{
"type": "URL",
"indicator": "https://open.assembly.go.kr/portal/openapi/selectInfsOpenApiListPaging.do",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://open.assembly.go.kr/portal/openapi/selectInfsOpenApiListPaging.do",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4136356586,
"indicator": "https://open.assembly.go.kr/portal/openapi/selectInfsOpenApiListPaging.do",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 25,
"pulses": [
{
"id": "69b2b92a27c47d4e28927364",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:24:26.110000",
"created": "2026-03-12T13:01:30.067000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 73,
"modified_text": "80 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b9295603a6100edfa8c8",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:24:25.387000",
"created": "2026-03-12T13:01:29.284000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 69,
"modified_text": "80 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b927aa7f10e82639d204",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:27.872000",
"created": "2026-03-12T13:01:27.872000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "80 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b927c086397130c5d114",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:27.275000",
"created": "2026-03-12T13:01:27.275000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "80 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b926871746ed8a1bc324",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:26.440000",
"created": "2026-03-12T13:01:26.440000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "80 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b925e85c948d4dd608cc",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:25.852000",
"created": "2026-03-12T13:01:25.852000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "80 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8e974189d2c41f07ed8",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:25.910000",
"created": "2026-03-12T13:00:25.910000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "80 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8e74d2b3effd55f88c3",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:23.173000",
"created": "2026-03-12T13:00:23.173000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "80 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8dfbf8426a7a1d0146d",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:15.427000",
"created": "2026-03-12T13:00:15.427000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "80 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8d7123610591625b8fb",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:07.354000",
"created": "2026-03-12T13:00:07.354000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "80 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8d61e3f64a8f1f169b6",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:06.214000",
"created": "2026-03-12T13:00:06.214000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "80 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8d24eeb4200bdb1d702",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:02.096000",
"created": "2026-03-12T13:00:02.096000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "80 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6975c5cd4db6104ea1a3d69b",
"name": "The Blender Foundation BouncyCastle-Virut | Malware /Stealer Empty FileHash | Eternal7 (Shadow Broker) Related",
"description": "Empty FileHash isn\u2019t benign. Interesting relationships to the Eternal 7. Malware, Stealer and Suspicious History File Operation. BouncyCastle-Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys / Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"modified": "2026-02-24T06:02:43.853000",
"created": "2026-01-25T07:27:09.640000",
"tags": [
"empty",
"blender",
"eurostile",
"augustin",
"butterfield",
"cook",
"drummer",
"erickson",
"fjsv",
"flynn",
"gorman",
"holmes",
"easy",
"rada",
"xanadu",
"config",
"reboot",
"screen",
"microsoft",
"commerce server",
"edition",
"draw",
"exchange server",
"tools",
"linux",
"ideal link",
"nsrl test",
"nist",
"file",
"cultureneutral",
"fix pack",
"free download",
"bouncycastle",
"read c",
"search",
"et trojan",
"w32kegotip cnc",
"whitelisted",
"ids detections",
"intel",
"write",
"trojan",
"malware",
"yara detections",
"productversion",
"fileversion",
"av detections",
"alerts",
"analysis date",
"file score",
"united",
"aaaa",
"passive dns",
"ip address",
"present dec",
"body html",
"head meta",
"title",
"urls",
"url https",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"beacon",
"et",
"ipv4",
"files",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"related pulses",
"show",
"win32virut",
"destination",
"port",
"ms windows",
"pe32",
"medium",
"suspicious",
"virustotal",
"startul",
"shadowbrokers",
"total",
"delete",
"artemis",
"win32.injector",
"trendmicro",
"data upload",
"extraction",
"included iocs"
],
"references": [
"The Blender Foundation",
"website \u2022 http://oldapps.com/blender.php?old_blender=7584",
"oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]",
"Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community",
"Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks",
"ET TROJAN W32/Kegotip CnC Beacon",
"IDS Detections ET POLICY Suspicious User-Agent Containing .exe",
"Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit",
"Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /",
"Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "BouncyCastle",
"display_name": "BouncyCastle",
"target": null
},
{
"id": "Sf:ShellCode-AU",
"display_name": "Sf:ShellCode-AU",
"target": null
},
{
"id": "Win.Trojan.Fareit-82",
"display_name": "Win.Trojan.Fareit-82",
"target": null
},
{
"id": "Win.Trojan.Agent-245901",
"display_name": "Win.Trojan.Agent-245901",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "W32/Kegotip CnC",
"display_name": "W32/Kegotip CnC",
"target": null
},
{
"id": "W32.Virut.ci",
"display_name": "W32.Virut.ci",
"target": null
},
{
"id": "Downloader.Generic13.CMTW",
"display_name": "Downloader.Generic13.CMTW",
"target": null
},
{
"id": "Downloader.Generic13.BOBZ",
"display_name": "Downloader.Generic13.BOBZ",
"target": null
},
{
"id": "Win.Trojan.Injector-12138",
"display_name": "Win.Trojan.Injector-12138",
"target": null
},
{
"id": "Generic36.ADTY",
"display_name": "Generic36.ADTY",
"target": null
},
{
"id": "Generic36.AIAA.Dropper",
"display_name": "Generic36.AIAA.Dropper",
"target": null
},
{
"id": "Generic36.AJSM",
"display_name": "Generic36.AJSM",
"target": null
},
{
"id": "Win32/Virut",
"display_name": "Win32/Virut",
"target": null
},
{
"id": "Win32/Ramnit.A",
"display_name": "Win32/Ramnit.A",
"target": null
},
{
"id": "Worm.Autorun-6180",
"display_name": "Worm.Autorun-6180",
"target": null
},
{
"id": "Hider.BIY",
"display_name": "Hider.BIY",
"target": null
},
{
"id": "Win.Trojan.Rootkit-4532",
"display_name": "Win.Trojan.Rootkit-4532",
"target": null
},
{
"id": "Win32/Blacked",
"display_name": "Win32/Blacked",
"target": null
},
{
"id": "Win32.Injector",
"display_name": "Win32.Injector",
"target": null
},
{
"id": "TrendMicro",
"display_name": "TrendMicro",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 71,
"FileHash-SHA256": 853,
"URL": 1639,
"domain": 288,
"FileHash-MD5": 78,
"hostname": 545
},
"indicator_count": 3474,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "97 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6967bc8b26b69d4dc2604a13",
"name": "Telegram@V2ray_Alpha/ | Mirai | ExhoBot CNC | EtT",
"description": "Inbound Outbound connections. Tel et error. Hacking activity affecting various forms of connectivity via telecom. Possibly a controls\n computer vehicle connects to. Related? I was researching increased malicious activity aimed against a target. An associate close to target reported (mid research) Vehicle reported \u2018no longer being able to communicate. Module 5 has an error. Please contact customer service). Targets car was powered oof. No Bluetooth connection. No reports. Audio off. No phone message, connection or dial. This is targets experience not mowing what I was researching.",
"modified": "2026-02-13T15:04:30.631000",
"created": "2026-01-14T15:55:55.693000",
"tags": [
"v2rayalpha",
"united",
"unknown ns",
"unknown aaaa",
"domain add",
"urls",
"files",
"domain",
"github",
"file format",
"jkvpn",
"jointelegram",
"farahvpn vless",
"post",
"universal",
"scribd",
"typews",
"telegram",
"rdap",
"handle",
"iana registrar",
"roles",
"dnssec",
"aaaa",
"ttl value",
"rdap database",
"links",
"backdoor",
"antigua",
"virgin islands",
"status",
"org domains",
"proxy",
"ip address",
"barbuda unknown",
"passive dns",
"ipv4 add",
"twitter",
"dynamicloader",
"port",
"delete c",
"destination",
"high",
"windows",
"medium",
"displayname",
"write",
"tofsee",
"stream",
"malware",
"push",
"next",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ck techniques",
"evasion att",
"sha256",
"sha1",
"pattern match",
"ascii text",
"href",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"search",
"moved",
"record value",
"servers",
"title",
"encrypt",
"canada unknown",
"gmt content",
"reverse dns",
"location canada",
"canada asn",
"accept",
"cookie",
"dll read",
"function read",
"wscriptshell",
"shortcut",
"guard",
"error",
"present jan",
"name servers",
"registrar url",
"hong kong",
"invalid url",
"url analysis",
"location hong",
"kong flag",
"msie",
"chrome",
"type",
"media type",
"certificate",
"hostname add",
"present nov",
"present sep",
"present oct",
"expiration date",
"present dec",
"script urls",
"a domains",
"present mar",
"present feb",
"meta",
"show",
"read c",
"entries",
"read",
"intel",
"ms windows",
"delete",
"please",
"artemis",
"virustotal",
"trojan",
"mcafee",
"drweb",
"vipre",
"panda",
"write c",
"total",
"next associated",
"thursday",
"gmt cache",
"ipv4",
"form",
"date",
"mirai",
"telnet login",
"south korea",
"bad login",
"as4766 korea",
"taiwan as3462",
"china as45090",
"telnet root",
"cve201717215",
"execution",
"copy",
"contacted",
"mtb ids",
"dns query",
"variant cnc",
"domain huawei",
"remote command",
"huawei remote",
"echobot",
"linux mirai",
"monitoring",
"cnc"
],
"references": [
"https://pamchall.com/Telegram@V2ray_Alpha/",
"Domain: t.me \u2022 Email: 1047f946-a6da-45dd-fa53-e00edb48e367@www.speedtest.net",
"https://t.me/",
"Win32/Tofsee.AX google.com connectivity check",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Cabinet_Archive , SFX_CAB",
"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile",
"Antivirus Detections: ELF:Mirai-AAL\\ [Trj] , Unix.Trojan.Mirai-1 , Backdoor:Linux/Mirai.N!MTB",
"IDS Detections: Observed DNS Query to ELF/Various Mirai Variant CnC Domain Huawei Remote Command Execution (CVE-2017-17215)",
"Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
"Huawei HG532 RCE Vulnerability (CVE-2017-17215)",
"DYNAMIC_DNS Query to *.duckdns. Domain",
"SUSPICIOUS Path to BusyBox HiSilicon DVR - Default",
"Telnet Root Password Inbound TELNET login failed root login Bad Login Less",
"Yara Detections Mirai_Botnet_Malware , Mirai_2 , is__elf , Linux_Mirai , ECHOBOT",
"dead_host network_icmp tcp_syn_scan nolookup_communication networkdyndns_checkip writes_to_stdout",
"IP\u2019s Contacted: 1.0.21.231 1.0.42.181 1.1.116.28 1.10.203.28 1.10.54.62 1.101.0.202",
"IP\u2019s Contacted: 1.101.184.254 1.103.104.9 1.103.141.89 1.104.104.227",
"Contacted: newmethcnc.duckdns.org",
"https://otx.alienvault.com/indicator/file/3215b2d1c44c7114c7f94af1bbcb858707b636baeae2c6752219fdf184c7b00e",
"https://eurotarget.com/it/auto/toyota/c-hr/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Win.Malware.Reline-9887776-0",
"display_name": "Win.Malware.Reline-9887776-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Mirai (ELF)",
"display_name": "Mirai (ELF)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai.N!MTB",
"display_name": "Backdoor:Linux/Mirai.N!MTB",
"target": "/malware/Backdoor:Linux/Mirai.N!MTB"
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1222.002",
"name": "Linux and Mac File and Directory Permissions Modification",
"display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification"
},
{
"id": "T1399",
"name": "Modify Trusted Execution Environment",
"display_name": "T1399 - Modify Trusted Execution Environment"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1011.001",
"name": "Exfiltration Over Bluetooth",
"display_name": "T1011.001 - Exfiltration Over Bluetooth"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
}
],
"industries": [
"Telecom"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6227,
"domain": 1437,
"hostname": 2331,
"email": 8,
"FileHash-SHA256": 3252,
"FileHash-MD5": 465,
"FileHash-SHA1": 457,
"CIDR": 1,
"CVE": 3
},
"indicator_count": 14181,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "107 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6962f12c2578ca1d1f8e212f",
"name": "Google_Chrome Attack related to Pahamify Pegasus Intrusive Monitoring of a Crime.Victim",
"description": "Pahamify Pegasus: Google_Chrome_64bit_v136.0.7103.49.exe \nIsolated IOC\u2019s || Related to the targeting of a crime victim.\nDrive by compromise seen on old iPhone locked screen in past. Glitched Bible Gateway app access stuttered entire phone (new and updated at the time) | add pop\nups began, finally an early morning drive by compromise on locked screen \u2018Do you have a Starbucks App?) |[Issue: can only access phone if you answer. Easy mistake , powering off device may or may not have cleared screen] victim checks Bible gateway app believing it to be a malicious app DLL from Apple App Store.\n\nFirebase apps remotely installed, can access via email. other apps corrupted. Google Translate and Notepad linked directly to threat actors.\nNotepad linked to and FBI website in Loudon County, Va. Acted as fake content scraper constantly creating websites.",
"modified": "2026-02-09T23:00:37.530000",
"created": "2026-01-11T00:39:08.048000",
"tags": [
"ipv4",
"url https",
"url http",
"ipv6",
"indicator role",
"title added",
"active related",
"type indicator",
"related pulses",
"discovery",
"gather victim",
"information",
"tool transfer",
"capture",
"hijacking",
"t1055",
"injection",
"service",
"manipulation",
"impact",
"execution",
"timestomp",
"tools",
"usercitynewyork",
"bannerid682713",
"landingid702316",
"countryid774749",
"chrome",
"google",
"yahoo",
"active",
"indicator",
"source",
"ck id",
"show technique",
"mitre att",
"ck matrix",
"file",
"pattern match",
"internet",
"error",
"errore",
"crypto",
"compiler",
"installer",
"download",
"hybrid",
"shutdown",
"strings",
"erreur",
"updater",
"install",
"yang",
"downloader",
"learn",
"adversaries",
"name tactics",
"suspicious",
"informative",
"defense evasion",
"found",
"found registry",
"able",
"model",
"united",
"et trojan",
"show",
"search",
"as15169",
"get http",
"intel",
"ms windows",
"write",
"read c",
"malware",
"trojan",
"possible",
"sha1",
"rgba",
"size",
"ascii text",
"png image",
"sha256",
"span",
"core",
"date",
"title",
"meta",
"format",
"august",
"general",
"local",
"encrypt",
"root",
"click",
"form",
"refresh",
"jsme",
"qsnw4im",
"high",
"artemis",
"virustotal",
"generic",
"mcafee",
"baidu",
"drweb",
"vipre",
"panda",
"malsinowaa",
"less see",
"all yara",
"detections none",
"mebroot",
"contacted",
"domains",
"all related",
"pulses otx",
"pulses",
"tags",
"related tags",
"file type",
"pexe",
"targeting",
"monitored target",
"pegasus"
],
"references": [
"Gen:Trojan.Heur.wq5@QsnW4Im , Backdoor.Win32.Sinowal.fac , Mal/Sinowa-A ,",
"Trojan.Mebroot , a variant of Win32/Mebroot.BM , Trojan:W32/Mebroot.gen!A , Trojan.Packed.2447",
"Detections PSW.Sinowal.X , Win.Trojan.Sinowal-13971 , Artemis!0DF9D8682EFA ,",
"Alerts: stealth_network antivirus_virustotal static_pe_anomaly",
"https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_(64bit)_v136.0.7103.49.exe",
"Google_Chrome_64bit_v136.0.7103.49.exe",
"https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7",
"IDS Detections: ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.google.com)",
"ET TROJAN Possible VirLock Connectivity Check"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Mebroot",
"display_name": "Mebroot",
"target": null
},
{
"id": "PSW.Sinowal.X",
"display_name": "PSW.Sinowal.X",
"target": null
}
],
"attack_ids": [
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1029",
"name": "Scheduled Transfer",
"display_name": "T1029 - Scheduled Transfer"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1074",
"name": "Data Staged",
"display_name": "T1074 - Data Staged"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1124",
"name": "System Time Discovery",
"display_name": "T1124 - System Time Discovery"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1213",
"name": "Data from Information Repositories",
"display_name": "T1213 - Data from Information Repositories"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1486",
"name": "Data Encrypted for Impact",
"display_name": "T1486 - Data Encrypted for Impact"
},
{
"id": "T1489",
"name": "Service Stop",
"display_name": "T1489 - Service Stop"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1529",
"name": "System Shutdown/Reboot",
"display_name": "T1529 - System Shutdown/Reboot"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1559",
"name": "Inter-Process Communication",
"display_name": "T1559 - Inter-Process Communication"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1569",
"name": "System Services",
"display_name": "T1569 - System Services"
},
{
"id": "T1570",
"name": "Lateral Tool Transfer",
"display_name": "T1570 - Lateral Tool Transfer"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2126,
"domain": 492,
"hostname": 913,
"email": 3,
"FileHash-SHA256": 953,
"FileHash-MD5": 78,
"FileHash-SHA1": 61,
"SSLCertFingerprint": 14
},
"indicator_count": 4640,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "111 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6962b68da732abc66a0c2caf",
"name": "Der Zugriff \u2022 Kanna \u2022 MyDoom \u2022 Sigur - Pahamify Pegasus",
"description": "Pahamify Pegasus | Execution Attack, Access Attack | Drive by Compromise | \nSifting through Pahamify Pegasus this is no longer your computer , injection, google connects, remote connections, remote mouse movement, remote access, Google espionage, bad traffic, Apple complicit access. This is your Google account and browser, this is your appleid. Still researching\u2026. || \n*https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_ ||\nMalware: Der Zugriff ,\nKanna ,\nMyDoom ,\nSigur \n#firebase #google_connection #bible_gateway_honeypot #crypto #hidden_users #who_else",
"modified": "2026-02-09T19:00:09.890000",
"created": "2026-01-10T20:29:01.675000",
"tags": [
"ip address",
"status code",
"kb body",
"iocs",
"deny age",
"cloudfront",
"utc google",
"tag manager",
"g8t6ln06z40",
"utc na",
"google tag",
"injection",
"t1055 malware",
"tree",
"help v",
"defense evasion",
"injection t1055",
"resolved ips",
"get http",
"dns resolutions",
"v memory",
"pattern domains",
"full reports",
"v help",
"memory pattern",
"urls https",
"hashes",
"tiktok",
"microsoft",
"dashboard falcon",
"request",
"windows nt",
"win64",
"khtml",
"gecko",
"response",
"appleid",
"united",
"name servers",
"aaaa",
"servers",
"moved",
"script urls",
"passive dns",
"urls",
"data upload",
"extraction",
"failed",
"jsvendor",
"jsapp",
"script script",
"cssapp",
"jsfirebase",
"pegasus",
"encrypt",
"title error",
"ipv4",
"files",
"reverse dns",
"united states",
"malware",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"execution att",
"t1204 user",
"script",
"beginstring",
"bad traffic",
"et info",
"null",
"title",
"refresh",
"span",
"strings",
"error",
"tools",
"meta",
"look",
"verify",
"restart",
"mitre att",
"ascii text",
"pattern match",
"ck matrix",
"tls handshake",
"hybrid",
"general",
"local",
"path",
"click",
"ck techniques",
"access att",
"div div",
"a li",
"ul div",
"record value",
"emails",
"accept",
"referen https",
"microsoft-falcon.net",
"proxy",
"status",
"certificate",
"updated date",
"whois server",
"zipcode",
"entries http",
"scans show",
"search",
"matches x",
"type",
"gmt cache",
"all ipv4",
"america flag",
"america asn",
"sameorigin",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results jan",
"ipv4 add",
"win32mydoom jan",
"trojan",
"worm",
"expiration date",
"files show",
"date hash",
"avast avg",
"win32mydoom",
"backdoor",
"found",
"gmt connection",
"control",
"content type",
"twitter",
"dynamicloader",
"medium",
"high",
"msie",
"wow64",
"slcc2",
"media center",
"write",
"global",
"domain name",
"hostname",
"apple",
"racebook",
"mouse movement",
"remote mouse",
"domain",
"hostname add",
"url analysis",
"crlf line",
"ff d5",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"f0 ff",
"ff bb",
"music",
"push",
"autorun",
"unknown",
"present sep",
"present may",
"present jan",
"present aug",
"cname",
"present nov",
"present jun",
"apache",
"body",
"pragma",
"found registry",
"able",
"model",
"indicator",
"source",
"show technique",
"file",
"internet",
"errore",
"erreur",
"download",
"service",
"crypto",
"compiler",
"installer",
"yang",
"updater",
"shutdown",
"thunk",
"este",
"install",
"reboot",
"code",
"downloader",
"sigur",
"kanna",
"der zugriff",
"google",
"chrome",
"Pahamify Pegasus",
"christoper p. ahmann",
"law enforcement",
"retaliation",
"phone",
"espionage",
"united states",
"m brian sabey",
"quasi government",
"target",
"monitored targeting",
"aig",
"therahand (old name)",
"target: tsara brashears",
"douglas county, co",
"sheriff",
"industry and commerce",
"worker\u2019s compensation",
"crime",
"financial crime",
"danger",
"nem tih",
"amazon",
"aws",
"amazon aws",
"deal",
"deal with it lawfully",
"pay victim",
"protecting reimer"
],
"references": [
"https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com",
"https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
"Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur",
"Pahamify Pegasus",
"Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)",
"https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android",
"https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4",
"tv.apple.com",
"dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net",
"Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A",
"IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)",
"IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)",
"IDS: TLS Handshake Failure",
"Yara Detections BackdoorWin32Simda",
"Google_Chrome_64bit_v136.0.7103.49.exe",
"https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7",
"https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Pariham.A",
"display_name": "Trojan:Win32/Pariham.A",
"target": "/malware/Trojan:Win32/Pariham.A"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Virus:Win95/Cerebrus",
"display_name": "Virus:Win95/Cerebrus",
"target": "/malware/Virus:Win95/Cerebrus"
},
{
"id": "AutoRunIt",
"display_name": "AutoRunIt",
"target": null
},
{
"id": "Sigur",
"display_name": "Sigur",
"target": null
},
{
"id": "Kanna",
"display_name": "Kanna",
"target": null
},
{
"id": "Der Zugriff",
"display_name": "Der Zugriff",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1029",
"name": "Scheduled Transfer",
"display_name": "T1029 - Scheduled Transfer"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1074",
"name": "Data Staged",
"display_name": "T1074 - Data Staged"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1124",
"name": "System Time Discovery",
"display_name": "T1124 - System Time Discovery"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1213",
"name": "Data from Information Repositories",
"display_name": "T1213 - Data from Information Repositories"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1486",
"name": "Data Encrypted for Impact",
"display_name": "T1486 - Data Encrypted for Impact"
},
{
"id": "T1489",
"name": "Service Stop",
"display_name": "T1489 - Service Stop"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1529",
"name": "System Shutdown/Reboot",
"display_name": "T1529 - System Shutdown/Reboot"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1559",
"name": "Inter-Process Communication",
"display_name": "T1559 - Inter-Process Communication"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1569",
"name": "System Services",
"display_name": "T1569 - System Services"
},
{
"id": "T1570",
"name": "Lateral Tool Transfer",
"display_name": "T1570 - Lateral Tool Transfer"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1569.002",
"name": "Service Execution",
"display_name": "T1569.002 - Service Execution"
},
{
"id": "T1543.003",
"name": "Windows Service",
"display_name": "T1543.003 - Windows Service"
},
{
"id": "T1546.015",
"name": "Component Object Model Hijacking",
"display_name": "T1546.015 - Component Object Model Hijacking"
},
{
"id": "T1055.003",
"name": "Thread Execution Hijacking",
"display_name": "T1055.003 - Thread Execution Hijacking"
},
{
"id": "T1134.001",
"name": "Token Impersonation/Theft",
"display_name": "T1134.001 - Token Impersonation/Theft"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1134.002",
"name": "Create Process with Token",
"display_name": "T1134.002 - Create Process with Token"
},
{
"id": "T1070.006",
"name": "Timestomp",
"display_name": "T1070.006 - Timestomp"
},
{
"id": "T1564.003",
"name": "Hidden Window",
"display_name": "T1564.003 - Hidden Window"
},
{
"id": "T1497.003",
"name": "Time Based Evasion",
"display_name": "T1497.003 - Time Based Evasion"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1497.002",
"name": "User Activity Based Checks",
"display_name": "T1497.002 - User Activity Based Checks"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1027.005",
"name": "Indicator Removal from Tools",
"display_name": "T1027.005 - Indicator Removal from Tools"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1074.001",
"name": "Local Data Staging",
"display_name": "T1074.001 - Local Data Staging"
},
{
"id": "T1560.002",
"name": "Archive via Library",
"display_name": "T1560.002 - Archive via Library"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
}
],
"industries": [
"Civil Society",
"Legal",
"Government",
"Technology",
"Telecommunications",
"Financial"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6094,
"domain": 1195,
"hostname": 2001,
"FileHash-SHA256": 2598,
"FileHash-MD5": 546,
"FileHash-SHA1": 403,
"email": 16,
"CVE": 2,
"SSLCertFingerprint": 3
},
"indicator_count": 12858,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "111 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6953775a0aed71947ca3f90e",
"name": "Ransom WannaCrypt- Hackers masquerade as a law firm | Social Engineering |",
"description": "Hackers , likely Colorado State employees masquerading as legal, entities, social\nengineering, financial exchanges involved. Fraud. Dangerous enterprise. Found in an \u2018alleged \u2018 Plaintiff Law Firms malicious link discovered in old print out, also seen in earlier pulse. [OTX generated description: Adversaries may be able to evade detection and network filtering by blending in with existing traffic, as well as using web protocols, in order to avoid detection/network filtering. and other measures.]",
"modified": "2026-01-29T06:09:08.504000",
"created": "2025-12-30T06:55:22.105000",
"tags": [
"united",
"urls",
"moved",
"files",
"ip address",
"gmt content",
"x adblock",
"encrypt",
"backdoor",
"bq dec",
"virtool",
"ipv4 add",
"ascii text",
"pattern match",
"ck id",
"mitre att",
"meta",
"general",
"local",
"path",
"click",
"strings",
"unknown",
"simplified",
"etpro trojan",
"possible virut",
"dga nxdomain",
"responses",
"virus",
"medium",
"virustotal",
"vipre",
"baidu",
"vitro",
"drweb",
"mcafee",
"panda",
"malware",
"write",
"dynamicloader",
"msie",
"windows nt",
"slcc2",
"media center",
"yara rule",
"simda",
"internal",
"learn",
"name tactics",
"suspicious",
"informative",
"command",
"spawns",
"defense evasion",
"t1480 execution",
"discovery att",
"ck matrix",
"network traffic",
"t1071",
"t1057",
"hybrid",
"yara detections",
"composite",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"none related",
"passive dns",
"hosting",
"reverse dns",
"location united",
"title",
"ences s",
"data upload",
"extraction",
"status",
"hostname add",
"url analysis",
"push",
"present sep",
"present may",
"present jul",
"present jan",
"win32small dec",
"ransom",
"write c",
"show",
"search",
"high",
"et exploit",
"probe ms17010",
"eternal blue",
"englewood colorado",
"wannacry",
"wannacrypt",
"ransom",
"wanna"
],
"references": [
"https://aws.hirecar.net/",
"w32.virut.cf \u2022 win32.virut.am \u2022 virut.cf \u2022 http://w32.virut.cf \u2022http://w32.virut.cf/ \u2022 https://w32.virut.cf",
"pandacookie2018.xyz",
"Antivirus Detections: Win.Ransomware.Wanna-9769986-0 , Ransom:Win32/WannaCrypt.H",
"IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS",
"DNS Lookup) Possible ETERNALBLUE Probe MS17-010 (MSF style) Possible ETERNALBLUE Probe MS17-010 (Generic Flags) ETERNALBLUE Probe Vulnerable System Response MS17-010 Possible ETERNALBLUE MS17-010 Heap Spray More Yara Detections WannaCry_Ransomware , Win32_Ransomware_WannaCry , Wanna_Cry_Ransomware_Generic , MS17_010_WanaCry_worm , stack_string More Alerts 25 Alerts suspicious_iocontrol_codes persistence_autorun persistence_autorun_tasks stealth_file suricata_alert antivm_generic_disk anomalous_deletefil",
"Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com \u2022\u2019survey-smiles.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Backdoor:Win32/Small.IR",
"display_name": "Backdoor:Win32/Small.IR",
"target": "/malware/Backdoor:Win32/Small.IR"
},
{
"id": "Win.Trojan.Agent-31853",
"display_name": "Win.Trojan.Agent-31853",
"target": null
},
{
"id": "Virut",
"display_name": "Virut",
"target": null
},
{
"id": "Win.Ransomware.Wanna-9769986-0",
"display_name": "Win.Ransomware.Wanna-9769986-0",
"target": null
},
{
"id": "Ransom:Win32/WannaCrypt.H",
"display_name": "Ransom:Win32/WannaCrypt.H",
"target": "/malware/Ransom:Win32/WannaCrypt.H"
},
{
"id": "Virtool:Win32/Injector.gen!BQ",
"display_name": "Virtool:Win32/Injector.gen!BQ",
"target": "/malware/Virtool:Win32/Injector.gen!BQ"
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
}
],
"industries": [
"Government",
"Technology",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8605,
"domain": 1228,
"email": 2,
"hostname": 1981,
"FileHash-SHA256": 1617,
"FileHash-SHA1": 184,
"FileHash-MD5": 206,
"SSLCertFingerprint": 2
},
"indicator_count": 13825,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "123 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "139 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "145 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "687992eceac6f12e9cebd65f",
"name": "Operation Endgame | ThreatIntelligence | Pegasus | Mirai | Berbew | Emotet",
"description": "Operation Endgame - Mass spying on civilians suspected of involvement in illegal activity. This spying can last for years. Law enforcement and intelligence agencies use infrastructures from Google, Bing, Apple, Amazon, Coudflare, Microsoft, among other companies. Traffic can be masked in DNS and encrypted connections to go undetected. It is recommended to abandon closed-source services and software and opt for fully open-source software and install a powerful firewall. The use of a secure VPN is recommended. \nThere may be repeated indicators and some false positives due to the nature of the threats. We are working to eliminate duplicate entries and false positives. Check the comment box for important notifications. Follow our Telegram channel: @PrivacyNotACrime",
"modified": "2025-12-28T19:04:27.449000",
"created": "2025-07-18T00:18:50.968000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": null,
"export_count": 375,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 7,
"follower_count": 0,
"vote": 0,
"author": {
"username": "privacynotacrime",
"id": "349346",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 123,
"modified_text": "154 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6920c43c3772bb24f26f70cc",
"name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun",
"description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.",
"modified": "2025-12-21T18:01:07.268000",
"created": "2025-11-21T19:57:48.145000",
"tags": [
"dynamicloader",
"write c",
"write",
"high",
"yara rule",
"myapp",
"delphi",
"worm",
"win32",
"error",
"code",
"malware",
"defender",
"medium",
"binary file",
"heavensgate",
"bochs",
"dynamic",
"td td",
"td tr",
"united",
"a td",
"a domains",
"dynamic dns",
"static dns",
"dd wrt",
"twitter",
"trojan",
"trojandropper",
"null",
"enough",
"simple",
"click",
"easy",
"premium",
"associated urls",
"server response",
"google safe",
"results nov",
"avast avg",
"11.21.2025",
"11.20.2025",
"borland delphi",
"pe32",
"intel",
"ms windows",
"inno setup",
"win32 exe",
"pecompact",
"delphi generic",
"pe32 compiler",
"dark comet",
"dark gate",
"glassworm",
"md5 code",
"data",
"porkbun llc",
"windows match",
"getprocaddress",
"peb idrdata",
"match peb",
"t1547",
"t1059 t1112",
"shared modules",
"t1129",
"boot",
"logon autostart",
"execu",
"t1134 boot",
"encoding",
"capture e1113",
"file attributes",
"analysis ob0001",
"b0001 software",
"virtual machine",
"detection b0009",
"analysis ob0002",
"ob0003 screen",
"windows get",
"check",
"encode",
"check internet",
"wininet set",
"clear file",
"enumerate gui",
"get hostname",
"get keyboard",
"set registry",
"find",
"capture",
"url http",
"consolefoundry",
"console foundry",
"foundry",
"malware catalog tree",
"autorun keys",
"modification",
"alexander karp",
"peter theil",
"christoper ahmann",
"christopher pool",
"mercedes",
"apple",
"palantir",
"adversarial",
"adversaries",
"hostile",
"quasi",
"empty hash",
"denver",
"mal_xred_backdoor",
"backdoor",
"xred",
"brian sabey",
"first-send-petikvx",
"stop",
"glassworm",
"elex",
"darkgate",
"dark-comet",
"search",
"entries",
"show",
"yara detections",
"icmp traffic",
"rtf file",
"top source",
"top destination",
"format",
"host",
"copy",
"next",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"found",
"access att",
"font",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"ascii text",
"pattern match",
"sha256",
"mitre att",
"title",
"meta",
"hybrid",
"local",
"path",
"strings",
"body",
"contact",
"trace",
"form",
"bitcoin",
"core",
"jeffrey reimer",
"exe infection",
"cve",
"porn"
],
"references": [
"FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop",
"Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,",
"Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi",
"Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns",
"Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert",
"Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep",
"Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading",
"Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn",
"Alerts: packer_unknown",
"Malicious IP Contacted: 69.42.215.252",
"Abused Domains Contacted: xred.mooo.com freedns.afraid.org",
"IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org",
"IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com",
"IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com",
"Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access",
"consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry",
"Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below",
"by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"http://freedns.afraid.org/images/apple.gif",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"https://www.mumuplayer.com/redirect/customerservice/_wig",
"https://www.mumuplayer.com/redirect/customerservice/fB)y",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth",
"https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"http://consolefoundry.date/one/gate.php",
"https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453",
"display_name": "Win.Trojan.Emotet-9850453",
"target": null
},
{
"id": "Win.Trojan.BlackNetRAT-7838854-0",
"display_name": "Win.Trojan.BlackNetRAT-7838854-0",
"target": null
},
{
"id": "Win.Dropper.Nanocore-10021490-0",
"display_name": "Win.Dropper.Nanocore-10021490-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Win.Packed.Remcos-10024510-0",
"display_name": "Win.Packed.Remcos-10024510-0",
"target": null
},
{
"id": "Code Overlap",
"display_name": "Code Overlap",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "PSW:Win32/VB.CU",
"display_name": "PSW:Win32/VB.CU",
"target": "/malware/PSW:Win32/VB.CU"
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1541",
"name": "Foreground Persistence",
"display_name": "T1541 - Foreground Persistence"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1470",
"name": "Obtain Device Cloud Backups",
"display_name": "T1470 - Obtain Device Cloud Backups"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 460,
"FileHash-SHA1": 437,
"FileHash-SHA256": 4483,
"SSLCertFingerprint": 2,
"URL": 6487,
"hostname": 1772,
"domain": 652,
"CVE": 3,
"email": 5
},
"indicator_count": 14301,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "161 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68feb98a8c1b75b4431a3e8e",
"name": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator?",
"description": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator? 1.) (userlolxxl) is also disable_duck, has an unhealthy interest in the Tsara Brashears \u2018dead yet\u2019 theory , has many profiles. His issues are self made by grabbing vulnerabilities found and linking them to a fake University website. We checked. Profile belongs to a group causing needless distraction and hooking users into the \u2018No Problems\u2019 group. \n\nWe swiftly got Regis University to take notice of Palantirs Prometheus Intelligence Technology tracking. Dean let semester begin putting students at risk despite warnings from Tsara Brashears of owa canary cookie in server, to replace computers , halt school , deal with issue. RU ignored issues, Brashears didn\u2019t. They went black , blacklisted Tsara warning of credible death threats on dark web.",
"modified": "2025-11-25T20:05:31.749000",
"created": "2025-10-27T00:15:06.191000",
"tags": [
"html internet",
"html document",
"ascii text",
"language",
"cve202323397",
"iframe tags",
"tag manager",
"gtmkvjvztk",
"anchor hrefs",
"info ta0011",
"protocol",
"layer protocol",
"port",
"t1571 encrypted",
"channel",
"t1573 malware",
"tree",
"oc0006 http",
"c0014",
"get http",
"dns resolutions",
"resolved ips",
"user",
"data",
"datacrashpad",
"edge",
"v full",
"reports v",
"chrome u",
"appdata local",
"googlechrome u",
"u ser",
"cname",
"ip address",
"http",
"accept",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"shutdown",
"extraction",
"suggested iocs",
"data upload",
"cry dee",
"stop",
"type",
"url indicator",
"enter",
"failed",
"se share",
"extrac",
"enter so",
"passive dns",
"urls",
"hostname add",
"pulse pulses",
"files",
"domain",
"files ip",
"address",
"location united",
"asn as20473",
"dynamicloader",
"directui",
"write c",
"intel",
"ms windows",
"pe32",
"element",
"delete c",
"document file",
"v2 document",
"explorer",
"trojandropper",
"write",
"markus",
"august",
"movie",
"insert",
"pulse submit",
"url analysis",
"asn as8068",
"united",
"entries",
"body",
"please",
"x msedge",
"ipv4 add",
"present sep",
"present oct",
"present feb",
"status",
"unknown ns",
"search",
"name servers",
"present jul",
"aaaa",
"present apr",
"trojan",
"medium",
"high",
"yara rule",
"globalc",
"june",
"malware",
"win64",
"unknown",
"america flag",
"twitter",
"hostname",
"domain add",
"reverse dns",
"america asn",
"present aug",
"a domains",
"moved",
"first pqc",
"unknown aaaa",
"title",
"meta",
"window",
"encrypt",
"pulse indicator",
"body doctype",
"welcome",
"ok server",
"gmt content",
"atlanta",
"abuse",
"agent",
"service",
"present jun",
"present may",
"creation date",
"record value",
"servers",
"libretv meta",
"certificate",
"value",
"whois lookup",
"loopia ab",
"userlolxxl"
],
"references": [
"http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist",
"It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!",
"pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz",
"Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com",
"docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips",
"https://hs.ecam.com/your-challenges-ecams-solutions",
"https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022",
"https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/",
"Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Wannacry",
"display_name": "Wannacry",
"target": null
},
{
"id": "Foundry",
"display_name": "Foundry",
"target": null
},
{
"id": "Trojan:Win32/Comisproc!gmb",
"display_name": "Trojan:Win32/Comisproc!gmb",
"target": "/malware/Trojan:Win32/Comisproc!gmb"
},
{
"id": "Trojandropper:Win32/VB.IL",
"display_name": "Trojandropper:Win32/VB.IL",
"target": "/malware/Trojandropper:Win32/VB.IL"
},
{
"id": "#Exploit:Win32/CVE- 2023 - 23397",
"display_name": "#Exploit:Win32/CVE- 2023 - 23397",
"target": "/malware/#Exploit:Win32/CVE- 2023 - 23397"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "ALF:PulZati:Worm:Win32/Mydoom",
"display_name": "ALF:PulZati:Worm:Win32/Mydoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 8,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 248,
"FileHash-SHA1": 134,
"FileHash-SHA256": 2661,
"URL": 6257,
"domain": 682,
"email": 8,
"hostname": 2077,
"CVE": 1
},
"indicator_count": 12068,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "187 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f7582b2454d926e77db68c",
"name": "AWS does have issues - Indictor removal service impacting threat hunting services",
"description": "Malicious. I hope the pulse posted yesterday didn\u2019t lead to AWS outage. I learned about it a few a few hours ago. AWS does have issues, like having a monopoly and the type of services allowed to exist on their servers. I never saw the links until I learned. I appreciate tips , opinions , and sharing.received. An issue found on targets old iOS 14 device ,due to deletions . This had me researching a link that is related to multiple links researched before. Impacts: Threat hunting services. * Worm:Win32/AutoRun.XXY!bit (Emotet and Neshta relationship). There are many other malicious indicators.",
"modified": "2025-11-20T06:00:01.014000",
"created": "2025-10-21T09:53:47.767000",
"tags": [
"url http",
"url https",
"united",
"sweden",
"canada",
"search",
"type indicator",
"added active",
"related pulses",
"aws",
"passive dns",
"urls",
"files domain",
"files related",
"related tags",
"none google",
"safe browsing",
"present jun",
"present sep",
"present aug",
"present jul",
"present oct",
"present may",
"ip address",
"uruguay unknown",
"india showing",
"next associated",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"unknown",
"write",
"read",
"unknown www",
"et trojan",
"suspicious",
"read c",
"myagrent",
"get myagrent",
"win32",
"malware",
"ids detections",
"et",
"dynamicloader",
"medium",
"write c",
"high",
"pcratgh0st cnc",
"backdoor family",
"show",
"ms windows",
"trojandropper",
"code",
"next",
"polymorphic",
"indicator role",
"title added",
"active related",
"report spam",
"threat hunters",
"brian",
"sabey created",
"day ago",
"white indicator",
"sabey",
"worm",
"emotet",
"tags",
"malware family",
"ck ids",
"t1140",
"information",
"t1045",
"packing",
"t1060",
"dns",
"role title",
"filehashmd5",
"malware attacks",
"find encrypted",
"pulses url",
"q oct",
"dns",
"ators show",
"tbmvid",
"sourcelnms",
"ipv4",
"types",
"indicators show"
],
"references": [
"business-support.intel.com \u2022 dns0.org \u2022 http://g-ns-1047.awsdns-20.org/",
"Alerts: physical_drive_access deletes_executed_files anomalous_deletefile",
"Alerts: suspicious_iocontrol_codes polymorphic static_pe_anomaly suricata_alert",
"Alerts: injection_rwx antivm_checks_available_memory queries_computer_name",
"Alerts: resumethread_remote_process antivm_generic_disk antisandbox_sleep dynamic_function_loading",
"Alerts: enumerates_running_processes reads_self packer_unknown_pe_section_name contains_pe_overlay dropper queries_keyboard_layout",
"102 Yara Detections: XOR_embeded_exefile_xored_with_round_256_bytes_key",
"More PE Packer Microsoft Visual C++ Compilation | File Type PEXE - PE32 executable (GUI) Intel 80386, for MS Windows",
"IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)",
"Contacted ipp.getcash2018.com conf.f.360.cn",
"All IP\u2019s Contacted 27.102.115.143 199.232.210.172 Domains",
"IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)",
"New? patch-aws-8y03-v202542-266-2.space.prod.a0core.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Zegost",
"display_name": "Zegost",
"target": null
},
{
"id": "TrojanDropper:Win32/Zegost.B",
"display_name": "TrojanDropper:Win32/Zegost.B",
"target": "/malware/TrojanDropper:Win32/Zegost.B"
},
{
"id": "Worm:Win32/AutoRun.XXY!bit",
"display_name": "Worm:Win32/AutoRun.XXY!bit",
"target": "/malware/Worm:Win32/AutoRun.XXY!bit"
},
{
"id": "Trojan:Win32/Fugrafa",
"display_name": "Trojan:Win32/Fugrafa",
"target": "/malware/Trojan:Win32/Fugrafa"
},
{
"id": "Win32:MalwareX-gen",
"display_name": "Win32:MalwareX-gen",
"target": null
}
],
"attack_ids": [
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1224,
"URL": 2979,
"domain": 609,
"FileHash-SHA256": 765,
"FileHash-SHA1": 350,
"FileHash-MD5": 374,
"CVE": 1,
"email": 1
},
"indicator_count": 6303,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "193 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2ca40b12d7f02af896284",
"name": "Exploit Kit - 77.67.27.35 Isolated",
"description": "Information hastily gathered. IP 77.67.27.35\nbelongs to a server or device, WHOIS lookup indicates domain name cloud.com, owned by P.O. Box 412, 1043 CD, Amsterdam, Noord-Holland, NL | Summary ; ASN, AS3257 GTT Communications Inc. ; BGP, 77.67.0.0/17 ; IPs | BGP Looking Glass for AS3257 / GTT Communications Inc. | http.net - IP Transit Provider | Global Services - GTT | http://www.gtt.net Company Looking Glass: http://www.as3257.net/lg/ Info from single malicious file :Win32/Heur\n, \nTrojan.Crypted-29\nIDS Detections\nET POLICY Unsupported/Fake Windows NT Version 5.0\nET TROJAN Trojan/W32.KRBanker.60928.C Checkin\nYara Detections\nNone\nAlerts:\n\u2022 infostealer_browser\n\u2022 bypass_firewall\n\u2022 persistence_autorun\n\u2022 network_bind\n\u2022 network_http\n\u2022 packer_entropy\n- IP\u2019s Contacted :\n8.8.8.8 ,\n\n77.67.27.35 ,\n\n59.13.211.166 ,\n\n118.99.41.30 ,\nDomains Contacted :\nr.qzone.qq.com",
"modified": "2025-11-04T19:02:34.015000",
"created": "2025-10-05T19:42:56.097000",
"tags": [
"win32dh",
"mxigd4et",
"united",
"passive dns",
"entries",
"next associated",
"present oct",
"win32virut feb",
"all ipv4",
"pulse pulses",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"command",
"found",
"evasion att",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"ascii text",
"pattern match",
"mitre att",
"show technique",
"null",
"refresh",
"body",
"span",
"hybrid",
"local",
"path",
"click",
"strings",
"error",
"tools",
"title",
"look",
"verify",
"restart",
"information",
"whois",
"amsterdam",
"noordholland",
"summary",
"as3257 gtt",
"bgp looking",
"glass",
"as3257",
"ip transit",
"global",
"jfif",
"clsid",
"jpeg image",
"windows nt",
"gif image",
"msie",
"rgba",
"utf8 unicode",
"malware",
"copy",
"write",
"next",
"handle",
"address range",
"cidr",
"network name",
"allocation type",
"assigned pa",
"status",
"whois server",
"ripe ncc",
"ripe network"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"Korea, Republic of",
"Hong Kong"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [
"Telecom"
],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 195,
"FileHash-SHA1": 106,
"FileHash-SHA256": 254,
"URL": 603,
"hostname": 256,
"domain": 74,
"CIDR": 3,
"email": 2
},
"indicator_count": 1493,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "208 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68dbee57fc8b1739c2223376",
"name": "Serious Privacy Violations \u2022 Groundup Monitoring a Household \u2022 IoT",
"description": "Thank you for the tip. It\u2019s taken me 98 days to get to this one. Enlightening. \n\nI\u2019m going to reserve my comments. A lot of new stuff here. \n#Intrusive\n#helix #helix_foundry_connection #amazon #advesaries_in_the_middle",
"modified": "2025-10-30T14:05:43.818000",
"created": "2025-09-30T14:51:03.111000",
"tags": [
"united",
"trojandropper",
"passive dns",
"lowfi",
"head meta",
"moved title",
"twitter",
"moved",
"a href",
"present sep",
"aaaa",
"ireland",
"ip address",
"emails",
"reverse dns",
"malware",
"unruy",
"upatre",
"snowjan",
"zusy",
"vb",
"x.com",
"downloader",
"trojan",
"agent",
"pe32 executable",
"intel",
"ms windows",
"reads",
"medium",
"write",
"delete",
"top source",
"push",
"germany unknown",
"name servers",
"head body",
"urls",
"files ip",
"url analysis",
"address",
"asn as3320",
"present jun",
"present jul",
"present may",
"present oct",
"present feb",
"present nov",
"url hostname",
"server response",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"development att",
"ssl certificate",
"path",
"sha256",
"pattern match",
"ffffff",
"general",
"iframe",
"click",
"strings",
"leon",
"dns requests",
"domain address",
"http",
"files domain",
"files related",
"ireland unknown",
"files",
"dublin",
"ireland asn",
"as16509",
"script urls",
"dubai real",
"meta",
"encrypt",
"austria unknown",
"austria asn",
"asnone dns",
"resolutions",
"handle",
"rdap database",
"iana registrar",
"helix",
"foundry",
"iot",
"apple",
"itunes",
"amazon",
"unknown ns",
"found",
"content type",
"gmt server",
"x xss",
"certificate",
"domain add",
"error",
"code",
"date",
"entries",
"next associated",
"body html",
"title",
"present aug",
"servers",
"status",
"for privacy",
"redacted for",
"spawns",
"ck techniques",
"url add",
"pulse pulses",
"related nids",
"files location",
"flag united",
"showing",
"media",
"cname",
"invalid url",
"creation date",
"body",
"sha1",
"copy md5",
"copy sha1",
"copy sha256",
"ascii text",
"mitre att",
"show technique",
"hybrid",
"local"
],
"references": [
"families.google/intl/pt-PT_ALL/familylink \u2022 cameyo.google \u2022 googlecampaigns.com \u2022. chrome.com.bh",
"t-iot.de \u2022 dockerregistry.xlab.t-iot.de\t \u2022 netbox.nic.xlab.t-iot.de",
"www.n-helix.com - Foundry remnant",
"itunes.apple.com \u2022 api.amazon.com",
"https://webclientshellserver-prod-trafficmanager-net.s-0005.dual-s-msedge.net",
"https://www.matchsticksandgasoline.com/2018/11/2/18051280/the-morning-after-colorado-if-you-want-to-be-a-goalie-skip-these-highlights-mark-giordano",
"http://s.vebnox.com \u2022 vebnox.com \u2022 http://stulancer.vebnox.com \u2022 vebnox.com \u2022 http://vedonate.vebnox.com \u2022 vebnox.com \u2022 https://home.vebnox.com vebnox.com \u2022 https://vedonate.vebnox.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Win.Malware.Zusy",
"display_name": "Win.Malware.Zusy",
"target": null
},
{
"id": "Trojandropper:Win32/VB.IL",
"display_name": "Trojandropper:Win32/VB.IL",
"target": "/malware/Trojandropper:Win32/VB.IL"
},
{
"id": "Win.Malware.Snojan",
"display_name": "Win.Malware.Snojan",
"target": null
},
{
"id": "Win.Packed",
"display_name": "Win.Packed",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"target": null
},
{
"id": "Unruy",
"display_name": "Unruy",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
},
{
"id": "ALF:Trojan:Win32/Agent.WTK!MTB",
"display_name": "ALF:Trojan:Win32/Agent.WTK!MTB",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3399,
"domain": 790,
"FileHash-MD5": 174,
"FileHash-SHA1": 171,
"FileHash-SHA256": 3349,
"hostname": 1325,
"email": 10,
"SSLCertFingerprint": 9
},
"indicator_count": 9227,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 148,
"modified_text": "213 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022",
"Alerts: stealth_network antivirus_virustotal static_pe_anomaly",
"families.google/intl/pt-PT_ALL/familylink \u2022 cameyo.google \u2022 googlecampaigns.com \u2022. chrome.com.bh",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert",
"Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)",
"Alerts: suspicious_iocontrol_codes polymorphic static_pe_anomaly suricata_alert",
"Win32/Tofsee.AX google.com connectivity check",
"android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022",
"https://t.me/",
"https://otx.alienvault.com/indicator/file/3215b2d1c44c7114c7f94af1bbcb858707b636baeae2c6752219fdf184c7b00e",
"pandacookie2018.xyz",
"https://es.pornhat.com/models/the-sex-creator/",
"Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com",
"The Blender Foundation",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"Alerts: packer_unknown",
"Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,",
"Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns",
"http://freedns.afraid.org/images/apple.gif",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"102 Yara Detections: XOR_embeded_exefile_xored_with_round_256_bytes_key",
"Antivirus Detections: Win.Ransomware.Wanna-9769986-0 , Ransom:Win32/WannaCrypt.H",
"Alerts: injection_rwx antivm_checks_available_memory queries_computer_name",
"New? patch-aws-8y03-v202542-266-2.space.prod.a0core.net",
"https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4",
"IP\u2019s Contacted: 1.0.21.231 1.0.42.181 1.1.116.28 1.10.203.28 1.10.54.62 1.101.0.202",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com",
"IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)",
"dead_host network_icmp tcp_syn_scan nolookup_communication networkdyndns_checkip writes_to_stdout",
"Contacted ipp.getcash2018.com conf.f.360.cn",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www.mumuplayer.com/redirect/customerservice/_wig",
"https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android",
"Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks",
"oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download",
"iamrobert.com Y.A.S.",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"website \u2022 http://oldapps.com/blender.php?old_blender=7584",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"https://hs.ecam.com/your-challenges-ecams-solutions",
"OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist",
"Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)",
"https://aws.hirecar.net/",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"Yara Detections: Cabinet_Archive , SFX_CAB",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://eurotarget.com/it/auto/toyota/c-hr/",
"https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545",
"Malicious IP Contacted: 69.42.215.252",
"https://webclientshellserver-prod-trafficmanager-net.s-0005.dual-s-msedge.net",
"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile",
"https://www.matchsticksandgasoline.com/2018/11/2/18051280/the-morning-after-colorado-if-you-want-to-be-a-goalie-skip-these-highlights-mark-giordano",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"Domain: t.me \u2022 Email: 1047f946-a6da-45dd-fa53-e00edb48e367@www.speedtest.net",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://pamchall.com/Telegram@V2ray_Alpha/",
"There is fear in silence or speaking out",
"http://consolefoundry.date/one/gate.php",
"dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net",
"Pahamify Pegasus",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"Target agreed and complied with all lie detector measures.",
"Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep",
"ET TROJAN Possible VirLock Connectivity Check",
"www.n-helix.com - Foundry remnant",
"tv.apple.com",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)",
"https://meumundogay-com.sexogratis.page/locker",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn",
"https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354",
"SUSPICIOUS Path to BusyBox HiSilicon DVR - Default",
"Huawei HG532 RCE Vulnerability (CVE-2017-17215)",
"Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A",
"IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"DNS Lookup) Possible ETERNALBLUE Probe MS17-010 (MSF style) Possible ETERNALBLUE Probe MS17-010 (Generic Flags) ETERNALBLUE Probe Vulnerable System Response MS17-010 Possible ETERNALBLUE MS17-010 Heap Spray More Yara Detections WannaCry_Ransomware , Win32_Ransomware_WannaCry , Wanna_Cry_Ransomware_Generic , MS17_010_WanaCry_worm , stack_string More Alerts 25 Alerts suspicious_iocontrol_codes persistence_autorun persistence_autorun_tasks stealth_file suricata_alert antivm_generic_disk anomalous_deletefil",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"All IP\u2019s Contacted 27.102.115.143 199.232.210.172 Domains",
"http://s.vebnox.com \u2022 vebnox.com \u2022 http://stulancer.vebnox.com \u2022 vebnox.com \u2022 http://vedonate.vebnox.com \u2022 vebnox.com \u2022 https://home.vebnox.com vebnox.com \u2022 https://vedonate.vebnox.com",
"Can the DoD no questions asked target a SA victim",
"Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access",
"Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below",
"Alerts: physical_drive_access deletes_executed_files anomalous_deletefile",
"https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_(64bit)_v136.0.7103.49.exe",
"IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org",
"http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop",
"Contacted: newmethcnc.duckdns.org",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"Antivirus Detections: ELF:Mirai-AAL\\ [Trj] , Unix.Trojan.Mirai-1 , Backdoor:Linux/Mirai.N!MTB",
"More PE Packer Microsoft Visual C++ Compilation | File Type PEXE - PE32 executable (GUI) Intel 80386, for MS Windows",
"Yara Detections Mirai_Botnet_Malware , Mirai_2 , is__elf , Linux_Mirai , ECHOBOT",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"w32.virut.cf \u2022 win32.virut.am \u2022 virut.cf \u2022 http://w32.virut.cf \u2022http://w32.virut.cf/ \u2022 https://w32.virut.cf",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"business-support.intel.com \u2022 dns0.org \u2022 http://g-ns-1047.awsdns-20.org/",
"DYNAMIC_DNS Query to *.duckdns. Domain",
"Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
"Abused Domains Contacted: xred.mooo.com freedns.afraid.org",
"https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html",
"Alerts: enumerates_running_processes reads_self packer_unknown_pe_section_name contains_pe_overlay dropper queries_keyboard_layout",
"Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"IDS Detections ET POLICY Suspicious User-Agent Containing .exe",
"Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"Google_Chrome_64bit_v136.0.7103.49.exe",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"ET TROJAN W32/Kegotip CnC Beacon",
"IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS",
"Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://www.mumuplayer.com/redirect/customerservice/fB)y",
"Telnet Root Password Inbound TELNET login failed root login Bad Login Less",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com",
"Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading",
"Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com \u2022\u2019survey-smiles.com",
"It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"IP\u2019s Contacted: 1.101.184.254 1.103.104.9 1.103.141.89 1.104.104.227",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"Trojan.Mebroot , a variant of Win32/Mebroot.BM , Trojan:W32/Mebroot.gen!A , Trojan.Packed.2447",
"IDS: TLS Handshake Failure",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry",
"I am very upset. Whoever is doing this is sick.",
"docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com",
"https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips",
"by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"itunes.apple.com \u2022 api.amazon.com",
"Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com",
"Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"IDS Detections: Observed DNS Query to ELF/Various Mirai Variant CnC Domain Huawei Remote Command Execution (CVE-2017-17215)",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth",
"pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz",
"Gen:Trojan.Heur.wq5@QsnW4Im , Backdoor.Win32.Sinowal.fac , Mal/Sinowa-A ,",
"https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7",
"Yara Detections BackdoorWin32Simda",
"Alerts: resumethread_remote_process antivm_generic_disk antisandbox_sleep dynamic_function_loading",
"Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/",
"IDS Detections: ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.google.com)",
"Detections PSW.Sinowal.X , Win.Trojan.Sinowal-13971 , Artemis!0DF9D8682EFA ,",
"t-iot.de \u2022 dockerregistry.xlab.t-iot.de\t \u2022 netbox.nic.xlab.t-iot.de",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips",
"Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others"
],
"malware_families": [
"Mirai (windows)",
"#lowfi:siga:trojandownloader:msil/genmaldow",
"Trojan:win32/qqpass",
"Unruy",
"Autorunit",
"Starfighter (javascript)",
"Other malware",
"Pegasus for mac",
"Win32/virut",
"Win32/ramnit.a",
"Pegasus rdp module for windows",
"Win.malware.snojan",
"Generic36.adty",
"Alf:trojan:win32/agent.wtk!mtb",
"Psw:win32/vb.cu",
"Win.trojan.agent-245901",
"Backdoor:win32/tofsee.t",
"Bouncycastle",
"Trojandropper:win32/zegost.b",
"Xloader for ios - s0490",
"Alf:backdoor:powershell/reverseshell",
"#lowfi:hstr:win32/mediadownloader",
"Sigur",
"Backdoor:win32/small.ir",
"Trojan:win32/pariham.a",
"Win.trojan.emotet-9850453",
"Graphite (pegasus variant)",
"Worm.autorun-6180",
"Paragon (pegasus variant)",
"Alf:pulzati:worm:win32/mydoom",
"Win.malware.reline-9887776-0",
"W32.virut.ci",
"Mirai (elf)",
"Downloader.generic13.bobz",
"Backdoor:linux/mirai",
"#lowfitrojan:html/iframe",
"Virut",
"Win32.injector",
"Trojan:win32/fugrafa",
"Mirai",
"#lowfi:exploit:java/cve-2012-0507",
"Win.ransomware.wanna-9769986-0",
"W32/kegotip cnc",
"Alf:backdoor:java/webshell",
"Ransom:win32/wannacrypt.h",
"Win.trojan.rootkit-4532",
"Win.malware.zusy",
"Kanna",
"Pegasus for android - mob-s0032",
"#lowfi:hstr:msil/possibledownloader.s01",
"Trojandropper:win32/vb.il",
"Html smuggling",
"Alf:html/phishing",
"Backdoor:linux/mirai.n!mtb",
"Worm:win32/autorun.xxy!bit",
"Generic36.ajsm",
"Generic36.aiaa.dropper",
"#lowfienabledtcontinueafterunpacking",
"Careto",
"Pegasus for ios - s0289",
"Zeroaccess - s0027",
"Win.dropper.nanocore-10021490-0",
"Der zugriff",
"Trojan:js/berbew",
"#hstr:hacktool:win32/remoteshell",
"Psw.sinowal.x",
"Worm:win32/autorun!atmn",
"Mebroot",
"Win.packed.remcos-10024510-0",
"Virtool:win32/injector.gen!bq",
"Win.trojan.agent-31853",
"Win.trojan.injector-12138",
"Win32/blacked",
"Et",
"Trojandownloader:linux/mirai",
"Pegasus",
"Zegost",
"Trojan:win32/comisproc!gmb",
"Malware",
"Win.packed",
"Virus:win95/cerebrus",
"Downloader.generic13.cmtw",
"#exploit:win32/cve- 2023 - 23397",
"Mydoom",
"Hider.biy",
"Win.trojan.blacknetrat-7838854-0",
"Skynet",
"Sf:shellcode-au",
"Win32:malwarex-gen",
"Apnic",
"Code overlap",
"Upatre",
"Foundry",
"Trendmicro",
"Wannacry",
"Win.trojan.fareit-82"
],
"industries": [
"Telecommunications",
"Government",
"Civil",
"Telecom",
"Legal",
"Civilians",
"Technology",
"People",
"Financial",
"Civil society"
],
"unique_indicators": 385097
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/assembly.go.kr",
"whois": "http://whois.domaintools.com/assembly.go.kr",
"domain": "assembly.go.kr",
"hostname": "open.assembly.go.kr"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 25,
"pulses": [
{
"id": "69b2b92a27c47d4e28927364",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:24:26.110000",
"created": "2026-03-12T13:01:30.067000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 73,
"modified_text": "80 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b9295603a6100edfa8c8",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:24:25.387000",
"created": "2026-03-12T13:01:29.284000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 69,
"modified_text": "80 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b927aa7f10e82639d204",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:27.872000",
"created": "2026-03-12T13:01:27.872000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "80 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b927c086397130c5d114",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:27.275000",
"created": "2026-03-12T13:01:27.275000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "80 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b926871746ed8a1bc324",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:26.440000",
"created": "2026-03-12T13:01:26.440000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "80 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b925e85c948d4dd608cc",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:25.852000",
"created": "2026-03-12T13:01:25.852000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "80 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8e974189d2c41f07ed8",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:25.910000",
"created": "2026-03-12T13:00:25.910000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "80 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8e74d2b3effd55f88c3",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:23.173000",
"created": "2026-03-12T13:00:23.173000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "80 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8dfbf8426a7a1d0146d",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:15.427000",
"created": "2026-03-12T13:00:15.427000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "80 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8d7123610591625b8fb",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:07.354000",
"created": "2026-03-12T13:00:07.354000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "80 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://open.assembly.go.kr/portal/openapi/selectInfsOpenApiListPaging.do",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://open.assembly.go.kr/portal/openapi/selectInfsOpenApiListPaging.do",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780306006.399369
}