{ "type": "URL", "indicator": "https://openbsd.map.fastlydns.net", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://openbsd.map.fastlydns.net", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4119206994, "indicator": "https://openbsd.map.fastlydns.net", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69f54c711cd17df01c20d601", "name": "Enemy of the State: Order in the Court \u2022 Part 3 - Rogue Domain Controller | Gh0stRAT", "description": "Active cyber issues\ncontinue to affect Colorado Judicial, Government and Hospital systems. \n\nWhat\u2019s true: Targeting, Hacking , Rogue Domain Controller. Bad actors regularly ride outdated , poorly managed networks. \n\n\nTipped: Monitored Targets past irregular mail \nissues. URLs that redirects to Colorado Justice system., included in a letter that was sent to an undeliverable address. Mail sent again, recipient believes the contents of letters does not appear authentic. \n\n\nTipped: RE: Monitored Target. Unfavorable, Unjust conditions in Denver , Colorado USA. As recent as 4/2026. Other pulses related to this matter suggests a Pegasus relationship. Will need to analyze.", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T00:59:29.794000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 271, "hostname": 743, "URL": 1509, "FileHash-SHA256": 1574, "IPv4": 30, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4 }, "indicator_count": 4437, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "2 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5d960e861f6159823ff0b", "name": "CREDIT: Q.VASHTI, Clone [\"Enemy of the State: Order in the Court \u2022 Part 3 - Rogue Domain Controller | Gh0stRAT'] credit, Q.VASHTI", "description": "", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T11:00:48.440000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": "69f54c711cd17df01c20d601", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 271, "hostname": 744, "URL": 1509, "FileHash-SHA256": 1574, "IPv4": 45, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4 }, "indicator_count": 4453, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "2 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5da1228db82eb87274cab", "name": "CREDIT: Q.VASHTI, Clone [\"Enemy of the State: Order in the Court] clone from cellphone seperate", "description": "", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T11:03:46.995000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": "69f5d960e861f6159823ff0b", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 273, "hostname": 769, "URL": 1601, "FileHash-SHA256": 1576, "IPv4": 242, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4, "IPv6": 4 }, "indicator_count": 4775, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "2 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689b9b9fab42ca4f016a226f", "name": "Elastic's Al-driven Endpoint Security - Red Team Malicious (moved?)", "description": "Endgame - Unruy Activity -System infection | (Moved) Endpoint security (MOVED) from Elastic\nElastic's Al-driven security analytics empowers you with comprehensive endpoint protection. Detect, investigate, and respond to threats faster with a single agent and unified console. Gain actionable insights for a proactive defense posture. All built on the Search\nAl platform.\n| Used maliciously against monitored non-criminal targets. |\n{ virus - https://universitycenter.uccs.edu/}\n#unruy #activity #monitored_target #red_team_malicious #trojan #worm #moved\n#ai #adversarial #custom_malware #ransom #crypt #guardrails #dns #cnc #evasive #domain_generation #remote_access #devices #remotewd #virus #custom_malware #rip #endgame \n\u2022 TrojanDropper\t\t\t\n\u2022 Win32:Evo-gen\t\u2022 Cassini\n\u2022 RansomX-gen\u2022 Zombie.A\n\u2022 win32:MalwareX-gen\t\u2022 Win32:Malware-gen \u2022 Nymeria\n\u2022 Forcud +", "modified": "2025-09-11T13:03:18.814000", "created": "2025-08-12T19:53:03.953000", "tags": [ "url http", "url https", "indicator role", "title added", "active related", "pulses url", "entries", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "href", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "show technique", "ck matrix", "null", "refresh", "body", "span", "general", "local", "path", "iframe", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "united", "unknown ns", "ip address", "creation date", "search", "present sep", "moved", "domain add", "encrypt", "accept", "please", "passive dns", "msie", "next associated", "html", "background", "unknown site", "div div", "trojan", "zeus", "process32nextw", "read c", "show", "shellexecuteexw", "windows nt", "wow64", "copy", "dock", "write", "malware", "unknown", "defense evasion", "t1480 execution", "file defense", "august", "hybrid", "port", "destination", "tlsv1", "as15169", "ogoogle trust", "cngts ca", "execution", "next", "persistence", "data upload", "extraction", "win32", "ransom", "trojandropper", "mtb nov", "forcud", "files show", "date hash", "avast avg" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4179, "domain": 774, "hostname": 1673, "FileHash-MD5": 169, "FileHash-SHA1": 110, "FileHash-SHA256": 2073, "email": 1, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 8993, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "261 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "www.its.courts.state.co.us", "https://rockylinux.map.fastlydns.net/", "https://www.sweetheartvideo.com/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "https://www.coloradojudicial.gov/data", "chrome.cloudflare-dns.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win.trojan.gh0strat-7480037-0", "Trojandownloader:win32/vb.il", "Trojan:msil/snakekeylogger.mk1!mtb", "Trojan:win32/gupboot.b", "Trojandownloader:win32/upatre", "Trojandownloader:win32/misfox", "Alf:trojan:win32/cassini_f2776388!ibt", "Trojan:win32/zombie.a", "Win.trojan.killav-210", "Tel:trojan:win32/injector.ab!msr", "Trojan:win32/scar.mr!mtb", "Trojan:win32/zbot", "Trojandownloader:win32/nemucod", "Trojandownloader:win32/systex.a", "Trojan:win32/dorv.a", "Trojan:win32/blihan.a", "Malware packed", "Win.trojan.barys", "Win.malware.jaik-9968280-0", "Trojandownloader:win32/inbat.h", "Win.trojan.generic-9908275-0", "Alf:pulzati:trojan:win32/emotet!rfn", "Trojan:win32/glupteba.mt!mtb" ], "industries": [ "Technology", "Government", "Law" ], "unique_indicators": 13619 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/fastlydns.net", "whois": "http://whois.domaintools.com/fastlydns.net", "domain": "fastlydns.net", "hostname": "openbsd.map.fastlydns.net" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69f54c711cd17df01c20d601", "name": "Enemy of the State: Order in the Court \u2022 Part 3 - Rogue Domain Controller | Gh0stRAT", "description": "Active cyber issues\ncontinue to affect Colorado Judicial, Government and Hospital systems. \n\nWhat\u2019s true: Targeting, Hacking , Rogue Domain Controller. Bad actors regularly ride outdated , poorly managed networks. \n\n\nTipped: Monitored Targets past irregular mail \nissues. URLs that redirects to Colorado Justice system., included in a letter that was sent to an undeliverable address. Mail sent again, recipient believes the contents of letters does not appear authentic. \n\n\nTipped: RE: Monitored Target. Unfavorable, Unjust conditions in Denver , Colorado USA. As recent as 4/2026. Other pulses related to this matter suggests a Pegasus relationship. Will need to analyze.", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T00:59:29.794000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 271, "hostname": 743, "URL": 1509, "FileHash-SHA256": 1574, "IPv4": 30, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4 }, "indicator_count": 4437, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "2 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5d960e861f6159823ff0b", "name": "CREDIT: Q.VASHTI, Clone [\"Enemy of the State: Order in the Court \u2022 Part 3 - Rogue Domain Controller | Gh0stRAT'] credit, Q.VASHTI", "description": "", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T11:00:48.440000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": "69f54c711cd17df01c20d601", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 271, "hostname": 744, "URL": 1509, "FileHash-SHA256": 1574, "IPv4": 45, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4 }, "indicator_count": 4453, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "2 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5da1228db82eb87274cab", "name": "CREDIT: Q.VASHTI, Clone [\"Enemy of the State: Order in the Court] clone from cellphone seperate", "description": "", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T11:03:46.995000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": "69f5d960e861f6159823ff0b", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 273, "hostname": 769, "URL": 1601, "FileHash-SHA256": 1576, "IPv4": 242, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4, "IPv6": 4 }, "indicator_count": 4775, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "2 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689b9b9fab42ca4f016a226f", "name": "Elastic's Al-driven Endpoint Security - Red Team Malicious (moved?)", "description": "Endgame - Unruy Activity -System infection | (Moved) Endpoint security (MOVED) from Elastic\nElastic's Al-driven security analytics empowers you with comprehensive endpoint protection. Detect, investigate, and respond to threats faster with a single agent and unified console. Gain actionable insights for a proactive defense posture. All built on the Search\nAl platform.\n| Used maliciously against monitored non-criminal targets. |\n{ virus - https://universitycenter.uccs.edu/}\n#unruy #activity #monitored_target #red_team_malicious #trojan #worm #moved\n#ai #adversarial #custom_malware #ransom #crypt #guardrails #dns #cnc #evasive #domain_generation #remote_access #devices #remotewd #virus #custom_malware #rip #endgame \n\u2022 TrojanDropper\t\t\t\n\u2022 Win32:Evo-gen\t\u2022 Cassini\n\u2022 RansomX-gen\u2022 Zombie.A\n\u2022 win32:MalwareX-gen\t\u2022 Win32:Malware-gen \u2022 Nymeria\n\u2022 Forcud +", "modified": "2025-09-11T13:03:18.814000", "created": "2025-08-12T19:53:03.953000", "tags": [ "url http", "url https", "indicator role", "title added", "active related", "pulses url", "entries", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "href", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "show technique", "ck matrix", "null", "refresh", "body", "span", "general", "local", "path", "iframe", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "united", "unknown ns", "ip address", "creation date", "search", "present sep", "moved", "domain add", "encrypt", "accept", "please", "passive dns", "msie", "next associated", "html", "background", "unknown site", "div div", "trojan", "zeus", "process32nextw", "read c", "show", "shellexecuteexw", "windows nt", "wow64", "copy", "dock", "write", "malware", "unknown", "defense evasion", "t1480 execution", "file defense", "august", "hybrid", "port", "destination", "tlsv1", "as15169", "ogoogle trust", "cngts ca", "execution", "next", "persistence", "data upload", "extraction", "win32", "ransom", "trojandropper", "mtb nov", "forcud", "files show", "date hash", "avast avg" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4179, "domain": 774, "hostname": 1673, "FileHash-MD5": 169, "FileHash-SHA1": 110, "FileHash-SHA256": 2073, "email": 1, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 8993, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "261 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://openbsd.map.fastlydns.net", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://openbsd.map.fastlydns.net", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780215241.7062087 }