{ "type": "URL", "indicator": "https://openldap02.docs-planet.site", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://openldap02.docs-planet.site", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3374273341, "indicator": "https://openldap02.docs-planet.site", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 39, "pulses": [ { "id": "69a9cd444aa144401d0c4988", "name": "Pools Open", "description": "", "modified": "2026-04-15T19:21:28.851000", "created": "2026-03-05T18:36:52.014000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23428, "hostname": 9592, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47103, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a3c685d4b7c139ffe62930", "name": "Clone Pulse Reference", "description": "", "modified": "2026-04-01T00:44:45.494000", "created": "2026-03-01T04:54:29.384000", "tags": [ "ipv4", "active related", "trojandropper", "mtb jun", "lowfi", "trojan", "mtb jan", "fastly error", "please", "united", "ttl value", "get na", "total", "delete", "search", "yara detections", "sinkhole cookie", "value snkz", "write", "suspicious", "ransom", "malware", "Ransom.Win32.Birele.gsg Checkin", "AnubisNetworks Sinkhole Cookie Value Snkz", "Possible Compromised Host", "dynamicloader", "delete c", "default", "medium", "write c", "settingswpad", "intel", "ms windows", "users", "number", "title", "installer", "top source", "top destination", "source source", "port", "filehash", "av detections", "ids detections", "yara rule", "gravityrat", "detectvm", "x00 x00", "x00x00", "doviacmd", "rootjob", "getfiles", "updateserver", "ethernetid", "ids signatures", "exploits", "sid name", "malware cve", "dns query", "dnsbin demo", "data exfil", "exif data", "DNS Query for Webhook/HTTP Request Inspection Service (x .pipedr", "DNSBin Demo (requestbin .net) - Data Exfitration", "source port", "destination", "present sep", "script urls", "script script", "a domains", "script domains", "ip address", "meta", "present nov", "passive dns", "next associated", "domain add", "pe executable", "entries", "show", "msie", "windows nt", "wow64", "copy", "present jan", "present feb", "domain", "pulse pulses", "urls", "files", "tam legal", "christopher ahmann", "https://unicef.se/assets/apple", "treece alfrey", "hours ago", "information", "report spam", "ahmann colorado", "state", "special cousel", "created", "expiro", "capture" ], "references": [ "Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN", "Fastly Error and Palantir blocked several times over the last few months.", "Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)", "IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.", "Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN", "Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT", "Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName", "Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage", "https://unicef.se/assets/apple" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "PWS:Win32/QQpass.FC", "display_name": "PWS:Win32/QQpass.FC", "target": "/malware/PWS:Win32/QQpass.FC" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Malware.Urelas-9863836-0", "display_name": "Win.Malware.Urelas-9863836-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Win.Trojan.Vundo-7170412-0", "display_name": "Win.Trojan.Vundo-7170412-0", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Multiple Malware\u2019s , Trojans and Rats", "display_name": "Multiple Malware\u2019s , Trojans and Rats", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "6906bd99cadbd4140014c6af", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 909, "domain": 454, "hostname": 1404, "URL": 3557, "CIDR": 1, "FileHash-MD5": 242, "FileHash-SHA1": 185, "email": 1, "CVE": 1 }, "indicator_count": 6754, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696ac438a696c993b672106d", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:05:28.261000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696ac4327b5bc2e8be34f78a", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:05:22.323000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696ac416596cd89cf76bce55", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:04:53.997000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69642a749490c0bf404aa8ac", "name": "Google Services - Malware Packed Google Branded Services", "description": "Contacted Google services | Service (1 of 3) || GoogleChromeElevationService | Mofksys \u2022 Unruy | Relationship: https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b | \n#affilliated #worm _#exploit #alternate_google #infection #spyware", "modified": "2026-02-10T22:01:54.041000", "created": "2026-01-11T22:55:48.308000", "tags": [ "write c", "write", "delete c", "ms windows", "pe32 executable", "globalc", "united", "worm", "malware", "defender", "united states", "google", "google account", "mtb ids", "cloudflare dns", "https domain", "tls sni", "medium priority", "yara detections", "alerts", "google play", "google api", "google chrome", "mofksys", "exploit", "process32nextw", "msie", "windows nt", "wow64", "slcc2", "media center", "search", "precreate read", "read c", "dock", "unknown", "suspicious", "alt google", "execution att", "lowfi", "mtb jan", "trojandropper", "passive dns", "backdoor", "win32upatre jan", "origin trial", "gmt cache", "443 ma2592000", "possible", "trojan", "title", "mtb dec", "ipv4 add", "state", "trojan", "dropper", "phishing", "ransom", "of colorado" ], "references": [ "accounts.google.com \u2022 apis.google.com clients2.google.com \u2022 clients2.googleusercontent.com", "142.251.9.95 \u2022 https://clients2.google.com/cr/report \u2022 accounts.google.com \u2022", "ogads-pa.clients6.google.com \u2022 optimizationguide-pa.googleapis.com \u2022 play.google.com", "update.googleapis.com \u2022 www.google.com \u2022 clientservices.googleapis.com", "Worm:Win32/Mofksys.RND!MTB | Yara Detections: SUSP_Imphash_Mar23_2", "IDS Detection: Observed Cloudflare DNS over HTTPS \u2022 Domain (cloudflare-dns .com in TLS SNI)", "Alerts: suspicious_iocontrol_codes infostealer_cookies persistence_autorun antisandbox_sleep", "Alerts: persistence_autorun_tasks polymorphic procmem_yara static_pe_anomaly antiav_detectfile", "Alerts: antiav_detectreg antivm_bochs_keys antivm_generic_disk infostealer_mail injection_write", "Alerts: suspicious_command_tools anomalous_deletefile mouse_movement_detect", "Alerts: dynamic_function_loading resumethread_remote_process stealth_hiddenreg", "Contacted Google services", "SERVICE NAME: SSDPSRV \u2022 Delete upnphost\tDelete \u2022 GoogleChromeElevationService", "https://otx.alienvault.com/indicator/file/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "codewiki.google", "Win.Malware.Unruy-6912804-0 IDS Detections: Win32/Unruy.C Activity 403 Forbidden", "Alerts: network_icmp persistence_autorun antivm_vmware_in_instruction", "Alerts: network_http antisandbox_sleep creates_exe dropper stealth_window", "Alerts: injection_process_search protection_rx", "IP\u2019s Contacted: 142.250.74.68 142.250.74.99 18.66.121.69 185.53.179.170 2.22.41.134 204.79.197.200", "IP\u2019s Contacted: 208.91.196.46 209.197.3.8 216.239.32.29 35.186.238.101", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com www.google.com", "Domains Contacted: ocsp.pki.goog www.download.windowsupdate.com ifdnzact.com", "Domains Contacted: d38psrni17bvxu.cloudfront.net www2.megawebfind.com www6.megawebfind.com", "PE Version Information : TJprojMain.exe", "Found in : https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b", "IDS Detections Win32/Unruy.C Activity \u2022 403 Forbidden" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Malware.Unruy-6912804-0", "display_name": "Win.Malware.Unruy-6912804-0", "target": null }, { "id": "Win.Packed.Eyestye-9754938-0", "display_name": "Win.Packed.Eyestye-9754938-0", "target": null }, { "id": "Eyestye", "display_name": "Eyestye", "target": null }, { "id": "AutoRun", "display_name": "AutoRun", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Trojan:Win32/EyeStye.T", "display_name": "Trojan:Win32/EyeStye.T", "target": "/malware/Trojan:Win32/EyeStye.T" }, { "id": "ALF:HeraklezEval:PUA:Win32/4Shared", "display_name": "ALF:HeraklezEval:PUA:Win32/4Shared", "target": null }, { "id": "Cassini", "display_name": "Cassini", "target": null }, { "id": "DarkMoon", "display_name": "DarkMoon", "target": null }, { "id": "PolyRansom", "display_name": "PolyRansom", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1078.003", "name": "Local Accounts", "display_name": "T1078.003 - Local Accounts" }, { "id": "T1078.001", "name": "Default Accounts", "display_name": "T1078.001 - Default Accounts" }, { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1090.004", "name": "Domain Fronting", "display_name": "T1090.004 - Domain Fronting" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 198, "FileHash-SHA1": 165, "FileHash-SHA256": 867, "URL": 1461, "hostname": 429, "domain": 221, "SSLCertFingerprint": 1 }, "indicator_count": 3342, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "67 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6935d7d4979c94d296e4b033", "name": "New Exploits | CVE\u2019s | 12.07.2025", "description": "", "modified": "2026-01-06T00:03:32.099000", "created": "2025-12-07T19:39:00.258000", "tags": [], "references": [ "Phishing: https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav/", "https://www.redpacketsecurity.com/cve-alert-cve-2025-59230-microsoft-windows-10-version-1809/", "https://www.redpacketsecurity.com/cve_alert_cve-2024-12847/", "https://www.redpacketsecurity.com/cve_alert_cve-2025-4135/", "https://www.redpacketsecurity.com/cve_alert_cve-2025-4140/", "https://www.redpacketsecurity.com/cve_alert_cve-2025-4142/", "https://www.redpacketsecurity.com/cve_alert_cve-2025-45492/", "https://www.redpacketsecurity.com/firefox-0day-cve-2015-4495/" ], "public": 1, "adversary": "Coinbase Cartel", "targeted_countries": [ "United States of America", "Bangladesh", "Sweden", "Japan" ], "malware_families": [ { "id": "Exploit:Linux/CVE-2017-17215", "display_name": "Exploit:Linux/CVE-2017-17215", "target": "/malware/Exploit:Linux/CVE-2017-17215" }, { "id": "Exploit:JS/CVE-2014-0322", "display_name": "Exploit:JS/CVE-2014-0322", "target": "/malware/Exploit:JS/CVE-2014-0322" }, { "id": "CVE-2015-4495", "display_name": "CVE-2015-4495", "target": null }, { "id": "CVE-2024-12847", "display_name": "CVE-2024-12847", "target": null }, { "id": "CVE-2025-11727", "display_name": "CVE-2025-11727", "target": null }, { "id": "CVE-2025-4135", "display_name": "CVE-2025-4135", "target": null }, { "id": "CVE-2025-4140", "display_name": "CVE-2025-4140", "target": null }, { "id": "CVE-2025-4142", "display_name": "CVE-2025-4142", "target": null }, { "id": "CVE-2025-45492", "display_name": "CVE-2025-45492", "target": null }, { "id": "CVE-2025-59230", "display_name": "CVE-2025-59230", "target": null } ], "attack_ids": [ { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" } ], "industries": [ "Education" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 523, "CVE": 10, "domain": 44, "hostname": 149, "FileHash-MD5": 30, "FileHash-SHA1": 21, "FileHash-SHA256": 133 }, "indicator_count": 910, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "103 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "5fa57698ac0f6638b7b9a8ba", "name": "Pool's Closed", "description": "Two paupers from the meadow spring forth an upheaval of nasty sites on the world wide web.", "modified": "2025-12-27T05:02:34.910000", "created": "2020-11-06T16:15:20.139000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": null, "export_count": 61, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23426, "hostname": 9590, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47099, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "113 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6906bd99cadbd4140014c6af", "name": "Espionage - Gravity RAT + | Legal entities are State owned. Attacking severely injured PT\u2019s SA victim.", "description": "Fastly CDN for Palantir (Verizon) unless updated. Very malicious IoC\u2019s found evaluating IoC\u2019 from Christopher Ahmann - TAM Legal link.\n- Made contact with victim several times.\n- Illegal contact made with attorneys considering representing Tsara. \n- https://unicef.se/assets/apple - link related to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage.\n\nAhmann is named as special counsel but he , like Brian Sabey are \u2018ONLY\u2019 cyber attacking Tsara Brashears.\n\n- protecting Jeffrey Reimer DPT, multiple doctors, Concentra, blocked and denied care , hired a hitman/men and it would have. Even cheaper to pay her for the injuries she never sought compensation for due to aggressive attacks and threats.", "modified": "2025-12-02T01:05:30.331000", "created": "2025-11-02T02:10:33.546000", "tags": [ "ipv4", "active related", "trojandropper", "mtb jun", "lowfi", "trojan", "mtb jan", "fastly error", "please", "united", "ttl value", "get na", "total", "delete", "search", "yara detections", "sinkhole cookie", "value snkz", "write", "suspicious", "ransom", "malware", "Ransom.Win32.Birele.gsg Checkin", "AnubisNetworks Sinkhole Cookie Value Snkz", "Possible Compromised Host", "dynamicloader", "delete c", "default", "medium", "write c", "settingswpad", "intel", "ms windows", "users", "number", "title", "installer", "top source", "top destination", "source source", "port", "filehash", "av detections", "ids detections", "yara rule", "gravityrat", "detectvm", "x00 x00", "x00x00", "doviacmd", "rootjob", "getfiles", "updateserver", "ethernetid", "ids signatures", "exploits", "sid name", "malware cve", "dns query", "dnsbin demo", "data exfil", "exif data", "DNS Query for Webhook/HTTP Request Inspection Service (x .pipedr", "DNSBin Demo (requestbin .net) - Data Exfitration", "source port", "destination", "present sep", "script urls", "script script", "a domains", "script domains", "ip address", "meta", "present nov", "passive dns", "next associated", "domain add", "pe executable", "entries", "show", "msie", "windows nt", "wow64", "copy", "present jan", "present feb", "domain", "pulse pulses", "urls", "files", "tam legal", "christopher ahmann", "https://unicef.se/assets/apple", "treece alfrey", "hours ago", "information", "report spam", "ahmann colorado", "state", "special cousel", "created", "expiro", "capture" ], "references": [ "Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN", "Fastly Error and Palantir blocked several times over the last few months.", "Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)", "IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.", "Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN", "Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT", "Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName", "Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage", "https://unicef.se/assets/apple" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "PWS:Win32/QQpass.FC", "display_name": "PWS:Win32/QQpass.FC", "target": "/malware/PWS:Win32/QQpass.FC" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Malware.Urelas-9863836-0", "display_name": "Win.Malware.Urelas-9863836-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Win.Trojan.Vundo-7170412-0", "display_name": "Win.Trojan.Vundo-7170412-0", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Multiple Malware\u2019s , Trojans and Rats", "display_name": "Multiple Malware\u2019s , Trojans and Rats", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 909, "domain": 449, "hostname": 1403, "URL": 3552, "CIDR": 1, "FileHash-MD5": 242, "FileHash-SHA1": 185, "email": 1 }, "indicator_count": 6742, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "138 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fd0cc422cea2fd989581fd", "name": "LevelBlue - Open Threat Exchange (Malicious Attacks)", "description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.", "modified": "2025-11-24T17:02:12.441000", "created": "2025-10-25T17:45:40.291000", "tags": [ "ipv4", "levelblue", "open threat", "date sat", "connection", "etag w", "cloudfront", "sameorigin age", "vary", "ip address", "kb body", "gtmkvjvztk", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "learn", "exchange og", "levelblue open", "threat exchange", "exchange", "google tag", "iocs", "search otx", "included iocs", "review iocs", "data upload", "extraction", "layer protocol", "v full", "reports v", "port t1571", "t1573", "oc0006 http", "c0014", "get http", "dns resolutions", "user", "data", "datacrashpad", "edge", "tag manager", "us er", "help files", "shell", "html", "cve202323397", "iframe tags", "community score", "url http", "url https", "united", "united kingdom", "netherlands", "search", "type indicator", "role title", "added active", "related pulses", "indicator role", "title added", "active related", "otc oct", "report spam", "week ago", "scan", "learn more", "filehashmd5", "filehashsha1", "domain", "australia", "does", "josh", "created", "filehashsha256", "present jul", "present oct", "date", "a domains", "script urls", "for privacy", "moved", "script domains", "meta", "title", "body", "pragma", "encrypt", "ck ids", "t1060", "run keys", "startup", "folder", "t1027", "files", "information", "t1055", "injection", "capture", "south korea", "malaysia", "pulses", "fatal error", "hacker known", "name", "unknown", "risk", "weeks ago", "scary", "sova", "colorado", "wire", "name unknown", "thursday", "denver", "types of", "indicators hong", "kong", "tsara brashears", "african", "ethiopia", "b8reactjs", "india", "america", "x ua", "hostname", "dicator role", "pulses url", "airplane", "icator role", "t1432", "access contact", "list", "t1525", "image", "security scan", "heuristic oct", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1114", "t1480", "internal image", "brian sabey", "month ago", "modified", "days ago", "green well", "sabey stash", "service", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sova", "display_name": "Sova", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 956, "FileHash-SHA1": 906, "FileHash-SHA256": 2651, "URL": 4450, "domain": 708, "hostname": 2403, "CVE": 1, "email": 5 }, "indicator_count": 12080, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "145 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68edc1c2be848e73a32ab9ba", "name": "Fatal Error - Hacker Known \u2022 Name Unknown | Lives @ risk", "description": "I am connected to targeteds phone. My location is autonomous _ will show up in Colorado most likely. \n\nScary, this weekend a woman dressed like a peasant somehow managed to give me a letter past Thursday with information about a death in the 11th floor of an Apartment in Denver. The Sova. Alleged drug overdose may have actually been a homicide, I sound & feel crazy, there were names inside , emails , plans for Airplane attacks affecting civilians this month. I couldn\u2019t, wouldn\u2019t create this. Apparently UK born citizens sponsored by a Google hierarchy were able to weave their way into the lives a family member & Tsara Brashears . These are white males, anlso involved are citizens from African, Ethiopia, India and America deeply involved. They used fake names and I have said too much. If there is an helpful person on here please help!!! There\nis worse and it might be legal hits to insight money for war!\n#nso_related", "modified": "2025-11-13T02:02:12.454000", "created": "2025-10-14T03:21:38.305000", "tags": [ "pulses ipv4", "ipv4", "div div", "united", "script script", "a li", "present jul", "param", "entries", "present aug", "certificate", "global domains", "date", "title", "class", "meta", "agent", "stack", "life", "a domains", "passive dns", "urls", "ok server", "gmt content", "type", "hostname add", "pulse pulses", "files", "win32mydoom oct", "trojan", "next associated", "pulse", "reverse dns", "twitter", "body", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "yara rule", "ff d5", "ascii text", "f0 ff", "eb e1", "unknown", "copy", "write", "malware", "push", "next", "autorun", "suspicious", "ip address", "unknown ns", "unknown aaaa", "ipv4 add", "location united", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "ck id", "show technique", "mitre att", "path", "error", "fatalerror", "general", "hybrid", "local", "click", "strings", "filehashsha256", "filehashmd5", "filehashsha1", "iist", "malware family", "mydoom att", "ck ids", "t1060", "run keys", "indicator role", "title added", "active related", "showing", "url https", "url http", "startup", "folder", "web protocols", "t1105", "tool transfer", "indicators hong", "kong", "china", "germany", "australia", "search", "type indicator", "role title", "added active", "related pulses", "wire", "t1071" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2724, "hostname": 1212, "domain": 410, "FileHash-MD5": 408, "email": 9, "FileHash-SHA256": 604, "FileHash-SHA1": 307 }, "indicator_count": 5674, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dbee57fc8b1739c2223376", "name": "Serious Privacy Violations \u2022 Groundup Monitoring a Household \u2022 IoT", "description": "Thank you for the tip. It\u2019s taken me 98 days to get to this one. Enlightening. \n\nI\u2019m going to reserve my comments. A lot of new stuff here. \n#Intrusive\n#helix #helix_foundry_connection #amazon #advesaries_in_the_middle", "modified": "2025-10-30T14:05:43.818000", "created": "2025-09-30T14:51:03.111000", "tags": [ "united", "trojandropper", "passive dns", "lowfi", "head meta", "moved title", "twitter", "moved", "a href", "present sep", "aaaa", "ireland", "ip address", "emails", "reverse dns", "malware", "unruy", "upatre", "snowjan", "zusy", "vb", "x.com", "downloader", "trojan", "agent", "pe32 executable", "intel", "ms windows", "reads", "medium", "write", "delete", "top source", "push", "germany unknown", "name servers", "head body", "urls", "files ip", "url analysis", "address", "asn as3320", "present jun", "present jul", "present may", "present oct", "present feb", "present nov", "url hostname", "server response", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "development att", "ssl certificate", "path", "sha256", "pattern match", "ffffff", "general", "iframe", "click", "strings", "leon", "dns requests", "domain address", "http", "files domain", "files related", "ireland unknown", "files", "dublin", "ireland asn", "as16509", "script urls", "dubai real", "meta", "encrypt", "austria unknown", "austria asn", "asnone dns", "resolutions", "handle", "rdap database", "iana registrar", "helix", "foundry", "iot", "apple", "itunes", "amazon", "unknown ns", "found", "content type", "gmt server", "x xss", "certificate", "domain add", "error", "code", "date", "entries", "next associated", "body html", "title", "present aug", "servers", "status", "for privacy", "redacted for", "spawns", "ck techniques", "url add", "pulse pulses", "related nids", "files location", "flag united", "showing", "media", "cname", "invalid url", "creation date", "body", "sha1", "copy md5", "copy sha1", "copy sha256", "ascii text", "mitre att", "show technique", "hybrid", "local" ], "references": [ "families.google/intl/pt-PT_ALL/familylink \u2022 cameyo.google \u2022 googlecampaigns.com \u2022. chrome.com.bh", "t-iot.de \u2022 dockerregistry.xlab.t-iot.de\t \u2022 netbox.nic.xlab.t-iot.de", "www.n-helix.com - Foundry remnant", "itunes.apple.com \u2022 api.amazon.com", "https://webclientshellserver-prod-trafficmanager-net.s-0005.dual-s-msedge.net", "https://www.matchsticksandgasoline.com/2018/11/2/18051280/the-morning-after-colorado-if-you-want-to-be-a-goalie-skip-these-highlights-mark-giordano", "http://s.vebnox.com \u2022 vebnox.com \u2022 http://stulancer.vebnox.com \u2022 vebnox.com \u2022 http://vedonate.vebnox.com \u2022 vebnox.com \u2022 https://home.vebnox.com vebnox.com \u2022 https://vedonate.vebnox.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win.Malware.Zusy", "display_name": "Win.Malware.Zusy", "target": null }, { "id": "Trojandropper:Win32/VB.IL", "display_name": "Trojandropper:Win32/VB.IL", "target": "/malware/Trojandropper:Win32/VB.IL" }, { "id": "Win.Malware.Snojan", "display_name": "Win.Malware.Snojan", "target": null }, { "id": "Win.Packed", "display_name": "Win.Packed", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "ALF:Trojan:Win32/Agent.WTK!MTB", "display_name": "ALF:Trojan:Win32/Agent.WTK!MTB", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3399, "domain": 790, "FileHash-MD5": 174, "FileHash-SHA1": 171, "FileHash-SHA256": 3349, "hostname": 1325, "email": 10, "SSLCertFingerprint": 9 }, "indicator_count": 9227, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bc8015944465ffa1c03148", "name": "Security Affairs affecting Critical Infrastructure", "description": "Security affairs.com found in a State Policy & Financing website research due to social engineering & insurance policies hacking scheme. \u2022 SecurityAffairs.com statement: The website specializes in cybersecurity and its related fields, providing insights into current threats and trends. \nContent:\nIt features news articles, investigative reports, and analyses from experts in the field. \nTopics:\nContent often includes discussions on:\ncybercrime,\ncybersecurity trends ,\nintelligence and geopolitics,\nemerging threats. (I can\u2019t verify because idk).\n\n(Auto populated: 335,923 out of 489,337 Fortinet firewalls vulnerable to CVE-2023-27997)\nAdversary auto populated: Suggested Adversaries:\nMember Ad-Hoc Working ADVERSARIES Group on Cyber Threat Landscapes, Ethical Hacker, Security Evangelist", "modified": "2025-10-06T18:03:15.359000", "created": "2025-09-06T18:40:21.276000", "tags": [ "script urls", "security", "script domains", "ip address", "meta", "stealth window", "reads_self", "creates_largekey", "dynamic_function_loading", "script_created_process", "antivm_generic_disk", "ids", "infostealer_cookies", "infostealer_keylog", "custom malware", "suspicious_command_tools", "antisandbox_mouse_hook", "dynamicloader", "tlsv1", "ogoogle trust", "cngts ca", "tls handshake", "failure", "united", "high", "search", "write", "malware", "unknown", "extraction", "data upload", "extraction data", "enter soudae", "hdi ad", "temdac c", "extri", "include review", "trojandropper", "mtb jun", "passive dns", "files", "location united", "twitter", "exploit", "delete c", "intel", "ms windows", "medium", "pe32", "port", "destination", "present sep", "a domains", "creation date", "error", "title", "android", "known exploited", "google", "salesloft drift", "qantas", "july", "meetc2", "c2 framework", "google calendar", "apis", "critical", "rokrat", "windows", "tags none", "file type", "virustotal api", "screenshots", "comments", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "defense evasion", "spawns", "t1590 gather", "copy md5", "copy sha1", "copy sha256", "additional info", "yara signature", "unicode text", "utf8 text", "idat", "style", "defs", "command decode", "strings", "yxgbc", "core", "flag", "date", "markmonitor", "server", "automattic", "name server", "proxy", "llc name", "windir", "pattern match", "mitre att", "show technique", "ck matrix", "sha1", "show process", "hybrid", "general", "local", "path", "encrypt", "form", "iframe", "click", "server response", "google safe", "results aug", "affairs", "founder", "cybhorus", "cybaze", "member adhoc", "working group", "cyber threat", "landscapes", "ethical hacker", "hoc working", "ssl certificate", "initial access", "href", "ascii text" ], "references": [ "https://securityaffairs.com/", "/181480/cyber-crime/iot-under-siege-the-return-of-the-mirai-based-gayfemboy-botnet.html", "https://securityaffairs.com/106770/deep-web/ubereats-data-leaked-dark-web.html", "https://securityaffairs.com/107190/data-breach/sodinokibi-ransomware-brown-forman.html", "https://securityaffairs.com/115693/apt/chinese-hackers-5g.html", "https://securityaffairs.com/109224/data-breach/food-delivery-service-chowbus-hack.html", "https://securityaffairs.com/112637/cyber-crime/the-hospital-group-revil.html", "https://securityaffairs.com/139472/data-breach/commonspirit-data-breach-623k-patients.html", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "Multiple other undocumented malware" ], "public": 1, "adversary": "Hoc Working", "targeted_countries": [], "malware_families": [ { "id": "!#AddsCopyToStartup", "display_name": "!#AddsCopyToStartup", "target": null }, { "id": "!#LowFiWriteMZInUnusualExtension", "display_name": "!#LowFiWriteMZInUnusualExtension", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "\"prepending (enc) ransomware\" (Not an official name)", "display_name": "\"prepending (enc) ransomware\" (Not an official name)", "target": null }, { "id": ".A , ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": ".A , ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn", "target": null }, { "id": "CVE-2025-42957", "display_name": "CVE-2025-42957", "target": null }, { "id": "CVE-2023-27997", "display_name": "CVE-2023-27997", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government", "Manufacturing", "Critical Infrastructure" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 187, "FileHash-SHA1": 152, "FileHash-SHA256": 1140, "URL": 1258, "domain": 237, "email": 1, "hostname": 470, "SSLCertFingerprint": 17, "CVE": 3 }, "indicator_count": 3465, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "194 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68abf66e97031d0ff0c04fed", "name": "Packed sentient.industries links to a targets business website", "description": "Very malicious link found in a targets business.\nPacked. Needs to be categorized.\n(FoundryPalantir rich?) Tracking, hacking, and serious espionage.\nAvailable public Information: \nSENTIENT INDUSTRIES\nsentient.industries\nSentient industries provides design and engineering services, from prototyping to small-batch manufacturing, empowering clients to overcome complex challenges. |\nMore about sentient\nMission sentient accelerates mission critical technology for\u2026\nSENTIENT INDUSTRIES\nAccelerating mission-critical tech for disaster response, defense ...\nContact Now\nAustin, tx 78758. United States. EMAIL us. info@sentient \n\nWorse than it looks. Spying on a several threat researchers.", "modified": "2025-09-24T04:04:05.604000", "created": "2025-08-25T05:36:46.327000", "tags": [ "moved", "body", "x cache", "cloudfront x", "cph50 c2", "certificate", "record value", "title", "h1 center", "server", "redacted for", "servers", "name redacted", "for privacy", "name servers", "org data", "privacy city", "privacy country", "ca creation", "passive dns", "urls", "files", "ip address", "asn as57033", "less whois", "registrar", "tucows domains", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl ecc", "domain secure", "site ca", "validity", "subject public", "extraction", "data upload", "extra data", "include review", "find", "failed", "typ no", "ms windows", "intel", "pe32", "united", "search", "as16509", "from win32bios", "show", "high", "medium", "delphi", "copy", "write", "launcher", "next", "present aug", "present jul", "lowfi", "win32", "a div", "div div", "learn xml", "babylon", "win64", "trojan", "colors", "python", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "et info", "tls handshake", "bad traffic", "failure", "date", "august", "hybrid", "general", "path", "starfield", "click", "strings", "se bethseda", "n bethseda", "n data", "error", "date checked", "url hostname", "server response", "google safe", "results aug", "read c", "tlsv1", "port", "destination", "module load", "execution", "dock", "persistence", "malware", "unknown", "cname", "aaaa", "creation date", "showing", "domain", "dga domains", "palantirfoundry", "foundry", "status", "unknown ns", "g2 tls", "rsa sha256", "italy unknown", "mtb may", "trojandropper", "invalid url", "next associated", "ddos", "body html", "hacktool", "ipv4", "url analysis", "ukraine", "encrypt", "rl add", "http", "hostname", "files domain", "files related", "related tags", "present jun", "entries", "title error", "all ipv4", "reverse dns", "yara detections", "top source", "top destination", "source source", "sha256 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "canada unknown", "content type", "javascript src", "script script", "x powered", "ipv4 add", "pulse submit", "submit url", "analysis", "url add", "related nids", "files location", "canada flag", "canada hostname", "unknown aaaa", "ascii text", "user agent", "powershell", "agent", "czechia unknown", "domain add", "dynamicloader", "hostname add", "pentagon", "defense" ], "references": [ "sentient.industries affects independent artists. Affects several others.", "Bethseda Map - Yara Detections Delphi , InnoSetupInstaller", "Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions", "Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook", "Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files", "Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware", "Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers", "prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022", "talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com", "Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty", "Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html", "http://link.monetizer101.com/widget/custom-2.0.2/templates/1", "https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget", "widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/", "http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022", "https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js", "https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js", "https://link.monetizer101.com/widget/code/dailystaruk.js", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)", "Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical", "(Can't access file- Malware infection files)", "Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront", "constellation.pcfrpegaservice.net (Pegasus related? idk)", "On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service", "TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]", "I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post", "Remotewd.com devices", "If you find anything interesting please research it." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "nUFS_inno", "display_name": "nUFS_inno", "target": null }, { "id": "#Lowfi:HSTR:MSIL/Malicious", "display_name": "#Lowfi:HSTR:MSIL/Malicious", "target": null }, { "id": "ALF:JASYP:PUA:Win32/Bibado", "display_name": "ALF:JASYP:PUA:Win32/Bibado", "target": null }, { "id": "Trojan:Win32/Toga", "display_name": "Trojan:Win32/Toga", "target": "/malware/Trojan:Win32/Toga" }, { "id": "Win32:Downloader-GJK\\ [Trj]", "display_name": "Win32:Downloader-GJK\\ [Trj]", "target": null }, { "id": "Win.Downloader.109205-1", "display_name": "Win.Downloader.109205-1", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:Downloader-GJK\\ [Trj]", "display_name": "Win32:Downloader-GJK\\ [Trj]", "target": null }, { "id": "Win.Downloader.109205-1", "display_name": "Win.Downloader.109205-1", "target": null }, { "id": "Win.Trojan.Jorik-149", "display_name": "Win.Trojan.Jorik-149", "target": null }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.Jorik-130", "display_name": "Win.Trojan.Jorik-130", "target": null }, { "id": "Win.Trojan.Fakecodecs-119", "display_name": "Win.Trojan.Fakecodecs-119", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Trojan.Bulz-9860169-0", "display_name": "Win.Trojan.Bulz-9860169-0", "target": null }, { "id": "Win.Malware.Midie-6847892-0", "display_name": "Win.Malware.Midie-6847892-0", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win.Packed.Razy-9785185-0", "display_name": "Win.Packed.Razy-9785185-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "PWS", "display_name": "PWS", "target": null }, { "id": "DDOS:Win32/Stormser.A", "display_name": "DDOS:Win32/Stormser.A", "target": "/malware/DDOS:Win32/Stormser.A" }, { "id": "ALF:HSTR:DotNET", "display_name": "ALF:HSTR:DotNET", "target": null }, { "id": "DotNET", "display_name": "DotNET", "target": null }, { "id": "Script Exploit", "display_name": "Script Exploit", "target": null }, { "id": "HackTool:Win32/AutoKMS", "display_name": "HackTool:Win32/AutoKMS", "target": "/malware/HackTool:Win32/AutoKMS" }, { "id": "Xanfpezes.A", "display_name": "Xanfpezes.A", "target": null }, { "id": "Trojan:Win32/Gandcrab", "display_name": "Trojan:Win32/Gandcrab", "target": "/malware/Trojan:Win32/Gandcrab" }, { "id": "Win.Trojan.Generic-9862772-0", "display_name": "Win.Trojan.Generic-9862772-0", "target": null }, { "id": "Trojan:Win32/Zbot.SIBL!MTB", "display_name": "Trojan:Win32/Zbot.SIBL!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBL!MTB" }, { "id": "Win32/Nemucod", "display_name": "Win32/Nemucod", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn", "target": null }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "Win.Malware.Kolab-9885903-0", "display_name": "Win.Malware.Kolab-9885903-0", "target": null }, { "id": "Win.Malware (30)", "display_name": "Win.Malware (30)", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "#Lowfi:HSTR:MSIL/Malicious.Decryption", "display_name": "#Lowfi:HSTR:MSIL/Malicious.Decryption", "target": null }, { "id": "E5", "display_name": "E5", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6232, "URL": 24908, "hostname": 7993, "FileHash-SHA256": 11128, "email": 6, "FileHash-MD5": 1054, "FileHash-SHA1": 932, "SSLCertFingerprint": 14, "CIDR": 3, "CVE": 3 }, "indicator_count": 52273, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "207 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68930449988277cd29c25cb7", "name": "https://firebase.google.com/ - Ransom \u2022 Wiper\u2022 Trojan dropper", "description": "", "modified": "2025-09-05T07:00:00.711000", "created": "2025-08-06T07:29:13.136000", "tags": [ "url https", "iocs", "learn more", "ipv4", "domain", "hostname", "types of", "sweden", "united", "belgium", "indicator role", "title added", "active related", "pulses hostname", "showing", "document file", "v2 document", "search", "medium", "ms windows", "vista event", "port", "msie", "windows nt", "wow64", "dirty", "write", "powershell", "copy", "next", "defender", "dynamicloader", "high", "fwlink", "windows", "cmd c", "alerts", "bios", "related pulses", "pulses", "related tags", "file type", "ascii text", "sha256", "external", "virustotal api", "screenshots", "june", "flag", "usa windows", "input threat", "level analysis", "summary", "gbrflag", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "ssl certificate", "defense evasion", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "mitre att", "date", "path", "format", "august", "hybrid", "local", "form", "click", "strings", "ubar", "truetype", "web open", "font format", "description web", "general", "iframe", "slcc2", "media center", "destination", "tlsv1", "unknown", "execution", "dock", "persistence", "malware", "encrypt", "ck techniques", "read c", "show", "entries", "delete", "data upload", "extraction", "onlv", "find", "type", "no matching", "indicator", "mtb may", "trojandropper", "passive dns", "next associated", "lowfi", "gmt cache", "sameorigin", "ipv4 add", "trojan", "mtb apr", "files show", "date hash", "avast avg", "shellterlod may", "win32qqpass apr", "trojanspy", "ransom", "wiper", "date checked", "url hostname", "server response", "ip address", "google safe", "results aug", "urls show", "hookwowlow may" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": "6893032410060f658d862c60", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4593, "hostname": 1754, "domain": 399, "FileHash-SHA256": 2128, "FileHash-MD5": 426, "FileHash-SHA1": 299, "SSLCertFingerprint": 17 }, "indicator_count": 9616, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6893032410060f658d862c60", "name": "Hosting App - Partial research | Emotet Worm", "description": "#firebase #google #dark_web_hosting #ransom #tracking #locate #monitored_targets #worm #emotet #malware #remoted_devices #trojan #reputation\n\n\u2022 Targets likely unaware.\n\n[m.pornsexer.xxx.3.1.adiosfil.roksit.net - reputation tool]", "modified": "2025-09-05T07:00:00.711000", "created": "2025-08-06T07:24:20.645000", "tags": [ "url https", "iocs", "learn more", "ipv4", "domain", "hostname", "types of", "sweden", "united", "belgium", "indicator role", "title added", "active related", "pulses hostname", "showing", "document file", "v2 document", "search", "medium", "ms windows", "vista event", "port", "msie", "windows nt", "wow64", "dirty", "write", "powershell", "copy", "next", "defender", "dynamicloader", "high", "fwlink", "windows", "cmd c", "alerts", "bios", "related pulses", "pulses", "related tags", "file type", "ascii text", "sha256", "external", "virustotal api", "screenshots", "june", "flag", "usa windows", "input threat", "level analysis", "summary", "gbrflag", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "ssl certificate", "defense evasion", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "mitre att", "date", "path", "format", "august", "hybrid", "local", "form", "click", "strings", "ubar", "truetype", "web open", "font format", "description web", "general", "iframe", "slcc2", "media center", "destination", "tlsv1", "unknown", "execution", "dock", "persistence", "malware", "encrypt", "ck techniques", "read c", "show", "entries", "delete", "data upload", "extraction", "onlv", "find", "type", "no matching", "indicator", "mtb may", "trojandropper", "passive dns", "next associated", "lowfi", "gmt cache", "sameorigin", "ipv4 add", "trojan", "mtb apr", "files show", "date hash", "avast avg", "shellterlod may", "win32qqpass apr", "trojanspy", "ransom", "wiper", "date checked", "url hostname", "server response", "ip address", "google safe", "results aug", "urls show", "hookwowlow may" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4593, "hostname": 1754, "domain": 399, "FileHash-SHA256": 2128, "FileHash-MD5": 426, "FileHash-SHA1": 299, "SSLCertFingerprint": 17 }, "indicator_count": 9616, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688f1ce317fc8b3f9d5d5f33", "name": "Unknown - Established hacker group. Affects banking, financial and much more.", "description": "Crowdsourced. Identifies as a Dark Web gang stalking entity. Research suggests that this is a very organized, possibly quasi governmental entity with shadowy state figures that social engineer targets. Even though they have been considered scammers and they are grifters, they are very established, dangerous and a very large force with claims of military alignments which has not yet been fully confirmed.\n\nThis group is anything you want them to be, attorney, accountant, technician, nurse, uber driver.", "modified": "2025-09-02T08:02:34.108000", "created": "2025-08-03T08:25:07.135000", "tags": [ "united", "search", "entries", "unknown ns", "ip address", "creation date", "record value", "date", "showing", "moved", "body", "encrypt", "lowfi", "trojanspy", "checkin", "passive dns", "trojan", "next associated", "cryp", "win32", "phishing", "virtool", "hstr", "backdoor", "ipv4", "pulse pulses", "associated urls", "show", "date checked", "url hostname", "server response", "google safe", "results feb", "header http2", "accept encoding", "gmt related", "domains show", "domain related", "response ip", "address google", "safe browsing", "entries http", "scans show", "title", "link", "present mar", "meta", "starfield", "dynamicloader", "qaeaav12", "medium", "high", "malware", "windows wget", "qbeipbdii", "write", "suspicious", "copy", "yara rule", "gravityrat", "detectvm", "x00 x00", "x00x00", "doviacmd", "rootjob", "getfiles", "updateserver", "ethernetid", "unknown", "yara detections", "filehash", "sha256 add", "av detections", "ids detections", "alerts", "analysis date", "file score", "oinetsim", "oudevelopment", "write c", "demo", "mtb sep", "trojandropper", "cookie", "path max", "age86400 set", "win32qqpass sep", "results aug", "script urls", "script domains", "a domains", "cache control", "cache status", "fury", "zenedge", "present jun", "present dec", "present jan", "present nov", "for privacy", "present may", "name servers", "no expiration", "filehashmd5", "filehashsha256", "filehashsha1", "iocs", "extract", "enter source", "url or", "text drag", "drop or", "domain", "expiration", "url http", "hostname", "email abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 459, "FileHash-MD5": 553, "FileHash-SHA256": 1042, "URL": 1426, "hostname": 476, "domain": 521, "email": 3, "SSLCertFingerprint": 1 }, "indicator_count": 4481, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "685f4b4fffb18ed52ca9cccb", "name": "Hilix.sh4", "description": "https://www.virustotal.com/gui/file/412a334f231d4a484fd8af0c4f69989d1bb3a751fb16b6e21acab6cdefebff1b/relations\nhttps://www.virustotal.com/gui/file/25dfc07c76e69c0d0e0cc2bcbf52094ad08720c4f16e3e642bd9efe557cc0ec7?nocache=1\nhttps://sandbox.ti.qianxin.com/sandbox/page/url-detail?type=url&id=AZeztp33h6wn_HCyF9EM&url=http%3A%2F%2F202.45.147.116%3A8000%2Fniewolnik", "modified": "2025-09-01T08:39:17.292000", "created": "2025-06-28T01:54:23.331000", "tags": [ "win32", "kryptiklea jan", "kryptikkre jan", "susp", "trojan", "cryp", "virtool", "heim trojan", "kryptikofm", "heim sep", "heim aug", "avatar", "heim jan", "kryptikouh", "ko jun", "heim may", "kryptikkuf", "mpress21x mar", "hstr", "goblinek", "c jan", "kryptikowc", "c oct", "c sep", "ko may", "realtek sdk", "miniigd upnp", "exploit", "activity", "soap command", "upnproxy", "http", "outbound", "ip address", "soap rce" ], "references": [ "http://37.49.224.213/bins/Hilix.sh4" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 644, "FileHash-SHA1": 643, "FileHash-SHA256": 851, "URL": 200, "CVE": 2, "domain": 32, "hostname": 94 }, "indicator_count": 2466, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68749644f6a3c092b6ec1b9c", "name": "Hilix.sh4 {Arek-BTC}", "description": "", "modified": "2025-07-28T01:02:27.051000", "created": "2025-07-14T05:31:48.057000", "tags": [ "win32", "kryptiklea jan", "kryptikkre jan", "susp", "trojan", "cryp", "virtool", "heim trojan", "kryptikofm", "heim sep", "heim aug", "avatar", "heim jan", "kryptikouh", "ko jun", "heim may", "kryptikkuf", "mpress21x mar", "hstr", "goblinek", "c jan", "kryptikowc", "c oct", "c sep", "ko may", "realtek sdk", "miniigd upnp", "exploit", "activity", "soap command", "upnproxy", "http", "outbound", "ip address", "soap rce" ], "references": [ "http://37.49.224.213/bins/Hilix.sh4" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "685f4b4fffb18ed52ca9cccb", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 644, "FileHash-SHA1": 643, "FileHash-SHA256": 851, "URL": 200, "CVE": 1, "domain": 32, "hostname": 94 }, "indicator_count": 2465, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "265 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "669f882c5109175fe742fe58", "name": "(I Cloned Title & Pulse) WHO EVERYONE HAS BEEN LOOKING FOR [Pulse of IoC's Curated by user Streaming Ex]", "description": "", "modified": "2024-07-23T10:38:36.002000", "created": "2024-07-23T10:38:36.002000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65709e14974bdb5d6dbda091", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2066, "URL": 1939, "hostname": 2768, "FileHash-SHA256": 276, "email": 90, "CVE": 47, "CIDR": 1, "FileHash-MD5": 16, "FileHash-SHA1": 4 }, "indicator_count": 7207, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "634 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6663311a8c529069bb34a06f", "name": "Injection | Win.Worm.Mydoom | Ransomware | Android Device attack", "description": "Android device, remotely modified, hidden users, 'zombie' device, targeting, framing, unknown admin.", "modified": "2024-07-07T15:00:25.739000", "created": "2024-06-07T16:11:06.485000", "tags": [ "november", "threat roundup", "axelo", "atkafij0", "referrer", "historical ssl", "dynamicloader", "write c", "yara rule", "delete c", "ms windows", "medium", "yara detections", "show", "search", "united", "write", "copy", "create c", "read c", "flashpix", "high", "template", "persistence", "execution", "next", "unknown", "shared address", "html info", "title rfc", "ipv4 prefix", "space meta", "tags", "prefix", "space", "script tags", "anchor hrefs", "sha256", "vhash", "ssdeep", "html internet", "magic html", "ascii text", "magika html", "file size", "internet", "iana", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "iana special", "detections type", "name", "win32 exe", "runresdll", "android", "trojan", "files", "installer", "10357", "javascript", "malibot", "pe32", "intel", "linux x8664", "khtml", "win32", "process32nextw", "discovery", "discovery t1057", "t1057", "t1045", "memcommit", "regopenkeyexw", "regsetvalueexa", "writeconsolea", "minute tr", "highest f", "regdword", "del f", "start", "memreserve", "dock" ], "references": [ "http://tools.ietf.org/html/rfc6598 | Found in android device| Block: 100:116.200.0/? [Special Use /Non - IANA]", "AV Detection: Win.Downloader.68062-1 | Yara Detections: MS_Visual_Basic_6_0 , Cabinet_Archive", "High Priority Alerts: dead_host network_icmp dumped_buffer2 nolookup_communication modifies_certificates", "Alerts: dumped_buffer network_http allocates_rwx antisandbox_sleep antivm_disk_size exe_appdata antivm_network_adapters privilege_luid_check", "Alerts: antivm_queries_computername checks_debugger recon_fingerprint antivm_memory_available", "Image: https://otx.alienvault.com/otxapi/indicators/file/screenshot/a674df2469cb894b79343bdedfb2068c124746003678826f9281f69887200811", "https://otx.alienvault.com/indicator/file/a674df2469cb894b79343bdedfb2068c124746003678826f9281f69887200811 [Win.Downloader.68062-1]", "https://otx.alienvault.com/indicator/file/0000374bffccbcd54ea9a1c51514b671a8caf732ef3bef2cc8cccd4bf01665cf [Win.Worm.Mydoom-5]", "Yara Detections: Nrv2x , upx_3 , UPX_OEP_place , UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPX", "High Priority Alerts: procmem_yara network_bind persistence_autorun", "Alerts: dynamic_function_loading powershell_download reads_self suspicious_tld dead_connect", "buildbot.tools.ietf.org [Win32:Malware-gen]", "Yara Detections: MS_Visual_Cpp_2008 | High Priority Alerts: dead_host network_icmp", "Priority Alerts: dumped_buffer network_http suspicious_tld allocates_rwx creates_exe exe_appdata antivm_network_adapters pe_features", "Yara: Detections Skype User-Agent detected, LZMA" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Downloader.68062-1", "display_name": "Win.Downloader.68062-1", "target": null }, { "id": "Win.Worm.Mydoom-5", "display_name": "Win.Worm.Mydoom-5", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Backdoor:Win32/Hera.A!bit", "display_name": "Backdoor:Win32/Hera.A!bit", "target": "/malware/Backdoor:Win32/Hera.A!bit" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 318, "FileHash-SHA256": 1929, "URL": 1885, "hostname": 1600, "domain": 1380, "email": 7, "SSLCertFingerprint": 40 }, "indicator_count": 7509, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "650 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f6f2cd37f508d362c2db", "name": "PegaSystems | Apple iOS iPad | Malicious | Tracking", "description": "", "modified": "2024-07-01T00:23:14.084000", "created": "2024-07-01T00:23:14.084000", "tags": [ "united", "passive dns", "as14449", "moved", "urls", "authority", "body", "object", "certificate", "scan endpoints", "unknown", "date", "as11377", "as16552 tiggee", "as174 cogent", "ireland unknown", "cname", "as11404 wave", "all scoreblue", "pulse pulses", "entries", "ipv4", "pulse submit", "url analysis", "dynamicloader", "port", "destination", "high", "medium", "windows", "cmd c", "default", "document file", "v2 document", "write", "copy", "name verdict", "falcon sandbox", "sha1", "sha256", "misc attack", "mitre att", "et tor", "known tor", "relayrouter", "exit", "node traffic", "ascii text", "hybrid", "starfield", "click", "strings", "core", "contact", "as396982 google", "historical ssl", "referrer", "co20230203", "malware", "discord", "credential", "lunar client", "trendmicro av", "neural netw", "upscayl", "steam game", "server", "domain status", "registrar abuse", "google", "community", "record type", "ttl value", "data", "v3 serial", "number" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": "664fceb9e0acfc0baee851c2", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 75, "URL": 3584, "domain": 836, "hostname": 1749, "FileHash-SHA256": 726, "FileHash-MD5": 88, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 7068, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "657 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "664fceb9e0acfc0baee851c2", "name": "PegaSystems | Apple iOS iPad | Malicious | Tracking", "description": "Tags, findings of this report is auto generated by Level Blue OTX.AlienVault.\nPer my research: \nMalicious Score: 10/10\nAlerts: Alerts\nransomware_file_modifications, script_created_process, stealth_network, infostealer_cookies, suspicious_command_tools,\ndynamic_function_loading, reads_self,\nstealth_window, cmdline_http_link, uses_windows_utilities, antidebug_setunhandledexceptionfilter, cmdline_terminate, stealth_timeout,\n\nAffected Device: Apples iOS Ipad, Update 17.5.1\npegasystems.voicestorm.com -Cisco Umbrella {permanently moved as of 5.23.2024} found in Apple link - http://apps.apple.com/app/, nsis, downloaders,injection, data local, remotewd devices, tracking,", "modified": "2024-06-22T23:05:37.577000", "created": "2024-05-23T23:18:17.563000", "tags": [ "united", "passive dns", "as14449", "moved", "urls", "authority", "body", "object", "certificate", "scan endpoints", "unknown", "date", "as11377", "as16552 tiggee", "as174 cogent", "ireland unknown", "cname", "as11404 wave", "all scoreblue", "pulse pulses", "entries", "ipv4", "pulse submit", "url analysis", "dynamicloader", "port", "destination", "high", "medium", "windows", "cmd c", "default", "document file", "v2 document", "write", "copy", "name verdict", "falcon sandbox", "sha1", "sha256", "misc attack", "mitre att", "et tor", "known tor", "relayrouter", "exit", "node traffic", "ascii text", "hybrid", "starfield", "click", "strings", "core", "contact", "as396982 google", "historical ssl", "referrer", "co20230203", "malware", "discord", "credential", "lunar client", "trendmicro av", "neural netw", "upscayl", "steam game", "server", "domain status", "registrar abuse", "google", "community", "record type", "ttl value", "data", "v3 serial", "number" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 75, "URL": 3584, "domain": 836, "hostname": 1749, "FileHash-SHA256": 726, "FileHash-MD5": 88, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 7068, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "665 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a161f0681f4ff3d67feb", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-12-06T16:29:21.844000", "created": "2023-12-06T16:29:21.844000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a145926a5676de0e2a1a", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-12-06T16:28:53.979000", "created": "2023-12-06T16:28:53.979000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709e245df26a29e78d740a", "name": "WHO IS MOBI GAMES AKA NIC", "description": "", "modified": "2023-12-06T16:15:32.595000", "created": "2023-12-06T16:15:32.595000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2428, "FileHash-MD5": 19, "URL": 2378, "hostname": 3144, "FileHash-SHA256": 307, "email": 87, "CVE": 47, "CIDR": 1, "FileHash-SHA1": 6 }, "indicator_count": 8417, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709e1db42d958b88f07ca8", "name": "WHO IS MOBI GAMES AKA NIC", "description": "", "modified": "2023-12-06T16:15:25.303000", "created": "2023-12-06T16:15:25.303000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2428, "FileHash-MD5": 19, "URL": 2378, "hostname": 3141, "FileHash-SHA256": 307, "email": 87, "CVE": 47, "CIDR": 1, "FileHash-SHA1": 6 }, "indicator_count": 8414, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709e14974bdb5d6dbda091", "name": "WHO EVERYONE HAS BEEN LOOKING FOR", "description": "", "modified": "2023-12-06T16:15:16.406000", "created": "2023-12-06T16:15:16.406000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2066, "URL": 1939, "hostname": 2768, "FileHash-SHA256": 276, "email": 90, "CVE": 47, "CIDR": 1, "FileHash-MD5": 16, "FileHash-SHA1": 4 }, "indicator_count": 7207, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709ca13f7a17df14af4912", "name": "WHO IS NIC", "description": "", "modified": "2023-12-06T16:09:05.625000", "created": "2023-12-06T16:09:05.625000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2485, "FileHash-MD5": 39, "URL": 2407, "hostname": 3208, "FileHash-SHA256": 328, "email": 91, "CVE": 45, "CIDR": 1, "FileHash-SHA1": 26 }, "indicator_count": 8630, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707b9630308cb99a817277", "name": "Pool's Closed", "description": "", "modified": "2023-12-06T13:48:06.514000", "created": "2023-12-06T13:48:06.514000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64944a718c48be8bb9d2c315", "name": "WHO IS NIC", "description": "", "modified": "2023-11-14T06:01:29.027000", "created": "2023-06-22T13:19:45.357000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5199, "domain": 4162, "hostname": 5260, "email": 105, "FileHash-SHA256": 761, "FileHash-MD5": 40, "CVE": 97, "FileHash-SHA1": 28, "CIDR": 1 }, "indicator_count": 15653, "is_author": false, "is_subscribing": null, "subscriber_count": 96, "modified_text": "887 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c0e9db04ed02765f336f16", "name": "Who is Joel lesperance", "description": "", "modified": "2023-09-23T01:05:28.173000", "created": "2023-07-26T09:39:39.925000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64944a718c48be8bb9d2c315", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3852, "domain": 2401, "hostname": 3458, "email": 127, "FileHash-SHA256": 637, "FileHash-MD5": 16, "CVE": 108, "FileHash-SHA1": 6 }, "indicator_count": 10605, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f37719db054ccde25aa9df", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-09-02T17:55:37.269000", "created": "2023-09-02T17:55:37.269000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7851, "URL": 23098, "hostname": 9521, "domain": 4595, "SSLCertFingerprint": 22, "FileHash-MD5": 564, "FileHash-SHA1": 432, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 46120, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "959 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f3771616d9a9891947e4df", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-09-02T17:55:34.095000", "created": "2023-09-02T17:55:34.095000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7851, "URL": 23098, "hostname": 9521, "domain": 4595, "SSLCertFingerprint": 22, "FileHash-MD5": 564, "FileHash-SHA1": 432, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 46120, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "959 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c8267397a7cce9adeecaa0", "name": "SAV.COM WHO IS SOURCEADULT.COM", "description": "", "modified": "2023-08-31T20:05:29.053000", "created": "2023-07-31T21:24:03.974000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64c0e9db04ed02765f336f16", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3868, "domain": 2452, "hostname": 3586, "email": 134, "FileHash-SHA256": 668, "FileHash-MD5": 17, "CVE": 109, "FileHash-SHA1": 7 }, "indicator_count": 10841, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "961 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c826748caebf09e24fbd12", "name": "SAV.COM WHO IS SOURCEADULT.COM", "description": "", "modified": "2023-08-31T19:04:41.183000", "created": "2023-07-31T21:24:04.985000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64c0e9db04ed02765f336f16", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3904, "domain": 2435, "hostname": 3625, "email": 131, "FileHash-SHA256": 637, "FileHash-MD5": 16, "CVE": 109, "FileHash-SHA1": 6 }, "indicator_count": 10863, "is_author": false, "is_subscribing": null, "subscriber_count": 83, "modified_text": "961 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c3210e7bb5f0a9972175ba", "name": "WHO EVERYONE HAS BEEN LOOKING FOR", "description": "", "modified": "2023-08-31T00:02:54.189000", "created": "2023-07-28T01:59:42.114000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64944a718c48be8bb9d2c315", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4204, "domain": 3263, "hostname": 4282, "email": 103, "FileHash-SHA256": 638, "FileHash-MD5": 17, "CVE": 97, "FileHash-SHA1": 6, "CIDR": 1 }, "indicator_count": 12611, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "962 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c446dacd742b956b571f9a", "name": "WHO IS MOBI GAMES AKA NIC", "description": "", "modified": "2023-08-30T00:00:55.061000", "created": "2023-07-28T22:53:14.751000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64944a718c48be8bb9d2c315", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5170, "domain": 4104, "hostname": 5186, "email": 100, "FileHash-SHA256": 740, "FileHash-MD5": 20, "CVE": 98, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 15427, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "963 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c446d9fa11016096a06f61", "name": "WHO IS MOBI GAMES AKA NIC", "description": "", "modified": "2023-08-30T00:00:55.061000", "created": "2023-07-28T22:53:13.536000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64944a718c48be8bb9d2c315", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5170, "domain": 4105, "hostname": 5183, "email": 100, "FileHash-SHA256": 740, "FileHash-MD5": 20, "CVE": 97, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 15424, "is_author": false, "is_subscribing": null, "subscriber_count": 83, "modified_text": "963 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://securityaffairs.com/112637/cyber-crime/the-hospital-group-revil.html", "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "t-iot.de \u2022 dockerregistry.xlab.t-iot.de\t \u2022 netbox.nic.xlab.t-iot.de", "IDS Detection: Observed Cloudflare DNS over HTTPS \u2022 Domain (cloudflare-dns .com in TLS SNI)", "Alerts: dynamic_function_loading resumethread_remote_process stealth_hiddenreg", "https://webclientshellserver-prod-trafficmanager-net.s-0005.dual-s-msedge.net", "Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p", "Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware", "https://www.redpacketsecurity.com/cve-alert-cve-2025-59230-microsoft-windows-10-version-1809/", "https://www.redpacketsecurity.com/cve_alert_cve-2025-45492/", "widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://www.matchsticksandgasoline.com/2018/11/2/18051280/the-morning-after-colorado-if-you-want-to-be-a-goalie-skip-these-highlights-mark-giordano", "Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files", "https://www.redpacketsecurity.com/cve_alert_cve-2025-4135/", "search.roi.ros.gov.uk", "families.google/intl/pt-PT_ALL/familylink \u2022 cameyo.google \u2022 googlecampaigns.com \u2022. chrome.com.bh", "codewiki.google", "constellation.pcfrpegaservice.net (Pegasus related? idk)", "Yara: Detections Skype User-Agent detected, LZMA", "https://otx.alienvault.com/indicator/file/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "https://www.redpacketsecurity.com/cve_alert_cve-2025-4142/", "(Can't access file- Malware infection files)", "Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions", "IP\u2019s Contacted: 208.91.196.46 209.197.3.8 216.239.32.29 35.186.238.101", "https://link.monetizer101.com/widget/code/dailystaruk.js", "Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical", "I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post", "Image: https://otx.alienvault.com/otxapi/indicators/file/screenshot/a674df2469cb894b79343bdedfb2068c124746003678826f9281f69887200811", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)", "/181480/cyber-crime/iot-under-siege-the-return-of-the-mirai-based-gayfemboy-botnet.html", "IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.", "Yara Detections: MS_Visual_Cpp_2008 | High Priority Alerts: dead_host network_icmp", "https://www.redpacketsecurity.com/cve_alert_cve-2025-4140/", "Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN", "AV Detection: Win.Downloader.68062-1 | Yara Detections: MS_Visual_Basic_6_0 , Cabinet_Archive", "Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName", "https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget", "Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront", "https://otx.alienvault.com/indicator/file/0000374bffccbcd54ea9a1c51514b671a8caf732ef3bef2cc8cccd4bf01665cf [Win.Worm.Mydoom-5]", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "Win.Malware.Unruy-6912804-0 IDS Detections: Win32/Unruy.C Activity 403 Forbidden", "PE Version Information : TJprojMain.exe", "High Priority Alerts: procmem_yara network_bind persistence_autorun", "Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html", "Alerts: antiav_detectreg antivm_bochs_keys antivm_generic_disk infostealer_mail injection_write", "If you find anything interesting please research it.", "TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "IDS Detections Win32/Unruy.C Activity \u2022 403 Forbidden", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Phishing: https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav/", "High Priority Alerts: dead_host network_icmp dumped_buffer2 nolookup_communication modifies_certificates", "https://securityaffairs.com/", "Pool's Closed", "Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty", "Remotewd.com devices", "Priority Alerts: dumped_buffer network_http suspicious_tld allocates_rwx creates_exe exe_appdata antivm_network_adapters pe_features", "Alerts: persistence_autorun_tasks polymorphic procmem_yara static_pe_anomaly antiav_detectfile", "Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)", "SERVICE NAME: SSDPSRV \u2022 Delete upnphost\tDelete \u2022 GoogleChromeElevationService", "https://www.redpacketsecurity.com/cve_alert_cve-2024-12847/", "Alerts: injection_process_search protection_rx", "Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN", "Alerts: dumped_buffer network_http allocates_rwx antisandbox_sleep antivm_disk_size exe_appdata antivm_network_adapters privilege_luid_check", "On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service", "Denver, US 80211 http://library.verizon.onereach.ai", "Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook", "accounts.google.com \u2022 apis.google.com clients2.google.com \u2022 clients2.googleusercontent.com", "https://securityaffairs.com/139472/data-breach/commonspirit-data-breach-623k-patients.html", "https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js", "update.googleapis.com \u2022 www.google.com \u2022 clientservices.googleapis.com", "itunes.apple.com \u2022 api.amazon.com", "Alerts: network_http antisandbox_sleep creates_exe dropper stealth_window", "Alerts: suspicious_command_tools anomalous_deletefile mouse_movement_detect", "https://unicef.se/assets/apple", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022", "Pool Closed", "http://tools.ietf.org/html/rfc6598 | Found in android device| Block: 100:116.200.0/? [Special Use /Non - IANA]", "http://link.monetizer101.com/widget/custom-2.0.2/templates/1", "http://37.49.224.213/bins/Hilix.sh4", "Alerts: suspicious_iocontrol_codes infostealer_cookies persistence_autorun antisandbox_sleep", "https://securityaffairs.com/109224/data-breach/food-delivery-service-chowbus-hack.html", "ogads-pa.clients6.google.com \u2022 optimizationguide-pa.googleapis.com \u2022 play.google.com", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht", "Domains Contacted: d38psrni17bvxu.cloudfront.net www2.megawebfind.com www6.megawebfind.com", "sentient.industries affects independent artists. Affects several others.", "Worm:Win32/Mofksys.RND!MTB | Yara Detections: SUSP_Imphash_Mar23_2", "Domains Contacted: ocsp.pki.goog www.download.windowsupdate.com ifdnzact.com", "https://securityaffairs.com/115693/apt/chinese-hackers-5g.html", "Found in : https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b", "Yara Detections: Nrv2x , upx_3 , UPX_OEP_place , UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPX", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "https://securityaffairs.com/107190/data-breach/sodinokibi-ransomware-brown-forman.html", "Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com", "https://www.redpacketsecurity.com/firefox-0day-cve-2015-4495/", "http://s.vebnox.com \u2022 vebnox.com \u2022 http://stulancer.vebnox.com \u2022 vebnox.com \u2022 http://vedonate.vebnox.com \u2022 vebnox.com \u2022 https://home.vebnox.com vebnox.com \u2022 https://vedonate.vebnox.com", "pegasuspartners.followupboss.com", "IP\u2019s Contacted: 142.250.74.68 142.250.74.99 18.66.121.69 185.53.179.170 2.22.41.134 204.79.197.200", "www.n-helix.com - Foundry remnant", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022", "https://securityaffairs.com/106770/deep-web/ubereats-data-leaked-dark-web.html", "https://otx.alienvault.com/indicator/file/a674df2469cb894b79343bdedfb2068c124746003678826f9281f69887200811 [Win.Downloader.68062-1]", "142.251.9.95 \u2022 https://clients2.google.com/cr/report \u2022 accounts.google.com \u2022", "Fastly Error and Palantir blocked several times over the last few months.", "Alerts: network_icmp persistence_autorun antivm_vmware_in_instruction", "https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "Alerts: dynamic_function_loading powershell_download reads_self suspicious_tld dead_connect", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Bethseda Map - Yara Detections Delphi , InnoSetupInstaller", "buildbot.tools.ietf.org [Win32:Malware-gen]", "Contacted Google services", "Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage", "Multiple other undocumented malware", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com www.google.com", "Alerts: antivm_queries_computername checks_debugger recon_fingerprint antivm_memory_available" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Coinbase Cartel", "Hoc Working" ], "malware_families": [ "Win.trojan.jorik-149", "Cve-2025-42957", "Pws", "Win.trojan.fakecodecs-119", "Win.trojan.vundo-7170412-0", "Win.malware.urelas-9863836-0", "Alf:heraklezeval:trojan:msil/gravityrat!rfn", "Darkmoon", "Win.malware (30)", "Win.packed.eyestye-9754938-0", "Cve-2015-4495", "Cve-2025-4135", "Trojandropper:win32/muldrop", "Exploit:linux/cve-2017-17215", "Trojan:win32/neconyd.a", "Win32/nemucod", "Polyransom", "Win.downloader.109205-1", "Malware", "Nufs_inno", "Dotnet", "Alf:heraklezeval:trojandownloader:html/adodb!rfn", "Cve-2025-11727", "Win32:trojan-gen", "Cve-2024-12847", "Worm:win32/mofksys.rnd!mtb", "Unruy", "Win.worm.mydoom-5", "Trojan:win32/zbot.sibl!mtb", "Backdoor:win32/hera.a!bit", "Alf:jasyp:pua:win32/bibado", "Pegasus", "Script exploit", "Pws:win32/ymacco.aa50", "Hacktool:win32/autokms", "Cve-2025-4140", "Trojandropper:win32/vb.il", "Cassini", "Trojan:win32/zombie.a", "Alf:hstr:dotnet", "Alf:heraklezeval:pua:win32/4shared", "Trojan:win32/gandcrab", "#lowfi:hstr:msil/malicious", "Win32:downloader-gjk\\ [trj]", "Win.trojan.bulz-9860169-0", "Cve-2025-45492", "Alf:heraklezeval:trojan:win32/ymacco.aa47", "Win.malware.snojan", "Win.malware.zusy", "Xanfpezes.a", "Exploit:js/cve-2014-0322", "Trojan:win32/glupteba.mt!mtb", "Cve-2025-59230", "#lowfi:hstr:msil/possibledownloader.s01", "\"prepending (enc) ransomware\" (not an official name)", "#lowfienabledtcontinueafterunpacking", "Win.packed", "Tofsee", "Alf:trojan:win32/agent.wtk!mtb", "Trojan:win32/qqpass", "Cve-2023-27997", "Trojan:win32/blihan.a", "Malware packed", "Sova", "Win.downloader.68062-1", "Win.trojan.generic-9862772-0", "#lowfidetectsvmware", "Autorun", "!#lowfiwritemzinunusualextension", "Win.malware.kolab-9885903-0", "Trojan:win32/eyestye.t", "Win.malware.unruy-6912804-0", "Win.packed.razy-9785185-0", "E5", "Pws:win32/qqpass.fc", ".a , alf:heraklezeval:pws:win32/ldpinch!rfn", "Alf:heraklezeval:trojan:win32/salgorea!rfn", "Mydoom", "Win.malware.midie-6847892-0", "#lowfi:suspicioussectionname", "Multiple malware\u2019s , trojans and rats", "Ddos:win32/stormser.a", "#lowfi:hstr:msil/malicious.decryption", "Win.trojan.jorik-130", "Alf:heraklezeval:trojan:win32/clipbanker", "Upatre", "Trojan:win32/toga", "!#addscopytostartup", "Trojandropper:win32/muldrop.v!mtb", "Custom malware", "Cve-2025-4142", "Other malware", "Ransom", "Eyestye" ], "industries": [ "Education", "Media", "Critical infrastructure", "Manufacturing", "Government", "Ad fraud" ], "unique_indicators": 190933 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/docs-planet.site", "whois": "http://whois.domaintools.com/docs-planet.site", "domain": "docs-planet.site", "hostname": "openldap02.docs-planet.site" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 39, "pulses": [ { "id": "69a9cd444aa144401d0c4988", "name": "Pools Open", "description": "", "modified": "2026-04-15T19:21:28.851000", "created": "2026-03-05T18:36:52.014000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23428, "hostname": 9592, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47103, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a3c685d4b7c139ffe62930", "name": "Clone Pulse Reference", "description": "", "modified": "2026-04-01T00:44:45.494000", "created": "2026-03-01T04:54:29.384000", "tags": [ "ipv4", "active related", "trojandropper", "mtb jun", "lowfi", "trojan", "mtb jan", "fastly error", "please", "united", "ttl value", "get na", "total", "delete", "search", "yara detections", "sinkhole cookie", "value snkz", "write", "suspicious", "ransom", "malware", "Ransom.Win32.Birele.gsg Checkin", "AnubisNetworks Sinkhole Cookie Value Snkz", "Possible Compromised Host", "dynamicloader", "delete c", "default", "medium", "write c", "settingswpad", "intel", "ms windows", "users", "number", "title", "installer", "top source", "top destination", "source source", "port", "filehash", "av detections", "ids detections", "yara rule", "gravityrat", "detectvm", "x00 x00", "x00x00", "doviacmd", "rootjob", "getfiles", "updateserver", "ethernetid", "ids signatures", "exploits", "sid name", "malware cve", "dns query", "dnsbin demo", "data exfil", "exif data", "DNS Query for Webhook/HTTP Request Inspection Service (x .pipedr", "DNSBin Demo (requestbin .net) - Data Exfitration", "source port", "destination", "present sep", "script urls", "script script", "a domains", "script domains", "ip address", "meta", "present nov", "passive dns", "next associated", "domain add", "pe executable", "entries", "show", "msie", "windows nt", "wow64", "copy", "present jan", "present feb", "domain", "pulse pulses", "urls", "files", "tam legal", "christopher ahmann", "https://unicef.se/assets/apple", "treece alfrey", "hours ago", "information", "report spam", "ahmann colorado", "state", "special cousel", "created", "expiro", "capture" ], "references": [ "Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN", "Fastly Error and Palantir blocked several times over the last few months.", "Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)", "IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.", "Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN", "Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT", "Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName", "Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage", "https://unicef.se/assets/apple" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "PWS:Win32/QQpass.FC", "display_name": "PWS:Win32/QQpass.FC", "target": "/malware/PWS:Win32/QQpass.FC" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Malware.Urelas-9863836-0", "display_name": "Win.Malware.Urelas-9863836-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Win.Trojan.Vundo-7170412-0", "display_name": "Win.Trojan.Vundo-7170412-0", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Multiple Malware\u2019s , Trojans and Rats", "display_name": "Multiple Malware\u2019s , Trojans and Rats", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "6906bd99cadbd4140014c6af", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 909, "domain": 454, "hostname": 1404, "URL": 3557, "CIDR": 1, "FileHash-MD5": 242, "FileHash-SHA1": 185, "email": 1, "CVE": 1 }, "indicator_count": 6754, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696ac438a696c993b672106d", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:05:28.261000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696ac4327b5bc2e8be34f78a", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:05:22.323000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696ac416596cd89cf76bce55", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:04:53.997000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69642a749490c0bf404aa8ac", "name": "Google Services - Malware Packed Google Branded Services", "description": "Contacted Google services | Service (1 of 3) || GoogleChromeElevationService | Mofksys \u2022 Unruy | Relationship: https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b | \n#affilliated #worm _#exploit #alternate_google #infection #spyware", "modified": "2026-02-10T22:01:54.041000", "created": "2026-01-11T22:55:48.308000", "tags": [ "write c", "write", "delete c", "ms windows", "pe32 executable", "globalc", "united", "worm", "malware", "defender", "united states", "google", "google account", "mtb ids", "cloudflare dns", "https domain", "tls sni", "medium priority", "yara detections", "alerts", "google play", "google api", "google chrome", "mofksys", "exploit", "process32nextw", "msie", "windows nt", "wow64", "slcc2", "media center", "search", "precreate read", "read c", "dock", "unknown", "suspicious", "alt google", "execution att", "lowfi", "mtb jan", "trojandropper", "passive dns", "backdoor", "win32upatre jan", "origin trial", "gmt cache", "443 ma2592000", "possible", "trojan", "title", "mtb dec", "ipv4 add", "state", "trojan", "dropper", "phishing", "ransom", "of colorado" ], "references": [ "accounts.google.com \u2022 apis.google.com clients2.google.com \u2022 clients2.googleusercontent.com", "142.251.9.95 \u2022 https://clients2.google.com/cr/report \u2022 accounts.google.com \u2022", "ogads-pa.clients6.google.com \u2022 optimizationguide-pa.googleapis.com \u2022 play.google.com", "update.googleapis.com \u2022 www.google.com \u2022 clientservices.googleapis.com", "Worm:Win32/Mofksys.RND!MTB | Yara Detections: SUSP_Imphash_Mar23_2", "IDS Detection: Observed Cloudflare DNS over HTTPS \u2022 Domain (cloudflare-dns .com in TLS SNI)", "Alerts: suspicious_iocontrol_codes infostealer_cookies persistence_autorun antisandbox_sleep", "Alerts: persistence_autorun_tasks polymorphic procmem_yara static_pe_anomaly antiav_detectfile", "Alerts: antiav_detectreg antivm_bochs_keys antivm_generic_disk infostealer_mail injection_write", "Alerts: suspicious_command_tools anomalous_deletefile mouse_movement_detect", "Alerts: dynamic_function_loading resumethread_remote_process stealth_hiddenreg", "Contacted Google services", "SERVICE NAME: SSDPSRV \u2022 Delete upnphost\tDelete \u2022 GoogleChromeElevationService", "https://otx.alienvault.com/indicator/file/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "codewiki.google", "Win.Malware.Unruy-6912804-0 IDS Detections: Win32/Unruy.C Activity 403 Forbidden", "Alerts: network_icmp persistence_autorun antivm_vmware_in_instruction", "Alerts: network_http antisandbox_sleep creates_exe dropper stealth_window", "Alerts: injection_process_search protection_rx", "IP\u2019s Contacted: 142.250.74.68 142.250.74.99 18.66.121.69 185.53.179.170 2.22.41.134 204.79.197.200", "IP\u2019s Contacted: 208.91.196.46 209.197.3.8 216.239.32.29 35.186.238.101", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com www.google.com", "Domains Contacted: ocsp.pki.goog www.download.windowsupdate.com ifdnzact.com", "Domains Contacted: d38psrni17bvxu.cloudfront.net www2.megawebfind.com www6.megawebfind.com", "PE Version Information : TJprojMain.exe", "Found in : https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b", "IDS Detections Win32/Unruy.C Activity \u2022 403 Forbidden" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Malware.Unruy-6912804-0", "display_name": "Win.Malware.Unruy-6912804-0", "target": null }, { "id": "Win.Packed.Eyestye-9754938-0", "display_name": "Win.Packed.Eyestye-9754938-0", "target": null }, { "id": "Eyestye", "display_name": "Eyestye", "target": null }, { "id": "AutoRun", "display_name": "AutoRun", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Trojan:Win32/EyeStye.T", "display_name": "Trojan:Win32/EyeStye.T", "target": "/malware/Trojan:Win32/EyeStye.T" }, { "id": "ALF:HeraklezEval:PUA:Win32/4Shared", "display_name": "ALF:HeraklezEval:PUA:Win32/4Shared", "target": null }, { "id": "Cassini", "display_name": "Cassini", "target": null }, { "id": "DarkMoon", "display_name": "DarkMoon", "target": null }, { "id": "PolyRansom", "display_name": "PolyRansom", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1078.003", "name": "Local Accounts", "display_name": "T1078.003 - Local Accounts" }, { "id": "T1078.001", "name": "Default Accounts", "display_name": "T1078.001 - Default Accounts" }, { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1090.004", "name": "Domain Fronting", "display_name": "T1090.004 - Domain Fronting" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 198, "FileHash-SHA1": 165, "FileHash-SHA256": 867, "URL": 1461, "hostname": 429, "domain": 221, "SSLCertFingerprint": 1 }, "indicator_count": 3342, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "67 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6935d7d4979c94d296e4b033", "name": "New Exploits | CVE\u2019s | 12.07.2025", "description": "", "modified": "2026-01-06T00:03:32.099000", "created": "2025-12-07T19:39:00.258000", "tags": [], "references": [ "Phishing: https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav/", "https://www.redpacketsecurity.com/cve-alert-cve-2025-59230-microsoft-windows-10-version-1809/", "https://www.redpacketsecurity.com/cve_alert_cve-2024-12847/", "https://www.redpacketsecurity.com/cve_alert_cve-2025-4135/", "https://www.redpacketsecurity.com/cve_alert_cve-2025-4140/", "https://www.redpacketsecurity.com/cve_alert_cve-2025-4142/", "https://www.redpacketsecurity.com/cve_alert_cve-2025-45492/", "https://www.redpacketsecurity.com/firefox-0day-cve-2015-4495/" ], "public": 1, "adversary": "Coinbase Cartel", "targeted_countries": [ "United States of America", "Bangladesh", "Sweden", "Japan" ], "malware_families": [ { "id": "Exploit:Linux/CVE-2017-17215", "display_name": "Exploit:Linux/CVE-2017-17215", "target": "/malware/Exploit:Linux/CVE-2017-17215" }, { "id": "Exploit:JS/CVE-2014-0322", "display_name": "Exploit:JS/CVE-2014-0322", "target": "/malware/Exploit:JS/CVE-2014-0322" }, { "id": "CVE-2015-4495", "display_name": "CVE-2015-4495", "target": null }, { "id": "CVE-2024-12847", "display_name": "CVE-2024-12847", "target": null }, { "id": "CVE-2025-11727", "display_name": "CVE-2025-11727", "target": null }, { "id": "CVE-2025-4135", "display_name": "CVE-2025-4135", "target": null }, { "id": "CVE-2025-4140", "display_name": "CVE-2025-4140", "target": null }, { "id": "CVE-2025-4142", "display_name": "CVE-2025-4142", "target": null }, { "id": "CVE-2025-45492", "display_name": "CVE-2025-45492", "target": null }, { "id": "CVE-2025-59230", "display_name": "CVE-2025-59230", "target": null } ], "attack_ids": [ { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" } ], "industries": [ "Education" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 523, "CVE": 10, "domain": 44, "hostname": 149, "FileHash-MD5": 30, "FileHash-SHA1": 21, "FileHash-SHA256": 133 }, "indicator_count": 910, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "103 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "5fa57698ac0f6638b7b9a8ba", "name": "Pool's Closed", "description": "Two paupers from the meadow spring forth an upheaval of nasty sites on the world wide web.", "modified": "2025-12-27T05:02:34.910000", "created": "2020-11-06T16:15:20.139000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": null, "export_count": 61, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23426, "hostname": 9590, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47099, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "113 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6906bd99cadbd4140014c6af", "name": "Espionage - Gravity RAT + | Legal entities are State owned. Attacking severely injured PT\u2019s SA victim.", "description": "Fastly CDN for Palantir (Verizon) unless updated. Very malicious IoC\u2019s found evaluating IoC\u2019 from Christopher Ahmann - TAM Legal link.\n- Made contact with victim several times.\n- Illegal contact made with attorneys considering representing Tsara. \n- https://unicef.se/assets/apple - link related to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage.\n\nAhmann is named as special counsel but he , like Brian Sabey are \u2018ONLY\u2019 cyber attacking Tsara Brashears.\n\n- protecting Jeffrey Reimer DPT, multiple doctors, Concentra, blocked and denied care , hired a hitman/men and it would have. Even cheaper to pay her for the injuries she never sought compensation for due to aggressive attacks and threats.", "modified": "2025-12-02T01:05:30.331000", "created": "2025-11-02T02:10:33.546000", "tags": [ "ipv4", "active related", "trojandropper", "mtb jun", "lowfi", "trojan", "mtb jan", "fastly error", "please", "united", "ttl value", "get na", "total", "delete", "search", "yara detections", "sinkhole cookie", "value snkz", "write", "suspicious", "ransom", "malware", "Ransom.Win32.Birele.gsg Checkin", "AnubisNetworks Sinkhole Cookie Value Snkz", "Possible Compromised Host", "dynamicloader", "delete c", "default", "medium", "write c", "settingswpad", "intel", "ms windows", "users", "number", "title", "installer", "top source", "top destination", "source source", "port", "filehash", "av detections", "ids detections", "yara rule", "gravityrat", "detectvm", "x00 x00", "x00x00", "doviacmd", "rootjob", "getfiles", "updateserver", "ethernetid", "ids signatures", "exploits", "sid name", "malware cve", "dns query", "dnsbin demo", "data exfil", "exif data", "DNS Query for Webhook/HTTP Request Inspection Service (x .pipedr", "DNSBin Demo (requestbin .net) - Data Exfitration", "source port", "destination", "present sep", "script urls", "script script", "a domains", "script domains", "ip address", "meta", "present nov", "passive dns", "next associated", "domain add", "pe executable", "entries", "show", "msie", "windows nt", "wow64", "copy", "present jan", "present feb", "domain", "pulse pulses", "urls", "files", "tam legal", "christopher ahmann", "https://unicef.se/assets/apple", "treece alfrey", "hours ago", "information", "report spam", "ahmann colorado", "state", "special cousel", "created", "expiro", "capture" ], "references": [ "Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN", "Fastly Error and Palantir blocked several times over the last few months.", "Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)", "IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.", "Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN", "Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT", "Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName", "Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage", "https://unicef.se/assets/apple" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "PWS:Win32/QQpass.FC", "display_name": "PWS:Win32/QQpass.FC", "target": "/malware/PWS:Win32/QQpass.FC" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Malware.Urelas-9863836-0", "display_name": "Win.Malware.Urelas-9863836-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Win.Trojan.Vundo-7170412-0", "display_name": "Win.Trojan.Vundo-7170412-0", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Multiple Malware\u2019s , Trojans and Rats", "display_name": "Multiple Malware\u2019s , Trojans and Rats", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 909, "domain": 449, "hostname": 1403, "URL": 3552, "CIDR": 1, "FileHash-MD5": 242, "FileHash-SHA1": 185, "email": 1 }, "indicator_count": 6742, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "138 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fd0cc422cea2fd989581fd", "name": "LevelBlue - Open Threat Exchange (Malicious Attacks)", "description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.", "modified": "2025-11-24T17:02:12.441000", "created": "2025-10-25T17:45:40.291000", "tags": [ "ipv4", "levelblue", "open threat", "date sat", "connection", "etag w", "cloudfront", "sameorigin age", "vary", "ip address", "kb body", "gtmkvjvztk", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "learn", "exchange og", "levelblue open", "threat exchange", "exchange", "google tag", "iocs", "search otx", "included iocs", "review iocs", "data upload", "extraction", "layer protocol", "v full", "reports v", "port t1571", "t1573", "oc0006 http", "c0014", "get http", "dns resolutions", "user", "data", "datacrashpad", "edge", "tag manager", "us er", "help files", "shell", "html", "cve202323397", "iframe tags", "community score", "url http", "url https", "united", "united kingdom", "netherlands", "search", "type indicator", "role title", "added active", "related pulses", "indicator role", "title added", "active related", "otc oct", "report spam", "week ago", "scan", "learn more", "filehashmd5", "filehashsha1", "domain", "australia", "does", "josh", "created", "filehashsha256", "present jul", "present oct", "date", "a domains", "script urls", "for privacy", "moved", "script domains", "meta", "title", "body", "pragma", "encrypt", "ck ids", "t1060", "run keys", "startup", "folder", "t1027", "files", "information", "t1055", "injection", "capture", "south korea", "malaysia", "pulses", "fatal error", "hacker known", "name", "unknown", "risk", "weeks ago", "scary", "sova", "colorado", "wire", "name unknown", "thursday", "denver", "types of", "indicators hong", "kong", "tsara brashears", "african", "ethiopia", "b8reactjs", "india", "america", "x ua", "hostname", "dicator role", "pulses url", "airplane", "icator role", "t1432", "access contact", "list", "t1525", "image", "security scan", "heuristic oct", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1114", "t1480", "internal image", "brian sabey", "month ago", "modified", "days ago", "green well", "sabey stash", "service", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sova", "display_name": "Sova", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 956, "FileHash-SHA1": 906, "FileHash-SHA256": 2651, "URL": 4450, "domain": 708, "hostname": 2403, "CVE": 1, "email": 5 }, "indicator_count": 12080, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "145 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://openldap02.docs-planet.site", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://openldap02.docs-planet.site", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776591789.049717 }