorult.AC!",
"target": null
},
{
"id": "ALF:Trojan:Win32/CryptWrapper.RT!MTB",
"display_name": "ALF:Trojan:Win32/CryptWrapper.RT!MTB",
"target": null
},
{
"id": "Trojan:Win32/Conbea!rfn",
"display_name": "Trojan:Win32/Conbea!rfn",
"target": "/malware/Trojan:Win32/Conbea!rfn"
},
{
"id": "Trojan:Win32/Ausiv!rfn",
"display_name": "Trojan:Win32/Ausiv!rfn",
"target": "/malware/Trojan:Win32/Ausiv!rfn"
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat",
"target": null
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "TrojanDropper:Win32/Qhost",
"display_name": "TrojanDropper:Win32/Qhost",
"target": "/malware/TrojanDropper:Win32/Qhost"
},
{
"id": "Trojan:Win32/Miner.KA!MTB",
"display_name": "Trojan:Win32/Miner.KA!MTB",
"target": "/malware/Trojan:Win32/Miner.KA!MTB"
},
{
"id": "DNSTrojan",
"display_name": "DNSTrojan",
"target": null
},
{
"id": "EternalRocks",
"display_name": "EternalRocks",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Government",
"Finance",
"Insurance"
],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2793,
"URL": 6639,
"FileHash-SHA256": 2462,
"domain": 1070,
"FileHash-MD5": 307,
"FileHash-SHA1": 186,
"SSLCertFingerprint": 1,
"email": 1,
"CVE": 3
},
"indicator_count": 13462,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "97 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://one.one.one.one/dns-queryoint.initialized.clear.",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://one.one.one.one/dns-queryoint.initialized.clear.",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780237750.6994126
}