{
"type": "URL",
"indicator": "https://opmlmanager.com",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://opmlmanager.com",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 2965845538,
"indicator": "https://opmlmanager.com",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 10,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65a9b4296442cc8db50a264f",
"name": "Maui Ransomware ",
"description": "",
"modified": "2024-02-17T23:00:21.788000",
"created": "2024-01-18T23:28:41.569000",
"tags": [
"first",
"algorithm",
"v3 serial",
"number",
"issuer",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"info",
"namecheap",
"server",
"registrar abuse",
"code",
"namecheap inc",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"win32 exe",
"win32 dll",
"type name",
"user",
"dns replication",
"description",
"utc submissions",
"submitters",
"cloudflarenet",
"summary iocs",
"community https",
"urls",
"amazonaes",
"china telecom",
"sector",
"export",
"cloud",
"mb opera",
"mb iesettings",
"kb acrotray",
"installer",
"samplepath",
"ssl certificate",
"whois record",
"tsara brashears",
"apple ios",
"p2404",
"malware",
"apple",
"password",
"critical risk",
"password bypass",
"core",
"hacktool",
"metro",
"download",
"critical",
"copy",
"relic",
"monitoring",
"emotet",
"tulach",
"tulach.cc",
"united",
"heur",
"team",
"firehol",
"malware site",
"cyber threat",
"malicious site",
"phishing",
"phishing site",
"malicious",
"downer",
"artemis",
"dnspionage",
"kuaizip",
"fusioncore",
"softcnapp",
"downloader",
"trojan",
"zbot",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"phishtank",
"bank",
"unsafe",
"riskware",
"alexa",
"service",
"facebook",
"presenoker",
"agent",
"stealer",
"phish",
"union",
"azorult",
"runescape",
"generic",
"crack",
"dapato",
"iframe",
"downldr",
"vidar",
"raccoon",
"remcos",
"miner",
"agenttesla",
"unknown",
"detplock",
"networm",
"win64",
"trickbot",
"telecom",
"media",
"webtoolbar",
"trojanspy",
"no data",
"tag count",
"tld count",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist https",
"pattern match",
"samuel tulach",
"file",
"localappdata",
"ascii text",
"title",
"windows",
"hyperv",
"span",
"mitre att",
"meta",
"path",
"light",
"dark",
"vmprotect",
"main",
"footer",
"body",
"class",
"hybrid",
"accept",
"local",
"click",
"strings",
"error",
"script",
"form",
"root ca",
"textarea",
"github",
"input",
"trust",
"general",
"june",
"threat roundup",
"july",
"whois whois",
"collection",
"august",
"lolkek",
"ransomware",
"ursnif",
"lockbit",
"chaos",
"quasar",
"april",
"quasar rat",
"dark power",
"swisyn",
"wiper",
"cobalt strike",
"attack",
"bitrat",
"formbook",
"qakbot",
"ransomexx",
"gootloader",
"maui ransomware",
"Cobalt Strike",
"physical threat",
"target",
"contacted circa 10.23.2023-"
],
"references": [
"tulach.cc [Adversarial Malware Attack Source]",
"http://1.116.132.182/weblogic_CVE_2020_2551.jar",
"init-p01st.push.apple.com",
"newrelic.se [Apple Collection]",
"apple-dns.net. [Apple email collection]",
"apple.com [=vaccine.com / negative http or https - insecure, malicious]",
"nr-data.net [ Hidden private Apple data collection]",
"http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]",
"www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]",
"https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter",
"114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]",
"mobile.twitter.com [titled hashtag Daisy Coleman]",
"http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]",
"12 CVE exploits posted in 'scoreblue' CVE tally",
"Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"Above Assurant link. [ Hidden privacy threats,,Transactional campaign",
"https://pin.it/ [SQLi Dumper]",
"https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt",
"msftconnecttest.com",
"ncsi-geo.trafficmanager.net =analytics.tresensa.com",
"https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]",
"104.200.22.130 Command and Control",
"aig.com",
"https://github-cloud.s3.amazonaws.com [DNS prefetch]",
"fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]",
"103.224.212.34 scanning_host",
"0-1.duckdns.org [malicious]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tsara Brashears",
"display_name": "Tsara Brashears",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Daisy Coleman",
"display_name": "Daisy Coleman",
"target": null
},
{
"id": "Twitter Malware",
"display_name": "Twitter Malware",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "CVE JAR",
"display_name": "CVE JAR",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "TrickBot - S0266",
"display_name": "TrickBot - S0266",
"target": null
},
{
"id": "Death Bitches",
"display_name": "Death Bitches",
"target": null
},
{
"id": "Bit RAT",
"display_name": "Bit RAT",
"target": null
},
{
"id": "Swisyn",
"display_name": "Swisyn",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Fusioncore",
"display_name": "Fusioncore",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Chaos",
"display_name": "Chaos",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "GootLoader",
"display_name": "GootLoader",
"target": null
},
{
"id": "Raccoon",
"display_name": "Raccoon",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "Apple Malware",
"display_name": "Apple Malware",
"target": null
},
{
"id": "FonePaw",
"display_name": "FonePaw",
"target": null
},
{
"id": "Amazon AES",
"display_name": "Amazon AES",
"target": null
},
{
"id": "Facebook HT",
"display_name": "Facebook HT",
"target": null
},
{
"id": "Ransomexx",
"display_name": "Ransomexx",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "Agent Tesla - S0331",
"display_name": "Agent Tesla - S0331",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "Dapato",
"display_name": "Dapato",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "DNSpionage",
"display_name": "DNSpionage",
"target": null
},
{
"id": "Trojan:Win32/Detplock",
"display_name": "Trojan:Win32/Detplock",
"target": "/malware/Trojan:Win32/Detplock"
},
{
"id": "Remcos",
"display_name": "Remcos",
"target": null
},
{
"id": "PwndLocker",
"display_name": "PwndLocker",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "653977171f690fb9ab978bf3",
"export_count": 35,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 641,
"domain": 2470,
"FileHash-MD5": 656,
"FileHash-SHA256": 8634,
"hostname": 2629,
"email": 4,
"URL": 5605,
"CVE": 12
},
"indicator_count": 20651,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "833 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65a9b87d2d435bdad9ce80a3",
"name": "Racoon Stealer ",
"description": "",
"modified": "2024-02-17T23:00:21.788000",
"created": "2024-01-18T23:47:09.818000",
"tags": [
"first",
"algorithm",
"v3 serial",
"number",
"issuer",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"info",
"namecheap",
"server",
"registrar abuse",
"code",
"namecheap inc",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"win32 exe",
"win32 dll",
"type name",
"user",
"dns replication",
"description",
"utc submissions",
"submitters",
"cloudflarenet",
"summary iocs",
"community https",
"urls",
"amazonaes",
"china telecom",
"sector",
"export",
"cloud",
"mb opera",
"mb iesettings",
"kb acrotray",
"installer",
"samplepath",
"ssl certificate",
"whois record",
"tsara brashears",
"apple ios",
"p2404",
"malware",
"apple",
"password",
"critical risk",
"password bypass",
"core",
"hacktool",
"metro",
"download",
"critical",
"copy",
"relic",
"monitoring",
"emotet",
"tulach",
"tulach.cc",
"united",
"heur",
"team",
"firehol",
"malware site",
"cyber threat",
"malicious site",
"phishing",
"phishing site",
"malicious",
"downer",
"artemis",
"dnspionage",
"kuaizip",
"fusioncore",
"softcnapp",
"downloader",
"trojan",
"zbot",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"phishtank",
"bank",
"unsafe",
"riskware",
"alexa",
"service",
"facebook",
"presenoker",
"agent",
"stealer",
"phish",
"union",
"azorult",
"runescape",
"generic",
"crack",
"dapato",
"iframe",
"downldr",
"vidar",
"raccoon",
"remcos",
"miner",
"agenttesla",
"unknown",
"detplock",
"networm",
"win64",
"trickbot",
"telecom",
"media",
"webtoolbar",
"trojanspy",
"no data",
"tag count",
"tld count",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist https",
"pattern match",
"samuel tulach",
"file",
"localappdata",
"ascii text",
"title",
"windows",
"hyperv",
"span",
"mitre att",
"meta",
"path",
"light",
"dark",
"vmprotect",
"main",
"footer",
"body",
"class",
"hybrid",
"accept",
"local",
"click",
"strings",
"error",
"script",
"form",
"root ca",
"textarea",
"github",
"input",
"trust",
"general",
"june",
"threat roundup",
"july",
"whois whois",
"collection",
"august",
"lolkek",
"ransomware",
"ursnif",
"lockbit",
"chaos",
"quasar",
"april",
"quasar rat",
"dark power",
"swisyn",
"wiper",
"cobalt strike",
"attack",
"bitrat",
"formbook",
"qakbot",
"ransomexx",
"gootloader",
"maui ransomware",
"Cobalt Strike",
"physical threat",
"target",
"contacted circa 10.23.2023-"
],
"references": [
"tulach.cc [Adversarial Malware Attack Source]",
"http://1.116.132.182/weblogic_CVE_2020_2551.jar",
"init-p01st.push.apple.com",
"newrelic.se [Apple Collection]",
"apple-dns.net. [Apple email collection]",
"apple.com [=vaccine.com / negative http or https - insecure, malicious]",
"nr-data.net [ Hidden private Apple data collection]",
"http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]",
"www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]",
"https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter",
"114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]",
"mobile.twitter.com [titled hashtag Daisy Coleman]",
"http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]",
"12 CVE exploits posted in 'scoreblue' CVE tally",
"Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"Above Assurant link. [ Hidden privacy threats,,Transactional campaign",
"https://pin.it/ [SQLi Dumper]",
"https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt",
"msftconnecttest.com",
"ncsi-geo.trafficmanager.net =analytics.tresensa.com",
"https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]",
"104.200.22.130 Command and Control",
"aig.com",
"https://github-cloud.s3.amazonaws.com [DNS prefetch]",
"fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]",
"103.224.212.34 scanning_host",
"0-1.duckdns.org [malicious]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tsara Brashears",
"display_name": "Tsara Brashears",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Daisy Coleman",
"display_name": "Daisy Coleman",
"target": null
},
{
"id": "Twitter Malware",
"display_name": "Twitter Malware",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "CVE JAR",
"display_name": "CVE JAR",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "TrickBot - S0266",
"display_name": "TrickBot - S0266",
"target": null
},
{
"id": "Death Bitches",
"display_name": "Death Bitches",
"target": null
},
{
"id": "Bit RAT",
"display_name": "Bit RAT",
"target": null
},
{
"id": "Swisyn",
"display_name": "Swisyn",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Fusioncore",
"display_name": "Fusioncore",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Chaos",
"display_name": "Chaos",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "GootLoader",
"display_name": "GootLoader",
"target": null
},
{
"id": "Raccoon",
"display_name": "Raccoon",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "Apple Malware",
"display_name": "Apple Malware",
"target": null
},
{
"id": "FonePaw",
"display_name": "FonePaw",
"target": null
},
{
"id": "Amazon AES",
"display_name": "Amazon AES",
"target": null
},
{
"id": "Facebook HT",
"display_name": "Facebook HT",
"target": null
},
{
"id": "Ransomexx",
"display_name": "Ransomexx",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "Agent Tesla - S0331",
"display_name": "Agent Tesla - S0331",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "Dapato",
"display_name": "Dapato",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "DNSpionage",
"display_name": "DNSpionage",
"target": null
},
{
"id": "Trojan:Win32/Detplock",
"display_name": "Trojan:Win32/Detplock",
"target": "/malware/Trojan:Win32/Detplock"
},
{
"id": "Remcos",
"display_name": "Remcos",
"target": null
},
{
"id": "PwndLocker",
"display_name": "PwndLocker",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65a9b4296442cc8db50a264f",
"export_count": 38,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 641,
"domain": 2470,
"FileHash-MD5": 656,
"FileHash-SHA256": 8634,
"hostname": 2629,
"email": 4,
"URL": 5605,
"CVE": 12
},
"indicator_count": 20651,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "833 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65aab8eb55243c504a2cb4c0",
"name": "Maui Ransomware",
"description": "",
"modified": "2024-02-17T23:00:21.788000",
"created": "2024-01-19T18:01:15.365000",
"tags": [
"first",
"algorithm",
"v3 serial",
"number",
"issuer",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"info",
"namecheap",
"server",
"registrar abuse",
"code",
"namecheap inc",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"win32 exe",
"win32 dll",
"type name",
"user",
"dns replication",
"description",
"utc submissions",
"submitters",
"cloudflarenet",
"summary iocs",
"community https",
"urls",
"amazonaes",
"china telecom",
"sector",
"export",
"cloud",
"mb opera",
"mb iesettings",
"kb acrotray",
"installer",
"samplepath",
"ssl certificate",
"whois record",
"tsara brashears",
"apple ios",
"p2404",
"malware",
"apple",
"password",
"critical risk",
"password bypass",
"core",
"hacktool",
"metro",
"download",
"critical",
"copy",
"relic",
"monitoring",
"emotet",
"tulach",
"tulach.cc",
"united",
"heur",
"team",
"firehol",
"malware site",
"cyber threat",
"malicious site",
"phishing",
"phishing site",
"malicious",
"downer",
"artemis",
"dnspionage",
"kuaizip",
"fusioncore",
"softcnapp",
"downloader",
"trojan",
"zbot",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"phishtank",
"bank",
"unsafe",
"riskware",
"alexa",
"service",
"facebook",
"presenoker",
"agent",
"stealer",
"phish",
"union",
"azorult",
"runescape",
"generic",
"crack",
"dapato",
"iframe",
"downldr",
"vidar",
"raccoon",
"remcos",
"miner",
"agenttesla",
"unknown",
"detplock",
"networm",
"win64",
"trickbot",
"telecom",
"media",
"webtoolbar",
"trojanspy",
"no data",
"tag count",
"tld count",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist https",
"pattern match",
"samuel tulach",
"file",
"localappdata",
"ascii text",
"title",
"windows",
"hyperv",
"span",
"mitre att",
"meta",
"path",
"light",
"dark",
"vmprotect",
"main",
"footer",
"body",
"class",
"hybrid",
"accept",
"local",
"click",
"strings",
"error",
"script",
"form",
"root ca",
"textarea",
"github",
"input",
"trust",
"general",
"june",
"threat roundup",
"july",
"whois whois",
"collection",
"august",
"lolkek",
"ransomware",
"ursnif",
"lockbit",
"chaos",
"quasar",
"april",
"quasar rat",
"dark power",
"swisyn",
"wiper",
"cobalt strike",
"attack",
"bitrat",
"formbook",
"qakbot",
"ransomexx",
"gootloader",
"maui ransomware",
"Cobalt Strike",
"physical threat",
"target",
"contacted circa 10.23.2023-"
],
"references": [
"tulach.cc [Adversarial Malware Attack Source]",
"http://1.116.132.182/weblogic_CVE_2020_2551.jar",
"init-p01st.push.apple.com",
"newrelic.se [Apple Collection]",
"apple-dns.net. [Apple email collection]",
"apple.com [=vaccine.com / negative http or https - insecure, malicious]",
"nr-data.net [ Hidden private Apple data collection]",
"http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]",
"www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]",
"https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter",
"114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]",
"mobile.twitter.com [titled hashtag Daisy Coleman]",
"http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]",
"12 CVE exploits posted in 'scoreblue' CVE tally",
"Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"Above Assurant link. [ Hidden privacy threats,,Transactional campaign",
"https://pin.it/ [SQLi Dumper]",
"https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt",
"msftconnecttest.com",
"ncsi-geo.trafficmanager.net =analytics.tresensa.com",
"https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]",
"104.200.22.130 Command and Control",
"aig.com",
"https://github-cloud.s3.amazonaws.com [DNS prefetch]",
"fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]",
"103.224.212.34 scanning_host",
"0-1.duckdns.org [malicious]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tsara Brashears",
"display_name": "Tsara Brashears",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Daisy Coleman",
"display_name": "Daisy Coleman",
"target": null
},
{
"id": "Twitter Malware",
"display_name": "Twitter Malware",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "CVE JAR",
"display_name": "CVE JAR",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "TrickBot - S0266",
"display_name": "TrickBot - S0266",
"target": null
},
{
"id": "Death Bitches",
"display_name": "Death Bitches",
"target": null
},
{
"id": "Bit RAT",
"display_name": "Bit RAT",
"target": null
},
{
"id": "Swisyn",
"display_name": "Swisyn",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Fusioncore",
"display_name": "Fusioncore",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Chaos",
"display_name": "Chaos",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "GootLoader",
"display_name": "GootLoader",
"target": null
},
{
"id": "Raccoon",
"display_name": "Raccoon",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "Apple Malware",
"display_name": "Apple Malware",
"target": null
},
{
"id": "FonePaw",
"display_name": "FonePaw",
"target": null
},
{
"id": "Amazon AES",
"display_name": "Amazon AES",
"target": null
},
{
"id": "Facebook HT",
"display_name": "Facebook HT",
"target": null
},
{
"id": "Ransomexx",
"display_name": "Ransomexx",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "Agent Tesla - S0331",
"display_name": "Agent Tesla - S0331",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "Dapato",
"display_name": "Dapato",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "DNSpionage",
"display_name": "DNSpionage",
"target": null
},
{
"id": "Trojan:Win32/Detplock",
"display_name": "Trojan:Win32/Detplock",
"target": "/malware/Trojan:Win32/Detplock"
},
{
"id": "Remcos",
"display_name": "Remcos",
"target": null
},
{
"id": "PwndLocker",
"display_name": "PwndLocker",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65a9b4296442cc8db50a264f",
"export_count": 44,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 641,
"domain": 2470,
"FileHash-MD5": 656,
"FileHash-SHA256": 8634,
"hostname": 2629,
"email": 4,
"URL": 5605,
"CVE": 12
},
"indicator_count": 20651,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "833 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65afcb842689eb776c0737e5",
"name": "Maui Ransomware",
"description": "",
"modified": "2024-02-17T23:00:21.788000",
"created": "2024-01-23T14:21:56.725000",
"tags": [
"first",
"algorithm",
"v3 serial",
"number",
"issuer",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"info",
"namecheap",
"server",
"registrar abuse",
"code",
"namecheap inc",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"win32 exe",
"win32 dll",
"type name",
"user",
"dns replication",
"description",
"utc submissions",
"submitters",
"cloudflarenet",
"summary iocs",
"community https",
"urls",
"amazonaes",
"china telecom",
"sector",
"export",
"cloud",
"mb opera",
"mb iesettings",
"kb acrotray",
"installer",
"samplepath",
"ssl certificate",
"whois record",
"tsara brashears",
"apple ios",
"p2404",
"malware",
"apple",
"password",
"critical risk",
"password bypass",
"core",
"hacktool",
"metro",
"download",
"critical",
"copy",
"relic",
"monitoring",
"emotet",
"tulach",
"tulach.cc",
"united",
"heur",
"team",
"firehol",
"malware site",
"cyber threat",
"malicious site",
"phishing",
"phishing site",
"malicious",
"downer",
"artemis",
"dnspionage",
"kuaizip",
"fusioncore",
"softcnapp",
"downloader",
"trojan",
"zbot",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"phishtank",
"bank",
"unsafe",
"riskware",
"alexa",
"service",
"facebook",
"presenoker",
"agent",
"stealer",
"phish",
"union",
"azorult",
"runescape",
"generic",
"crack",
"dapato",
"iframe",
"downldr",
"vidar",
"raccoon",
"remcos",
"miner",
"agenttesla",
"unknown",
"detplock",
"networm",
"win64",
"trickbot",
"telecom",
"media",
"webtoolbar",
"trojanspy",
"no data",
"tag count",
"tld count",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist https",
"pattern match",
"samuel tulach",
"file",
"localappdata",
"ascii text",
"title",
"windows",
"hyperv",
"span",
"mitre att",
"meta",
"path",
"light",
"dark",
"vmprotect",
"main",
"footer",
"body",
"class",
"hybrid",
"accept",
"local",
"click",
"strings",
"error",
"script",
"form",
"root ca",
"textarea",
"github",
"input",
"trust",
"general",
"june",
"threat roundup",
"july",
"whois whois",
"collection",
"august",
"lolkek",
"ransomware",
"ursnif",
"lockbit",
"chaos",
"quasar",
"april",
"quasar rat",
"dark power",
"swisyn",
"wiper",
"cobalt strike",
"attack",
"bitrat",
"formbook",
"qakbot",
"ransomexx",
"gootloader",
"maui ransomware",
"Cobalt Strike",
"physical threat",
"target",
"contacted circa 10.23.2023-"
],
"references": [
"tulach.cc [Adversarial Malware Attack Source]",
"http://1.116.132.182/weblogic_CVE_2020_2551.jar",
"init-p01st.push.apple.com",
"newrelic.se [Apple Collection]",
"apple-dns.net. [Apple email collection]",
"apple.com [=vaccine.com / negative http or https - insecure, malicious]",
"nr-data.net [ Hidden private Apple data collection]",
"http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]",
"www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]",
"https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter",
"114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]",
"mobile.twitter.com [titled hashtag Daisy Coleman]",
"http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]",
"12 CVE exploits posted in 'scoreblue' CVE tally",
"Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"Above Assurant link. [ Hidden privacy threats,,Transactional campaign",
"https://pin.it/ [SQLi Dumper]",
"https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt",
"msftconnecttest.com",
"ncsi-geo.trafficmanager.net =analytics.tresensa.com",
"https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]",
"104.200.22.130 Command and Control",
"aig.com",
"https://github-cloud.s3.amazonaws.com [DNS prefetch]",
"fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]",
"103.224.212.34 scanning_host",
"0-1.duckdns.org [malicious]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tsara Brashears",
"display_name": "Tsara Brashears",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Daisy Coleman",
"display_name": "Daisy Coleman",
"target": null
},
{
"id": "Twitter Malware",
"display_name": "Twitter Malware",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "CVE JAR",
"display_name": "CVE JAR",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "TrickBot - S0266",
"display_name": "TrickBot - S0266",
"target": null
},
{
"id": "Death Bitches",
"display_name": "Death Bitches",
"target": null
},
{
"id": "Bit RAT",
"display_name": "Bit RAT",
"target": null
},
{
"id": "Swisyn",
"display_name": "Swisyn",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Fusioncore",
"display_name": "Fusioncore",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Chaos",
"display_name": "Chaos",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "GootLoader",
"display_name": "GootLoader",
"target": null
},
{
"id": "Raccoon",
"display_name": "Raccoon",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "Apple Malware",
"display_name": "Apple Malware",
"target": null
},
{
"id": "FonePaw",
"display_name": "FonePaw",
"target": null
},
{
"id": "Amazon AES",
"display_name": "Amazon AES",
"target": null
},
{
"id": "Facebook HT",
"display_name": "Facebook HT",
"target": null
},
{
"id": "Ransomexx",
"display_name": "Ransomexx",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "Agent Tesla - S0331",
"display_name": "Agent Tesla - S0331",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "Dapato",
"display_name": "Dapato",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "DNSpionage",
"display_name": "DNSpionage",
"target": null
},
{
"id": "Trojan:Win32/Detplock",
"display_name": "Trojan:Win32/Detplock",
"target": "/malware/Trojan:Win32/Detplock"
},
{
"id": "Remcos",
"display_name": "Remcos",
"target": null
},
{
"id": "PwndLocker",
"display_name": "PwndLocker",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65aab8eb55243c504a2cb4c0",
"export_count": 51,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 641,
"domain": 2470,
"FileHash-MD5": 656,
"FileHash-SHA256": 8634,
"hostname": 2629,
"email": 4,
"URL": 5605,
"CVE": 12
},
"indicator_count": 20651,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "833 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653960d6d09796c4ba4c1e90",
"name": "CVE JAR Found | Massive active Malicious | unlatched issues",
"description": "Monitoring Tsara Brashears - Extreme cyber attack against documented as alleged SA victim. Non-Adversarial Tsara Brashears inflicted with highly malicious Malware auto populated. Massive online attack on Tsara Brashears defaced digital profile. Attacks primarily by Adversarial Tulach malware.\nDaisy Coleman [deceased] moderate malware attack against target a documented SA survivor.\nThis is a revenge attacker. \nPhysical harm imminence [HIGH] SOS\nEdward Snowden speaks of similar attacks against American citizen. Was target warned of malware status or massive attack. Made aware of Botnet by any authority?",
"modified": "2023-11-24T12:03:49.398000",
"created": "2023-10-25T18:39:18.723000",
"tags": [
"first",
"algorithm",
"v3 serial",
"number",
"issuer",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"info",
"namecheap",
"server",
"registrar abuse",
"code",
"namecheap inc",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"win32 exe",
"win32 dll",
"type name",
"user",
"dns replication",
"description",
"utc submissions",
"submitters",
"cloudflarenet",
"summary iocs",
"community https",
"urls",
"amazonaes",
"china telecom",
"sector",
"export",
"cloud",
"mb opera",
"mb iesettings",
"kb acrotray",
"installer",
"samplepath",
"ssl certificate",
"whois record",
"tsara brashears",
"apple ios",
"p2404",
"malware",
"apple",
"password",
"critical risk",
"password bypass",
"core",
"hacktool",
"metro",
"download",
"critical",
"copy",
"relic",
"monitoring",
"emotet",
"tulach",
"tulach.cc",
"united",
"heur",
"team",
"firehol",
"malware site",
"cyber threat",
"malicious site",
"phishing",
"phishing site",
"malicious",
"downer",
"artemis",
"dnspionage",
"kuaizip",
"fusioncore",
"softcnapp",
"downloader",
"trojan",
"zbot",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"phishtank",
"bank",
"unsafe",
"riskware",
"alexa",
"service",
"facebook",
"presenoker",
"agent",
"stealer",
"phish",
"union",
"azorult",
"runescape",
"generic",
"crack",
"dapato",
"iframe",
"downldr",
"vidar",
"raccoon",
"remcos",
"miner",
"agenttesla",
"unknown",
"detplock",
"networm",
"win64",
"trickbot",
"telecom",
"media",
"webtoolbar",
"trojanspy",
"no data",
"tag count",
"tld count",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist https",
"pattern match",
"samuel tulach",
"file",
"localappdata",
"ascii text",
"title",
"windows",
"hyperv",
"span",
"mitre att",
"meta",
"path",
"light",
"dark",
"vmprotect",
"main",
"footer",
"body",
"class",
"hybrid",
"accept",
"local",
"click",
"strings",
"error",
"script",
"form",
"root ca",
"textarea",
"github",
"input",
"trust",
"general",
"june",
"threat roundup",
"july",
"whois whois",
"collection",
"august",
"lolkek",
"ransomware",
"ursnif",
"lockbit",
"chaos",
"quasar",
"april",
"quasar rat",
"dark power",
"swisyn",
"wiper",
"cobalt strike",
"attack",
"bitrat",
"formbook",
"qakbot",
"ransomexx",
"gootloader",
"maui ransomware",
"Cobalt Strike",
"physical threat",
"target",
"contacted circa 10.23.2023-"
],
"references": [
"tulach.cc [Adversarial Malware Attack Source]",
"http://1.116.132.182/weblogic_CVE_2020_2551.jar",
"init-p01st.push.apple.com",
"newrelic.se [Apple Collection]",
"apple-dns.net. [Apple email collection]",
"apple.com [=vaccine.com / negative http or https - insecure, malicious]",
"nr-data.net [ Hidden private Apple data collection]",
"http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]",
"www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]",
"https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter",
"114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]",
"mobile.twitter.com [titled hashtag Daisy Coleman]",
"http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]",
"12 CVE exploits posted in 'scoreblue' CVE tally",
"Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"Above Assurant link. [ Hidden privacy threats,,Transactional campaign",
"https://pin.it/ [SQLi Dumper]",
"https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt",
"msftconnecttest.com",
"ncsi-geo.trafficmanager.net =analytics.tresensa.com",
"https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]",
"104.200.22.130 Command and Control",
"aig.com",
"https://github-cloud.s3.amazonaws.com [DNS prefetch]",
"fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]",
"103.224.212.34 scanning_host",
"0-1.duckdns.org [malicious]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tsara Brashears",
"display_name": "Tsara Brashears",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Daisy Coleman",
"display_name": "Daisy Coleman",
"target": null
},
{
"id": "Twitter Malware",
"display_name": "Twitter Malware",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "CVE JAR",
"display_name": "CVE JAR",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "TrickBot - S0266",
"display_name": "TrickBot - S0266",
"target": null
},
{
"id": "Death Bitches",
"display_name": "Death Bitches",
"target": null
},
{
"id": "Bit RAT",
"display_name": "Bit RAT",
"target": null
},
{
"id": "Swisyn",
"display_name": "Swisyn",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Fusioncore",
"display_name": "Fusioncore",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Chaos",
"display_name": "Chaos",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "GootLoader",
"display_name": "GootLoader",
"target": null
},
{
"id": "Raccoon",
"display_name": "Raccoon",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "Apple Malware",
"display_name": "Apple Malware",
"target": null
},
{
"id": "FonePaw",
"display_name": "FonePaw",
"target": null
},
{
"id": "Amazon AES",
"display_name": "Amazon AES",
"target": null
},
{
"id": "Facebook HT",
"display_name": "Facebook HT",
"target": null
},
{
"id": "Ransomexx",
"display_name": "Ransomexx",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "Agent Tesla - S0331",
"display_name": "Agent Tesla - S0331",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "Dapato",
"display_name": "Dapato",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "DNSpionage",
"display_name": "DNSpionage",
"target": null
},
{
"id": "Trojan:Win32/Detplock",
"display_name": "Trojan:Win32/Detplock",
"target": "/malware/Trojan:Win32/Detplock"
},
{
"id": "Remcos",
"display_name": "Remcos",
"target": null
},
{
"id": "PwndLocker",
"display_name": "PwndLocker",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 61,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 641,
"domain": 2295,
"FileHash-MD5": 656,
"FileHash-SHA256": 7727,
"hostname": 2252,
"email": 3,
"URL": 4406,
"CVE": 10
},
"indicator_count": 17990,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "919 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653977171f690fb9ab978bf3",
"name": "Speechless | Critical",
"description": "Cyber threat. Target Tsara Brashears is now Tsara Brashears Malware. Looks like an investigation, might be a legitimate investigation. I have no insight as to whether investigation is warranted, staged, or silencing?? \nVerdict:\nAdversarial monitoring, harassment, Libel, cyber crime by a genius exploiting regulations and escalation privileges. Target at high risk.",
"modified": "2023-11-24T12:03:49.398000",
"created": "2023-10-25T20:14:14.532000",
"tags": [
"first",
"algorithm",
"v3 serial",
"number",
"issuer",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"info",
"namecheap",
"server",
"registrar abuse",
"code",
"namecheap inc",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"win32 exe",
"win32 dll",
"type name",
"user",
"dns replication",
"description",
"utc submissions",
"submitters",
"cloudflarenet",
"summary iocs",
"community https",
"urls",
"amazonaes",
"china telecom",
"sector",
"export",
"cloud",
"mb opera",
"mb iesettings",
"kb acrotray",
"installer",
"samplepath",
"ssl certificate",
"whois record",
"tsara brashears",
"apple ios",
"p2404",
"malware",
"apple",
"password",
"critical risk",
"password bypass",
"core",
"hacktool",
"metro",
"download",
"critical",
"copy",
"relic",
"monitoring",
"emotet",
"tulach",
"tulach.cc",
"united",
"heur",
"team",
"firehol",
"malware site",
"cyber threat",
"malicious site",
"phishing",
"phishing site",
"malicious",
"downer",
"artemis",
"dnspionage",
"kuaizip",
"fusioncore",
"softcnapp",
"downloader",
"trojan",
"zbot",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"phishtank",
"bank",
"unsafe",
"riskware",
"alexa",
"service",
"facebook",
"presenoker",
"agent",
"stealer",
"phish",
"union",
"azorult",
"runescape",
"generic",
"crack",
"dapato",
"iframe",
"downldr",
"vidar",
"raccoon",
"remcos",
"miner",
"agenttesla",
"unknown",
"detplock",
"networm",
"win64",
"trickbot",
"telecom",
"media",
"webtoolbar",
"trojanspy",
"no data",
"tag count",
"tld count",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist https",
"pattern match",
"samuel tulach",
"file",
"localappdata",
"ascii text",
"title",
"windows",
"hyperv",
"span",
"mitre att",
"meta",
"path",
"light",
"dark",
"vmprotect",
"main",
"footer",
"body",
"class",
"hybrid",
"accept",
"local",
"click",
"strings",
"error",
"script",
"form",
"root ca",
"textarea",
"github",
"input",
"trust",
"general",
"june",
"threat roundup",
"july",
"whois whois",
"collection",
"august",
"lolkek",
"ransomware",
"ursnif",
"lockbit",
"chaos",
"quasar",
"april",
"quasar rat",
"dark power",
"swisyn",
"wiper",
"cobalt strike",
"attack",
"bitrat",
"formbook",
"qakbot",
"ransomexx",
"gootloader",
"maui ransomware",
"Cobalt Strike",
"physical threat",
"target",
"contacted circa 10.23.2023-"
],
"references": [
"tulach.cc [Adversarial Malware Attack Source]",
"http://1.116.132.182/weblogic_CVE_2020_2551.jar",
"init-p01st.push.apple.com",
"newrelic.se [Apple Collection]",
"apple-dns.net. [Apple email collection]",
"apple.com [=vaccine.com / negative http or https - insecure, malicious]",
"nr-data.net [ Hidden private Apple data collection]",
"http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]",
"www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]",
"https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter",
"114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]",
"mobile.twitter.com [titled hashtag Daisy Coleman]",
"http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]",
"12 CVE exploits posted in 'scoreblue' CVE tally",
"Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"Above Assurant link. [ Hidden privacy threats,,Transactional campaign",
"https://pin.it/ [SQLi Dumper]",
"https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt",
"msftconnecttest.com",
"ncsi-geo.trafficmanager.net =analytics.tresensa.com",
"https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]",
"104.200.22.130 Command and Control",
"aig.com",
"https://github-cloud.s3.amazonaws.com [DNS prefetch]",
"fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]",
"103.224.212.34 scanning_host",
"0-1.duckdns.org [malicious]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tsara Brashears",
"display_name": "Tsara Brashears",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Daisy Coleman",
"display_name": "Daisy Coleman",
"target": null
},
{
"id": "Twitter Malware",
"display_name": "Twitter Malware",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "CVE JAR",
"display_name": "CVE JAR",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "TrickBot - S0266",
"display_name": "TrickBot - S0266",
"target": null
},
{
"id": "Death Bitches",
"display_name": "Death Bitches",
"target": null
},
{
"id": "Bit RAT",
"display_name": "Bit RAT",
"target": null
},
{
"id": "Swisyn",
"display_name": "Swisyn",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Fusioncore",
"display_name": "Fusioncore",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Chaos",
"display_name": "Chaos",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "GootLoader",
"display_name": "GootLoader",
"target": null
},
{
"id": "Raccoon",
"display_name": "Raccoon",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "Apple Malware",
"display_name": "Apple Malware",
"target": null
},
{
"id": "FonePaw",
"display_name": "FonePaw",
"target": null
},
{
"id": "Amazon AES",
"display_name": "Amazon AES",
"target": null
},
{
"id": "Facebook HT",
"display_name": "Facebook HT",
"target": null
},
{
"id": "Ransomexx",
"display_name": "Ransomexx",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "Agent Tesla - S0331",
"display_name": "Agent Tesla - S0331",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "Dapato",
"display_name": "Dapato",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "DNSpionage",
"display_name": "DNSpionage",
"target": null
},
{
"id": "Trojan:Win32/Detplock",
"display_name": "Trojan:Win32/Detplock",
"target": "/malware/Trojan:Win32/Detplock"
},
{
"id": "Remcos",
"display_name": "Remcos",
"target": null
},
{
"id": "PwndLocker",
"display_name": "PwndLocker",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 57,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 641,
"domain": 2457,
"FileHash-MD5": 656,
"FileHash-SHA256": 8455,
"hostname": 2605,
"email": 3,
"URL": 5548,
"CVE": 12
},
"indicator_count": 20377,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "919 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653f2100b535d359accfc3a6",
"name": "CVE JAR Found | Massive active Malicious | Tulach & AIG associated | Scam",
"description": "",
"modified": "2023-11-24T12:03:49.398000",
"created": "2023-10-30T03:20:32.349000",
"tags": [
"first",
"algorithm",
"v3 serial",
"number",
"issuer",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"info",
"namecheap",
"server",
"registrar abuse",
"code",
"namecheap inc",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"win32 exe",
"win32 dll",
"type name",
"user",
"dns replication",
"description",
"utc submissions",
"submitters",
"cloudflarenet",
"summary iocs",
"community https",
"urls",
"amazonaes",
"china telecom",
"sector",
"export",
"cloud",
"mb opera",
"mb iesettings",
"kb acrotray",
"installer",
"samplepath",
"ssl certificate",
"whois record",
"tsara brashears",
"apple ios",
"p2404",
"malware",
"apple",
"password",
"critical risk",
"password bypass",
"core",
"hacktool",
"metro",
"download",
"critical",
"copy",
"relic",
"monitoring",
"emotet",
"tulach",
"tulach.cc",
"united",
"heur",
"team",
"firehol",
"malware site",
"cyber threat",
"malicious site",
"phishing",
"phishing site",
"malicious",
"downer",
"artemis",
"dnspionage",
"kuaizip",
"fusioncore",
"softcnapp",
"downloader",
"trojan",
"zbot",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"phishtank",
"bank",
"unsafe",
"riskware",
"alexa",
"service",
"facebook",
"presenoker",
"agent",
"stealer",
"phish",
"union",
"azorult",
"runescape",
"generic",
"crack",
"dapato",
"iframe",
"downldr",
"vidar",
"raccoon",
"remcos",
"miner",
"agenttesla",
"unknown",
"detplock",
"networm",
"win64",
"trickbot",
"telecom",
"media",
"webtoolbar",
"trojanspy",
"no data",
"tag count",
"tld count",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist https",
"pattern match",
"samuel tulach",
"file",
"localappdata",
"ascii text",
"title",
"windows",
"hyperv",
"span",
"mitre att",
"meta",
"path",
"light",
"dark",
"vmprotect",
"main",
"footer",
"body",
"class",
"hybrid",
"accept",
"local",
"click",
"strings",
"error",
"script",
"form",
"root ca",
"textarea",
"github",
"input",
"trust",
"general",
"june",
"threat roundup",
"july",
"whois whois",
"collection",
"august",
"lolkek",
"ransomware",
"ursnif",
"lockbit",
"chaos",
"quasar",
"april",
"quasar rat",
"dark power",
"swisyn",
"wiper",
"cobalt strike",
"attack",
"bitrat",
"formbook",
"qakbot",
"ransomexx",
"gootloader",
"maui ransomware",
"Cobalt Strike",
"physical threat",
"target",
"contacted circa 10.23.2023-"
],
"references": [
"tulach.cc [Adversarial Malware Attack Source]",
"http://1.116.132.182/weblogic_CVE_2020_2551.jar",
"init-p01st.push.apple.com",
"newrelic.se [Apple Collection]",
"apple-dns.net. [Apple email collection]",
"apple.com [=vaccine.com / negative http or https - insecure, malicious]",
"nr-data.net [ Hidden private Apple data collection]",
"http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]",
"www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]",
"https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter",
"114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]",
"mobile.twitter.com [titled hashtag Daisy Coleman]",
"http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]",
"12 CVE exploits posted in 'scoreblue' CVE tally",
"Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"Above Assurant link. [ Hidden privacy threats,,Transactional campaign",
"https://pin.it/ [SQLi Dumper]",
"https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt",
"msftconnecttest.com",
"ncsi-geo.trafficmanager.net =analytics.tresensa.com",
"https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]",
"104.200.22.130 Command and Control",
"aig.com",
"https://github-cloud.s3.amazonaws.com [DNS prefetch]",
"fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]",
"103.224.212.34 scanning_host",
"0-1.duckdns.org [malicious]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tsara Brashears",
"display_name": "Tsara Brashears",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Daisy Coleman",
"display_name": "Daisy Coleman",
"target": null
},
{
"id": "Twitter Malware",
"display_name": "Twitter Malware",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "CVE JAR",
"display_name": "CVE JAR",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "TrickBot - S0266",
"display_name": "TrickBot - S0266",
"target": null
},
{
"id": "Death Bitches",
"display_name": "Death Bitches",
"target": null
},
{
"id": "Bit RAT",
"display_name": "Bit RAT",
"target": null
},
{
"id": "Swisyn",
"display_name": "Swisyn",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Fusioncore",
"display_name": "Fusioncore",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Chaos",
"display_name": "Chaos",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "GootLoader",
"display_name": "GootLoader",
"target": null
},
{
"id": "Raccoon",
"display_name": "Raccoon",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "Apple Malware",
"display_name": "Apple Malware",
"target": null
},
{
"id": "FonePaw",
"display_name": "FonePaw",
"target": null
},
{
"id": "Amazon AES",
"display_name": "Amazon AES",
"target": null
},
{
"id": "Facebook HT",
"display_name": "Facebook HT",
"target": null
},
{
"id": "Ransomexx",
"display_name": "Ransomexx",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "Agent Tesla - S0331",
"display_name": "Agent Tesla - S0331",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "Dapato",
"display_name": "Dapato",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "DNSpionage",
"display_name": "DNSpionage",
"target": null
},
{
"id": "Trojan:Win32/Detplock",
"display_name": "Trojan:Win32/Detplock",
"target": "/malware/Trojan:Win32/Detplock"
},
{
"id": "Remcos",
"display_name": "Remcos",
"target": null
},
{
"id": "PwndLocker",
"display_name": "PwndLocker",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "653960d6d09796c4ba4c1e90",
"export_count": 43,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 641,
"domain": 2295,
"FileHash-MD5": 656,
"FileHash-SHA256": 7727,
"hostname": 2252,
"email": 3,
"URL": 4406,
"CVE": 10
},
"indicator_count": 17990,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "919 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653f219ce051cf01e9a6be8b",
"name": "Speechless | Critical",
"description": "",
"modified": "2023-11-24T12:03:49.398000",
"created": "2023-10-30T03:23:08.790000",
"tags": [
"first",
"algorithm",
"v3 serial",
"number",
"issuer",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"info",
"namecheap",
"server",
"registrar abuse",
"code",
"namecheap inc",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"win32 exe",
"win32 dll",
"type name",
"user",
"dns replication",
"description",
"utc submissions",
"submitters",
"cloudflarenet",
"summary iocs",
"community https",
"urls",
"amazonaes",
"china telecom",
"sector",
"export",
"cloud",
"mb opera",
"mb iesettings",
"kb acrotray",
"installer",
"samplepath",
"ssl certificate",
"whois record",
"tsara brashears",
"apple ios",
"p2404",
"malware",
"apple",
"password",
"critical risk",
"password bypass",
"core",
"hacktool",
"metro",
"download",
"critical",
"copy",
"relic",
"monitoring",
"emotet",
"tulach",
"tulach.cc",
"united",
"heur",
"team",
"firehol",
"malware site",
"cyber threat",
"malicious site",
"phishing",
"phishing site",
"malicious",
"downer",
"artemis",
"dnspionage",
"kuaizip",
"fusioncore",
"softcnapp",
"downloader",
"trojan",
"zbot",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"phishtank",
"bank",
"unsafe",
"riskware",
"alexa",
"service",
"facebook",
"presenoker",
"agent",
"stealer",
"phish",
"union",
"azorult",
"runescape",
"generic",
"crack",
"dapato",
"iframe",
"downldr",
"vidar",
"raccoon",
"remcos",
"miner",
"agenttesla",
"unknown",
"detplock",
"networm",
"win64",
"trickbot",
"telecom",
"media",
"webtoolbar",
"trojanspy",
"no data",
"tag count",
"tld count",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist https",
"pattern match",
"samuel tulach",
"file",
"localappdata",
"ascii text",
"title",
"windows",
"hyperv",
"span",
"mitre att",
"meta",
"path",
"light",
"dark",
"vmprotect",
"main",
"footer",
"body",
"class",
"hybrid",
"accept",
"local",
"click",
"strings",
"error",
"script",
"form",
"root ca",
"textarea",
"github",
"input",
"trust",
"general",
"june",
"threat roundup",
"july",
"whois whois",
"collection",
"august",
"lolkek",
"ransomware",
"ursnif",
"lockbit",
"chaos",
"quasar",
"april",
"quasar rat",
"dark power",
"swisyn",
"wiper",
"cobalt strike",
"attack",
"bitrat",
"formbook",
"qakbot",
"ransomexx",
"gootloader",
"maui ransomware",
"Cobalt Strike",
"physical threat",
"target",
"contacted circa 10.23.2023-"
],
"references": [
"tulach.cc [Adversarial Malware Attack Source]",
"http://1.116.132.182/weblogic_CVE_2020_2551.jar",
"init-p01st.push.apple.com",
"newrelic.se [Apple Collection]",
"apple-dns.net. [Apple email collection]",
"apple.com [=vaccine.com / negative http or https - insecure, malicious]",
"nr-data.net [ Hidden private Apple data collection]",
"http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]",
"www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]",
"https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter",
"114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]",
"mobile.twitter.com [titled hashtag Daisy Coleman]",
"http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]",
"12 CVE exploits posted in 'scoreblue' CVE tally",
"Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"Above Assurant link. [ Hidden privacy threats,,Transactional campaign",
"https://pin.it/ [SQLi Dumper]",
"https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt",
"msftconnecttest.com",
"ncsi-geo.trafficmanager.net =analytics.tresensa.com",
"https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]",
"104.200.22.130 Command and Control",
"aig.com",
"https://github-cloud.s3.amazonaws.com [DNS prefetch]",
"fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]",
"103.224.212.34 scanning_host",
"0-1.duckdns.org [malicious]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tsara Brashears",
"display_name": "Tsara Brashears",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Daisy Coleman",
"display_name": "Daisy Coleman",
"target": null
},
{
"id": "Twitter Malware",
"display_name": "Twitter Malware",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "CVE JAR",
"display_name": "CVE JAR",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "TrickBot - S0266",
"display_name": "TrickBot - S0266",
"target": null
},
{
"id": "Death Bitches",
"display_name": "Death Bitches",
"target": null
},
{
"id": "Bit RAT",
"display_name": "Bit RAT",
"target": null
},
{
"id": "Swisyn",
"display_name": "Swisyn",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Fusioncore",
"display_name": "Fusioncore",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Chaos",
"display_name": "Chaos",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "GootLoader",
"display_name": "GootLoader",
"target": null
},
{
"id": "Raccoon",
"display_name": "Raccoon",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "Apple Malware",
"display_name": "Apple Malware",
"target": null
},
{
"id": "FonePaw",
"display_name": "FonePaw",
"target": null
},
{
"id": "Amazon AES",
"display_name": "Amazon AES",
"target": null
},
{
"id": "Facebook HT",
"display_name": "Facebook HT",
"target": null
},
{
"id": "Ransomexx",
"display_name": "Ransomexx",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "Agent Tesla - S0331",
"display_name": "Agent Tesla - S0331",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "Dapato",
"display_name": "Dapato",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "DNSpionage",
"display_name": "DNSpionage",
"target": null
},
{
"id": "Trojan:Win32/Detplock",
"display_name": "Trojan:Win32/Detplock",
"target": "/malware/Trojan:Win32/Detplock"
},
{
"id": "Remcos",
"display_name": "Remcos",
"target": null
},
{
"id": "PwndLocker",
"display_name": "PwndLocker",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "653977171f690fb9ab978bf3",
"export_count": 46,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 641,
"domain": 2457,
"FileHash-MD5": 656,
"FileHash-SHA256": 8455,
"hostname": 2605,
"email": 3,
"URL": 5548,
"CVE": 12
},
"indicator_count": 20377,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "919 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"ncsi-geo.trafficmanager.net =analytics.tresensa.com",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]",
"https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt",
"https://github-cloud.s3.amazonaws.com [DNS prefetch]",
"https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter",
"newrelic.se [Apple Collection]",
"apple.com [=vaccine.com / negative http or https - insecure, malicious]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.",
"https://es.pornhat.com/models/the-sex-creator/",
"I am very upset. Whoever is doing this is sick.",
"nr-data.net [ Hidden private Apple data collection]",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"104.200.22.130 Command and Control",
"https://pin.it/ [SQLi Dumper]",
"fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"apple-dns.net. [Apple email collection]",
"12 CVE exploits posted in 'scoreblue' CVE tally",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"msftconnecttest.com",
"There is fear in silence or speaking out",
"Target agreed and complied with all lie detector measures.",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"If someone is believed to be a threat they have right to due process.",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]",
"https://meumundogay-com.sexogratis.page/locker",
"init-p01st.push.apple.com",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"tulach.cc [Adversarial Malware Attack Source]",
"iamrobert.com Y.A.S.",
"http://1.116.132.182/weblogic_CVE_2020_2551.jar",
"114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]",
"103.224.212.34 scanning_host",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"0-1.duckdns.org [malicious]",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"Above Assurant link. [ Hidden privacy threats,,Transactional campaign",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"aig.com",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"Can the DoD no questions asked target a SA victim",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"mobile.twitter.com [titled hashtag Daisy Coleman]",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]",
"http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz."
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Azorult",
"Agent tesla - s0331",
"Malware",
"Raccoon",
"Trojan:win32/detplock",
"Daisy coleman",
"Tulach malware",
"Twitter malware",
"Ransomexx",
"Remcos",
"Tsara brashears",
"Webtoolbar",
"Lockbit",
"Swisyn",
"Crack",
"Apnic",
"Death bitches",
"Quasar rat",
"Fusioncore",
"Qakbot",
"Pwndlocker",
"Dnspionage",
"Apple malware",
"Dark power",
"Maui ransomware",
"Chaos",
"Trojanspy",
"Trickbot - s0266",
"Fonepaw",
"Emotet",
"Lolkek",
"Bit rat",
"Zbot",
"Gootloader",
"Formbook",
"Facebook ht",
"Networm",
"Vidar",
"Artemis",
"Dapato",
"Amazon aes",
"Cve jar"
],
"industries": [],
"unique_indicators": 39992
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/opmlmanager.com",
"whois": "http://whois.domaintools.com/opmlmanager.com",
"domain": "opmlmanager.com",
"hostname": "Unavailable"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 10,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65a9b4296442cc8db50a264f",
"name": "Maui Ransomware ",
"description": "",
"modified": "2024-02-17T23:00:21.788000",
"created": "2024-01-18T23:28:41.569000",
"tags": [
"first",
"algorithm",
"v3 serial",
"number",
"issuer",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"info",
"namecheap",
"server",
"registrar abuse",
"code",
"namecheap inc",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"win32 exe",
"win32 dll",
"type name",
"user",
"dns replication",
"description",
"utc submissions",
"submitters",
"cloudflarenet",
"summary iocs",
"community https",
"urls",
"amazonaes",
"china telecom",
"sector",
"export",
"cloud",
"mb opera",
"mb iesettings",
"kb acrotray",
"installer",
"samplepath",
"ssl certificate",
"whois record",
"tsara brashears",
"apple ios",
"p2404",
"malware",
"apple",
"password",
"critical risk",
"password bypass",
"core",
"hacktool",
"metro",
"download",
"critical",
"copy",
"relic",
"monitoring",
"emotet",
"tulach",
"tulach.cc",
"united",
"heur",
"team",
"firehol",
"malware site",
"cyber threat",
"malicious site",
"phishing",
"phishing site",
"malicious",
"downer",
"artemis",
"dnspionage",
"kuaizip",
"fusioncore",
"softcnapp",
"downloader",
"trojan",
"zbot",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"phishtank",
"bank",
"unsafe",
"riskware",
"alexa",
"service",
"facebook",
"presenoker",
"agent",
"stealer",
"phish",
"union",
"azorult",
"runescape",
"generic",
"crack",
"dapato",
"iframe",
"downldr",
"vidar",
"raccoon",
"remcos",
"miner",
"agenttesla",
"unknown",
"detplock",
"networm",
"win64",
"trickbot",
"telecom",
"media",
"webtoolbar",
"trojanspy",
"no data",
"tag count",
"tld count",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist https",
"pattern match",
"samuel tulach",
"file",
"localappdata",
"ascii text",
"title",
"windows",
"hyperv",
"span",
"mitre att",
"meta",
"path",
"light",
"dark",
"vmprotect",
"main",
"footer",
"body",
"class",
"hybrid",
"accept",
"local",
"click",
"strings",
"error",
"script",
"form",
"root ca",
"textarea",
"github",
"input",
"trust",
"general",
"june",
"threat roundup",
"july",
"whois whois",
"collection",
"august",
"lolkek",
"ransomware",
"ursnif",
"lockbit",
"chaos",
"quasar",
"april",
"quasar rat",
"dark power",
"swisyn",
"wiper",
"cobalt strike",
"attack",
"bitrat",
"formbook",
"qakbot",
"ransomexx",
"gootloader",
"maui ransomware",
"Cobalt Strike",
"physical threat",
"target",
"contacted circa 10.23.2023-"
],
"references": [
"tulach.cc [Adversarial Malware Attack Source]",
"http://1.116.132.182/weblogic_CVE_2020_2551.jar",
"init-p01st.push.apple.com",
"newrelic.se [Apple Collection]",
"apple-dns.net. [Apple email collection]",
"apple.com [=vaccine.com / negative http or https - insecure, malicious]",
"nr-data.net [ Hidden private Apple data collection]",
"http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]",
"www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]",
"https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter",
"114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]",
"mobile.twitter.com [titled hashtag Daisy Coleman]",
"http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]",
"12 CVE exploits posted in 'scoreblue' CVE tally",
"Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"Above Assurant link. [ Hidden privacy threats,,Transactional campaign",
"https://pin.it/ [SQLi Dumper]",
"https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt",
"msftconnecttest.com",
"ncsi-geo.trafficmanager.net =analytics.tresensa.com",
"https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]",
"104.200.22.130 Command and Control",
"aig.com",
"https://github-cloud.s3.amazonaws.com [DNS prefetch]",
"fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]",
"103.224.212.34 scanning_host",
"0-1.duckdns.org [malicious]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tsara Brashears",
"display_name": "Tsara Brashears",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Daisy Coleman",
"display_name": "Daisy Coleman",
"target": null
},
{
"id": "Twitter Malware",
"display_name": "Twitter Malware",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "CVE JAR",
"display_name": "CVE JAR",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "TrickBot - S0266",
"display_name": "TrickBot - S0266",
"target": null
},
{
"id": "Death Bitches",
"display_name": "Death Bitches",
"target": null
},
{
"id": "Bit RAT",
"display_name": "Bit RAT",
"target": null
},
{
"id": "Swisyn",
"display_name": "Swisyn",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Fusioncore",
"display_name": "Fusioncore",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Chaos",
"display_name": "Chaos",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "GootLoader",
"display_name": "GootLoader",
"target": null
},
{
"id": "Raccoon",
"display_name": "Raccoon",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "Apple Malware",
"display_name": "Apple Malware",
"target": null
},
{
"id": "FonePaw",
"display_name": "FonePaw",
"target": null
},
{
"id": "Amazon AES",
"display_name": "Amazon AES",
"target": null
},
{
"id": "Facebook HT",
"display_name": "Facebook HT",
"target": null
},
{
"id": "Ransomexx",
"display_name": "Ransomexx",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "Agent Tesla - S0331",
"display_name": "Agent Tesla - S0331",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "Dapato",
"display_name": "Dapato",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "DNSpionage",
"display_name": "DNSpionage",
"target": null
},
{
"id": "Trojan:Win32/Detplock",
"display_name": "Trojan:Win32/Detplock",
"target": "/malware/Trojan:Win32/Detplock"
},
{
"id": "Remcos",
"display_name": "Remcos",
"target": null
},
{
"id": "PwndLocker",
"display_name": "PwndLocker",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "653977171f690fb9ab978bf3",
"export_count": 35,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 641,
"domain": 2470,
"FileHash-MD5": 656,
"FileHash-SHA256": 8634,
"hostname": 2629,
"email": 4,
"URL": 5605,
"CVE": 12
},
"indicator_count": 20651,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "833 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65a9b87d2d435bdad9ce80a3",
"name": "Racoon Stealer ",
"description": "",
"modified": "2024-02-17T23:00:21.788000",
"created": "2024-01-18T23:47:09.818000",
"tags": [
"first",
"algorithm",
"v3 serial",
"number",
"issuer",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"info",
"namecheap",
"server",
"registrar abuse",
"code",
"namecheap inc",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"win32 exe",
"win32 dll",
"type name",
"user",
"dns replication",
"description",
"utc submissions",
"submitters",
"cloudflarenet",
"summary iocs",
"community https",
"urls",
"amazonaes",
"china telecom",
"sector",
"export",
"cloud",
"mb opera",
"mb iesettings",
"kb acrotray",
"installer",
"samplepath",
"ssl certificate",
"whois record",
"tsara brashears",
"apple ios",
"p2404",
"malware",
"apple",
"password",
"critical risk",
"password bypass",
"core",
"hacktool",
"metro",
"download",
"critical",
"copy",
"relic",
"monitoring",
"emotet",
"tulach",
"tulach.cc",
"united",
"heur",
"team",
"firehol",
"malware site",
"cyber threat",
"malicious site",
"phishing",
"phishing site",
"malicious",
"downer",
"artemis",
"dnspionage",
"kuaizip",
"fusioncore",
"softcnapp",
"downloader",
"trojan",
"zbot",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"phishtank",
"bank",
"unsafe",
"riskware",
"alexa",
"service",
"facebook",
"presenoker",
"agent",
"stealer",
"phish",
"union",
"azorult",
"runescape",
"generic",
"crack",
"dapato",
"iframe",
"downldr",
"vidar",
"raccoon",
"remcos",
"miner",
"agenttesla",
"unknown",
"detplock",
"networm",
"win64",
"trickbot",
"telecom",
"media",
"webtoolbar",
"trojanspy",
"no data",
"tag count",
"tld count",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist https",
"pattern match",
"samuel tulach",
"file",
"localappdata",
"ascii text",
"title",
"windows",
"hyperv",
"span",
"mitre att",
"meta",
"path",
"light",
"dark",
"vmprotect",
"main",
"footer",
"body",
"class",
"hybrid",
"accept",
"local",
"click",
"strings",
"error",
"script",
"form",
"root ca",
"textarea",
"github",
"input",
"trust",
"general",
"june",
"threat roundup",
"july",
"whois whois",
"collection",
"august",
"lolkek",
"ransomware",
"ursnif",
"lockbit",
"chaos",
"quasar",
"april",
"quasar rat",
"dark power",
"swisyn",
"wiper",
"cobalt strike",
"attack",
"bitrat",
"formbook",
"qakbot",
"ransomexx",
"gootloader",
"maui ransomware",
"Cobalt Strike",
"physical threat",
"target",
"contacted circa 10.23.2023-"
],
"references": [
"tulach.cc [Adversarial Malware Attack Source]",
"http://1.116.132.182/weblogic_CVE_2020_2551.jar",
"init-p01st.push.apple.com",
"newrelic.se [Apple Collection]",
"apple-dns.net. [Apple email collection]",
"apple.com [=vaccine.com / negative http or https - insecure, malicious]",
"nr-data.net [ Hidden private Apple data collection]",
"http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]",
"www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]",
"https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter",
"114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]",
"mobile.twitter.com [titled hashtag Daisy Coleman]",
"http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]",
"12 CVE exploits posted in 'scoreblue' CVE tally",
"Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"Above Assurant link. [ Hidden privacy threats,,Transactional campaign",
"https://pin.it/ [SQLi Dumper]",
"https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt",
"msftconnecttest.com",
"ncsi-geo.trafficmanager.net =analytics.tresensa.com",
"https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]",
"104.200.22.130 Command and Control",
"aig.com",
"https://github-cloud.s3.amazonaws.com [DNS prefetch]",
"fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]",
"103.224.212.34 scanning_host",
"0-1.duckdns.org [malicious]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tsara Brashears",
"display_name": "Tsara Brashears",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Daisy Coleman",
"display_name": "Daisy Coleman",
"target": null
},
{
"id": "Twitter Malware",
"display_name": "Twitter Malware",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "CVE JAR",
"display_name": "CVE JAR",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "TrickBot - S0266",
"display_name": "TrickBot - S0266",
"target": null
},
{
"id": "Death Bitches",
"display_name": "Death Bitches",
"target": null
},
{
"id": "Bit RAT",
"display_name": "Bit RAT",
"target": null
},
{
"id": "Swisyn",
"display_name": "Swisyn",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Fusioncore",
"display_name": "Fusioncore",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Chaos",
"display_name": "Chaos",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "GootLoader",
"display_name": "GootLoader",
"target": null
},
{
"id": "Raccoon",
"display_name": "Raccoon",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "Apple Malware",
"display_name": "Apple Malware",
"target": null
},
{
"id": "FonePaw",
"display_name": "FonePaw",
"target": null
},
{
"id": "Amazon AES",
"display_name": "Amazon AES",
"target": null
},
{
"id": "Facebook HT",
"display_name": "Facebook HT",
"target": null
},
{
"id": "Ransomexx",
"display_name": "Ransomexx",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "Agent Tesla - S0331",
"display_name": "Agent Tesla - S0331",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "Dapato",
"display_name": "Dapato",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "DNSpionage",
"display_name": "DNSpionage",
"target": null
},
{
"id": "Trojan:Win32/Detplock",
"display_name": "Trojan:Win32/Detplock",
"target": "/malware/Trojan:Win32/Detplock"
},
{
"id": "Remcos",
"display_name": "Remcos",
"target": null
},
{
"id": "PwndLocker",
"display_name": "PwndLocker",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65a9b4296442cc8db50a264f",
"export_count": 38,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 641,
"domain": 2470,
"FileHash-MD5": 656,
"FileHash-SHA256": 8634,
"hostname": 2629,
"email": 4,
"URL": 5605,
"CVE": 12
},
"indicator_count": 20651,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "833 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65aab8eb55243c504a2cb4c0",
"name": "Maui Ransomware",
"description": "",
"modified": "2024-02-17T23:00:21.788000",
"created": "2024-01-19T18:01:15.365000",
"tags": [
"first",
"algorithm",
"v3 serial",
"number",
"issuer",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"info",
"namecheap",
"server",
"registrar abuse",
"code",
"namecheap inc",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"win32 exe",
"win32 dll",
"type name",
"user",
"dns replication",
"description",
"utc submissions",
"submitters",
"cloudflarenet",
"summary iocs",
"community https",
"urls",
"amazonaes",
"china telecom",
"sector",
"export",
"cloud",
"mb opera",
"mb iesettings",
"kb acrotray",
"installer",
"samplepath",
"ssl certificate",
"whois record",
"tsara brashears",
"apple ios",
"p2404",
"malware",
"apple",
"password",
"critical risk",
"password bypass",
"core",
"hacktool",
"metro",
"download",
"critical",
"copy",
"relic",
"monitoring",
"emotet",
"tulach",
"tulach.cc",
"united",
"heur",
"team",
"firehol",
"malware site",
"cyber threat",
"malicious site",
"phishing",
"phishing site",
"malicious",
"downer",
"artemis",
"dnspionage",
"kuaizip",
"fusioncore",
"softcnapp",
"downloader",
"trojan",
"zbot",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"phishtank",
"bank",
"unsafe",
"riskware",
"alexa",
"service",
"facebook",
"presenoker",
"agent",
"stealer",
"phish",
"union",
"azorult",
"runescape",
"generic",
"crack",
"dapato",
"iframe",
"downldr",
"vidar",
"raccoon",
"remcos",
"miner",
"agenttesla",
"unknown",
"detplock",
"networm",
"win64",
"trickbot",
"telecom",
"media",
"webtoolbar",
"trojanspy",
"no data",
"tag count",
"tld count",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist https",
"pattern match",
"samuel tulach",
"file",
"localappdata",
"ascii text",
"title",
"windows",
"hyperv",
"span",
"mitre att",
"meta",
"path",
"light",
"dark",
"vmprotect",
"main",
"footer",
"body",
"class",
"hybrid",
"accept",
"local",
"click",
"strings",
"error",
"script",
"form",
"root ca",
"textarea",
"github",
"input",
"trust",
"general",
"june",
"threat roundup",
"july",
"whois whois",
"collection",
"august",
"lolkek",
"ransomware",
"ursnif",
"lockbit",
"chaos",
"quasar",
"april",
"quasar rat",
"dark power",
"swisyn",
"wiper",
"cobalt strike",
"attack",
"bitrat",
"formbook",
"qakbot",
"ransomexx",
"gootloader",
"maui ransomware",
"Cobalt Strike",
"physical threat",
"target",
"contacted circa 10.23.2023-"
],
"references": [
"tulach.cc [Adversarial Malware Attack Source]",
"http://1.116.132.182/weblogic_CVE_2020_2551.jar",
"init-p01st.push.apple.com",
"newrelic.se [Apple Collection]",
"apple-dns.net. [Apple email collection]",
"apple.com [=vaccine.com / negative http or https - insecure, malicious]",
"nr-data.net [ Hidden private Apple data collection]",
"http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]",
"www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]",
"https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter",
"114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]",
"mobile.twitter.com [titled hashtag Daisy Coleman]",
"http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]",
"12 CVE exploits posted in 'scoreblue' CVE tally",
"Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"Above Assurant link. [ Hidden privacy threats,,Transactional campaign",
"https://pin.it/ [SQLi Dumper]",
"https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt",
"msftconnecttest.com",
"ncsi-geo.trafficmanager.net =analytics.tresensa.com",
"https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]",
"104.200.22.130 Command and Control",
"aig.com",
"https://github-cloud.s3.amazonaws.com [DNS prefetch]",
"fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]",
"103.224.212.34 scanning_host",
"0-1.duckdns.org [malicious]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tsara Brashears",
"display_name": "Tsara Brashears",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Daisy Coleman",
"display_name": "Daisy Coleman",
"target": null
},
{
"id": "Twitter Malware",
"display_name": "Twitter Malware",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "CVE JAR",
"display_name": "CVE JAR",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "TrickBot - S0266",
"display_name": "TrickBot - S0266",
"target": null
},
{
"id": "Death Bitches",
"display_name": "Death Bitches",
"target": null
},
{
"id": "Bit RAT",
"display_name": "Bit RAT",
"target": null
},
{
"id": "Swisyn",
"display_name": "Swisyn",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Fusioncore",
"display_name": "Fusioncore",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Chaos",
"display_name": "Chaos",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "GootLoader",
"display_name": "GootLoader",
"target": null
},
{
"id": "Raccoon",
"display_name": "Raccoon",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "Apple Malware",
"display_name": "Apple Malware",
"target": null
},
{
"id": "FonePaw",
"display_name": "FonePaw",
"target": null
},
{
"id": "Amazon AES",
"display_name": "Amazon AES",
"target": null
},
{
"id": "Facebook HT",
"display_name": "Facebook HT",
"target": null
},
{
"id": "Ransomexx",
"display_name": "Ransomexx",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "Agent Tesla - S0331",
"display_name": "Agent Tesla - S0331",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "Dapato",
"display_name": "Dapato",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "DNSpionage",
"display_name": "DNSpionage",
"target": null
},
{
"id": "Trojan:Win32/Detplock",
"display_name": "Trojan:Win32/Detplock",
"target": "/malware/Trojan:Win32/Detplock"
},
{
"id": "Remcos",
"display_name": "Remcos",
"target": null
},
{
"id": "PwndLocker",
"display_name": "PwndLocker",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65a9b4296442cc8db50a264f",
"export_count": 44,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 641,
"domain": 2470,
"FileHash-MD5": 656,
"FileHash-SHA256": 8634,
"hostname": 2629,
"email": 4,
"URL": 5605,
"CVE": 12
},
"indicator_count": 20651,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "833 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65afcb842689eb776c0737e5",
"name": "Maui Ransomware",
"description": "",
"modified": "2024-02-17T23:00:21.788000",
"created": "2024-01-23T14:21:56.725000",
"tags": [
"first",
"algorithm",
"v3 serial",
"number",
"issuer",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"info",
"namecheap",
"server",
"registrar abuse",
"code",
"namecheap inc",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"win32 exe",
"win32 dll",
"type name",
"user",
"dns replication",
"description",
"utc submissions",
"submitters",
"cloudflarenet",
"summary iocs",
"community https",
"urls",
"amazonaes",
"china telecom",
"sector",
"export",
"cloud",
"mb opera",
"mb iesettings",
"kb acrotray",
"installer",
"samplepath",
"ssl certificate",
"whois record",
"tsara brashears",
"apple ios",
"p2404",
"malware",
"apple",
"password",
"critical risk",
"password bypass",
"core",
"hacktool",
"metro",
"download",
"critical",
"copy",
"relic",
"monitoring",
"emotet",
"tulach",
"tulach.cc",
"united",
"heur",
"team",
"firehol",
"malware site",
"cyber threat",
"malicious site",
"phishing",
"phishing site",
"malicious",
"downer",
"artemis",
"dnspionage",
"kuaizip",
"fusioncore",
"softcnapp",
"downloader",
"trojan",
"zbot",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"phishtank",
"bank",
"unsafe",
"riskware",
"alexa",
"service",
"facebook",
"presenoker",
"agent",
"stealer",
"phish",
"union",
"azorult",
"runescape",
"generic",
"crack",
"dapato",
"iframe",
"downldr",
"vidar",
"raccoon",
"remcos",
"miner",
"agenttesla",
"unknown",
"detplock",
"networm",
"win64",
"trickbot",
"telecom",
"media",
"webtoolbar",
"trojanspy",
"no data",
"tag count",
"tld count",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist https",
"pattern match",
"samuel tulach",
"file",
"localappdata",
"ascii text",
"title",
"windows",
"hyperv",
"span",
"mitre att",
"meta",
"path",
"light",
"dark",
"vmprotect",
"main",
"footer",
"body",
"class",
"hybrid",
"accept",
"local",
"click",
"strings",
"error",
"script",
"form",
"root ca",
"textarea",
"github",
"input",
"trust",
"general",
"june",
"threat roundup",
"july",
"whois whois",
"collection",
"august",
"lolkek",
"ransomware",
"ursnif",
"lockbit",
"chaos",
"quasar",
"april",
"quasar rat",
"dark power",
"swisyn",
"wiper",
"cobalt strike",
"attack",
"bitrat",
"formbook",
"qakbot",
"ransomexx",
"gootloader",
"maui ransomware",
"Cobalt Strike",
"physical threat",
"target",
"contacted circa 10.23.2023-"
],
"references": [
"tulach.cc [Adversarial Malware Attack Source]",
"http://1.116.132.182/weblogic_CVE_2020_2551.jar",
"init-p01st.push.apple.com",
"newrelic.se [Apple Collection]",
"apple-dns.net. [Apple email collection]",
"apple.com [=vaccine.com / negative http or https - insecure, malicious]",
"nr-data.net [ Hidden private Apple data collection]",
"http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]",
"www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]",
"https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter",
"114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]",
"mobile.twitter.com [titled hashtag Daisy Coleman]",
"http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]",
"12 CVE exploits posted in 'scoreblue' CVE tally",
"Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"Above Assurant link. [ Hidden privacy threats,,Transactional campaign",
"https://pin.it/ [SQLi Dumper]",
"https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt",
"msftconnecttest.com",
"ncsi-geo.trafficmanager.net =analytics.tresensa.com",
"https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]",
"104.200.22.130 Command and Control",
"aig.com",
"https://github-cloud.s3.amazonaws.com [DNS prefetch]",
"fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]",
"103.224.212.34 scanning_host",
"0-1.duckdns.org [malicious]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tsara Brashears",
"display_name": "Tsara Brashears",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Daisy Coleman",
"display_name": "Daisy Coleman",
"target": null
},
{
"id": "Twitter Malware",
"display_name": "Twitter Malware",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "CVE JAR",
"display_name": "CVE JAR",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "TrickBot - S0266",
"display_name": "TrickBot - S0266",
"target": null
},
{
"id": "Death Bitches",
"display_name": "Death Bitches",
"target": null
},
{
"id": "Bit RAT",
"display_name": "Bit RAT",
"target": null
},
{
"id": "Swisyn",
"display_name": "Swisyn",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Fusioncore",
"display_name": "Fusioncore",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Chaos",
"display_name": "Chaos",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "GootLoader",
"display_name": "GootLoader",
"target": null
},
{
"id": "Raccoon",
"display_name": "Raccoon",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "Apple Malware",
"display_name": "Apple Malware",
"target": null
},
{
"id": "FonePaw",
"display_name": "FonePaw",
"target": null
},
{
"id": "Amazon AES",
"display_name": "Amazon AES",
"target": null
},
{
"id": "Facebook HT",
"display_name": "Facebook HT",
"target": null
},
{
"id": "Ransomexx",
"display_name": "Ransomexx",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "Agent Tesla - S0331",
"display_name": "Agent Tesla - S0331",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "Dapato",
"display_name": "Dapato",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "DNSpionage",
"display_name": "DNSpionage",
"target": null
},
{
"id": "Trojan:Win32/Detplock",
"display_name": "Trojan:Win32/Detplock",
"target": "/malware/Trojan:Win32/Detplock"
},
{
"id": "Remcos",
"display_name": "Remcos",
"target": null
},
{
"id": "PwndLocker",
"display_name": "PwndLocker",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65aab8eb55243c504a2cb4c0",
"export_count": 51,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 641,
"domain": 2470,
"FileHash-MD5": 656,
"FileHash-SHA256": 8634,
"hostname": 2629,
"email": 4,
"URL": 5605,
"CVE": 12
},
"indicator_count": 20651,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "833 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653960d6d09796c4ba4c1e90",
"name": "CVE JAR Found | Massive active Malicious | unlatched issues",
"description": "Monitoring Tsara Brashears - Extreme cyber attack against documented as alleged SA victim. Non-Adversarial Tsara Brashears inflicted with highly malicious Malware auto populated. Massive online attack on Tsara Brashears defaced digital profile. Attacks primarily by Adversarial Tulach malware.\nDaisy Coleman [deceased] moderate malware attack against target a documented SA survivor.\nThis is a revenge attacker. \nPhysical harm imminence [HIGH] SOS\nEdward Snowden speaks of similar attacks against American citizen. Was target warned of malware status or massive attack. Made aware of Botnet by any authority?",
"modified": "2023-11-24T12:03:49.398000",
"created": "2023-10-25T18:39:18.723000",
"tags": [
"first",
"algorithm",
"v3 serial",
"number",
"issuer",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"info",
"namecheap",
"server",
"registrar abuse",
"code",
"namecheap inc",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"win32 exe",
"win32 dll",
"type name",
"user",
"dns replication",
"description",
"utc submissions",
"submitters",
"cloudflarenet",
"summary iocs",
"community https",
"urls",
"amazonaes",
"china telecom",
"sector",
"export",
"cloud",
"mb opera",
"mb iesettings",
"kb acrotray",
"installer",
"samplepath",
"ssl certificate",
"whois record",
"tsara brashears",
"apple ios",
"p2404",
"malware",
"apple",
"password",
"critical risk",
"password bypass",
"core",
"hacktool",
"metro",
"download",
"critical",
"copy",
"relic",
"monitoring",
"emotet",
"tulach",
"tulach.cc",
"united",
"heur",
"team",
"firehol",
"malware site",
"cyber threat",
"malicious site",
"phishing",
"phishing site",
"malicious",
"downer",
"artemis",
"dnspionage",
"kuaizip",
"fusioncore",
"softcnapp",
"downloader",
"trojan",
"zbot",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"phishtank",
"bank",
"unsafe",
"riskware",
"alexa",
"service",
"facebook",
"presenoker",
"agent",
"stealer",
"phish",
"union",
"azorult",
"runescape",
"generic",
"crack",
"dapato",
"iframe",
"downldr",
"vidar",
"raccoon",
"remcos",
"miner",
"agenttesla",
"unknown",
"detplock",
"networm",
"win64",
"trickbot",
"telecom",
"media",
"webtoolbar",
"trojanspy",
"no data",
"tag count",
"tld count",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist https",
"pattern match",
"samuel tulach",
"file",
"localappdata",
"ascii text",
"title",
"windows",
"hyperv",
"span",
"mitre att",
"meta",
"path",
"light",
"dark",
"vmprotect",
"main",
"footer",
"body",
"class",
"hybrid",
"accept",
"local",
"click",
"strings",
"error",
"script",
"form",
"root ca",
"textarea",
"github",
"input",
"trust",
"general",
"june",
"threat roundup",
"july",
"whois whois",
"collection",
"august",
"lolkek",
"ransomware",
"ursnif",
"lockbit",
"chaos",
"quasar",
"april",
"quasar rat",
"dark power",
"swisyn",
"wiper",
"cobalt strike",
"attack",
"bitrat",
"formbook",
"qakbot",
"ransomexx",
"gootloader",
"maui ransomware",
"Cobalt Strike",
"physical threat",
"target",
"contacted circa 10.23.2023-"
],
"references": [
"tulach.cc [Adversarial Malware Attack Source]",
"http://1.116.132.182/weblogic_CVE_2020_2551.jar",
"init-p01st.push.apple.com",
"newrelic.se [Apple Collection]",
"apple-dns.net. [Apple email collection]",
"apple.com [=vaccine.com / negative http or https - insecure, malicious]",
"nr-data.net [ Hidden private Apple data collection]",
"http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]",
"www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]",
"https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter",
"114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]",
"mobile.twitter.com [titled hashtag Daisy Coleman]",
"http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]",
"12 CVE exploits posted in 'scoreblue' CVE tally",
"Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"Above Assurant link. [ Hidden privacy threats,,Transactional campaign",
"https://pin.it/ [SQLi Dumper]",
"https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt",
"msftconnecttest.com",
"ncsi-geo.trafficmanager.net =analytics.tresensa.com",
"https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]",
"104.200.22.130 Command and Control",
"aig.com",
"https://github-cloud.s3.amazonaws.com [DNS prefetch]",
"fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]",
"103.224.212.34 scanning_host",
"0-1.duckdns.org [malicious]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tsara Brashears",
"display_name": "Tsara Brashears",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Daisy Coleman",
"display_name": "Daisy Coleman",
"target": null
},
{
"id": "Twitter Malware",
"display_name": "Twitter Malware",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "CVE JAR",
"display_name": "CVE JAR",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "TrickBot - S0266",
"display_name": "TrickBot - S0266",
"target": null
},
{
"id": "Death Bitches",
"display_name": "Death Bitches",
"target": null
},
{
"id": "Bit RAT",
"display_name": "Bit RAT",
"target": null
},
{
"id": "Swisyn",
"display_name": "Swisyn",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Fusioncore",
"display_name": "Fusioncore",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Chaos",
"display_name": "Chaos",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "GootLoader",
"display_name": "GootLoader",
"target": null
},
{
"id": "Raccoon",
"display_name": "Raccoon",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "Apple Malware",
"display_name": "Apple Malware",
"target": null
},
{
"id": "FonePaw",
"display_name": "FonePaw",
"target": null
},
{
"id": "Amazon AES",
"display_name": "Amazon AES",
"target": null
},
{
"id": "Facebook HT",
"display_name": "Facebook HT",
"target": null
},
{
"id": "Ransomexx",
"display_name": "Ransomexx",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "Agent Tesla - S0331",
"display_name": "Agent Tesla - S0331",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "Dapato",
"display_name": "Dapato",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "DNSpionage",
"display_name": "DNSpionage",
"target": null
},
{
"id": "Trojan:Win32/Detplock",
"display_name": "Trojan:Win32/Detplock",
"target": "/malware/Trojan:Win32/Detplock"
},
{
"id": "Remcos",
"display_name": "Remcos",
"target": null
},
{
"id": "PwndLocker",
"display_name": "PwndLocker",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 61,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 641,
"domain": 2295,
"FileHash-MD5": 656,
"FileHash-SHA256": 7727,
"hostname": 2252,
"email": 3,
"URL": 4406,
"CVE": 10
},
"indicator_count": 17990,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "919 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653977171f690fb9ab978bf3",
"name": "Speechless | Critical",
"description": "Cyber threat. Target Tsara Brashears is now Tsara Brashears Malware. Looks like an investigation, might be a legitimate investigation. I have no insight as to whether investigation is warranted, staged, or silencing?? \nVerdict:\nAdversarial monitoring, harassment, Libel, cyber crime by a genius exploiting regulations and escalation privileges. Target at high risk.",
"modified": "2023-11-24T12:03:49.398000",
"created": "2023-10-25T20:14:14.532000",
"tags": [
"first",
"algorithm",
"v3 serial",
"number",
"issuer",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"info",
"namecheap",
"server",
"registrar abuse",
"code",
"namecheap inc",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"win32 exe",
"win32 dll",
"type name",
"user",
"dns replication",
"description",
"utc submissions",
"submitters",
"cloudflarenet",
"summary iocs",
"community https",
"urls",
"amazonaes",
"china telecom",
"sector",
"export",
"cloud",
"mb opera",
"mb iesettings",
"kb acrotray",
"installer",
"samplepath",
"ssl certificate",
"whois record",
"tsara brashears",
"apple ios",
"p2404",
"malware",
"apple",
"password",
"critical risk",
"password bypass",
"core",
"hacktool",
"metro",
"download",
"critical",
"copy",
"relic",
"monitoring",
"emotet",
"tulach",
"tulach.cc",
"united",
"heur",
"team",
"firehol",
"malware site",
"cyber threat",
"malicious site",
"phishing",
"phishing site",
"malicious",
"downer",
"artemis",
"dnspionage",
"kuaizip",
"fusioncore",
"softcnapp",
"downloader",
"trojan",
"zbot",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"phishtank",
"bank",
"unsafe",
"riskware",
"alexa",
"service",
"facebook",
"presenoker",
"agent",
"stealer",
"phish",
"union",
"azorult",
"runescape",
"generic",
"crack",
"dapato",
"iframe",
"downldr",
"vidar",
"raccoon",
"remcos",
"miner",
"agenttesla",
"unknown",
"detplock",
"networm",
"win64",
"trickbot",
"telecom",
"media",
"webtoolbar",
"trojanspy",
"no data",
"tag count",
"tld count",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist https",
"pattern match",
"samuel tulach",
"file",
"localappdata",
"ascii text",
"title",
"windows",
"hyperv",
"span",
"mitre att",
"meta",
"path",
"light",
"dark",
"vmprotect",
"main",
"footer",
"body",
"class",
"hybrid",
"accept",
"local",
"click",
"strings",
"error",
"script",
"form",
"root ca",
"textarea",
"github",
"input",
"trust",
"general",
"june",
"threat roundup",
"july",
"whois whois",
"collection",
"august",
"lolkek",
"ransomware",
"ursnif",
"lockbit",
"chaos",
"quasar",
"april",
"quasar rat",
"dark power",
"swisyn",
"wiper",
"cobalt strike",
"attack",
"bitrat",
"formbook",
"qakbot",
"ransomexx",
"gootloader",
"maui ransomware",
"Cobalt Strike",
"physical threat",
"target",
"contacted circa 10.23.2023-"
],
"references": [
"tulach.cc [Adversarial Malware Attack Source]",
"http://1.116.132.182/weblogic_CVE_2020_2551.jar",
"init-p01st.push.apple.com",
"newrelic.se [Apple Collection]",
"apple-dns.net. [Apple email collection]",
"apple.com [=vaccine.com / negative http or https - insecure, malicious]",
"nr-data.net [ Hidden private Apple data collection]",
"http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]",
"www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]",
"https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter",
"114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]",
"mobile.twitter.com [titled hashtag Daisy Coleman]",
"http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]",
"12 CVE exploits posted in 'scoreblue' CVE tally",
"Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"Above Assurant link. [ Hidden privacy threats,,Transactional campaign",
"https://pin.it/ [SQLi Dumper]",
"https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt",
"msftconnecttest.com",
"ncsi-geo.trafficmanager.net =analytics.tresensa.com",
"https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]",
"104.200.22.130 Command and Control",
"aig.com",
"https://github-cloud.s3.amazonaws.com [DNS prefetch]",
"fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]",
"103.224.212.34 scanning_host",
"0-1.duckdns.org [malicious]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tsara Brashears",
"display_name": "Tsara Brashears",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Daisy Coleman",
"display_name": "Daisy Coleman",
"target": null
},
{
"id": "Twitter Malware",
"display_name": "Twitter Malware",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "CVE JAR",
"display_name": "CVE JAR",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "TrickBot - S0266",
"display_name": "TrickBot - S0266",
"target": null
},
{
"id": "Death Bitches",
"display_name": "Death Bitches",
"target": null
},
{
"id": "Bit RAT",
"display_name": "Bit RAT",
"target": null
},
{
"id": "Swisyn",
"display_name": "Swisyn",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Fusioncore",
"display_name": "Fusioncore",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Chaos",
"display_name": "Chaos",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "GootLoader",
"display_name": "GootLoader",
"target": null
},
{
"id": "Raccoon",
"display_name": "Raccoon",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "Apple Malware",
"display_name": "Apple Malware",
"target": null
},
{
"id": "FonePaw",
"display_name": "FonePaw",
"target": null
},
{
"id": "Amazon AES",
"display_name": "Amazon AES",
"target": null
},
{
"id": "Facebook HT",
"display_name": "Facebook HT",
"target": null
},
{
"id": "Ransomexx",
"display_name": "Ransomexx",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "Agent Tesla - S0331",
"display_name": "Agent Tesla - S0331",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "Dapato",
"display_name": "Dapato",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "DNSpionage",
"display_name": "DNSpionage",
"target": null
},
{
"id": "Trojan:Win32/Detplock",
"display_name": "Trojan:Win32/Detplock",
"target": "/malware/Trojan:Win32/Detplock"
},
{
"id": "Remcos",
"display_name": "Remcos",
"target": null
},
{
"id": "PwndLocker",
"display_name": "PwndLocker",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 57,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 641,
"domain": 2457,
"FileHash-MD5": 656,
"FileHash-SHA256": 8455,
"hostname": 2605,
"email": 3,
"URL": 5548,
"CVE": 12
},
"indicator_count": 20377,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "919 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653f2100b535d359accfc3a6",
"name": "CVE JAR Found | Massive active Malicious | Tulach & AIG associated | Scam",
"description": "",
"modified": "2023-11-24T12:03:49.398000",
"created": "2023-10-30T03:20:32.349000",
"tags": [
"first",
"algorithm",
"v3 serial",
"number",
"issuer",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"info",
"namecheap",
"server",
"registrar abuse",
"code",
"namecheap inc",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"win32 exe",
"win32 dll",
"type name",
"user",
"dns replication",
"description",
"utc submissions",
"submitters",
"cloudflarenet",
"summary iocs",
"community https",
"urls",
"amazonaes",
"china telecom",
"sector",
"export",
"cloud",
"mb opera",
"mb iesettings",
"kb acrotray",
"installer",
"samplepath",
"ssl certificate",
"whois record",
"tsara brashears",
"apple ios",
"p2404",
"malware",
"apple",
"password",
"critical risk",
"password bypass",
"core",
"hacktool",
"metro",
"download",
"critical",
"copy",
"relic",
"monitoring",
"emotet",
"tulach",
"tulach.cc",
"united",
"heur",
"team",
"firehol",
"malware site",
"cyber threat",
"malicious site",
"phishing",
"phishing site",
"malicious",
"downer",
"artemis",
"dnspionage",
"kuaizip",
"fusioncore",
"softcnapp",
"downloader",
"trojan",
"zbot",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"phishtank",
"bank",
"unsafe",
"riskware",
"alexa",
"service",
"facebook",
"presenoker",
"agent",
"stealer",
"phish",
"union",
"azorult",
"runescape",
"generic",
"crack",
"dapato",
"iframe",
"downldr",
"vidar",
"raccoon",
"remcos",
"miner",
"agenttesla",
"unknown",
"detplock",
"networm",
"win64",
"trickbot",
"telecom",
"media",
"webtoolbar",
"trojanspy",
"no data",
"tag count",
"tld count",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist https",
"pattern match",
"samuel tulach",
"file",
"localappdata",
"ascii text",
"title",
"windows",
"hyperv",
"span",
"mitre att",
"meta",
"path",
"light",
"dark",
"vmprotect",
"main",
"footer",
"body",
"class",
"hybrid",
"accept",
"local",
"click",
"strings",
"error",
"script",
"form",
"root ca",
"textarea",
"github",
"input",
"trust",
"general",
"june",
"threat roundup",
"july",
"whois whois",
"collection",
"august",
"lolkek",
"ransomware",
"ursnif",
"lockbit",
"chaos",
"quasar",
"april",
"quasar rat",
"dark power",
"swisyn",
"wiper",
"cobalt strike",
"attack",
"bitrat",
"formbook",
"qakbot",
"ransomexx",
"gootloader",
"maui ransomware",
"Cobalt Strike",
"physical threat",
"target",
"contacted circa 10.23.2023-"
],
"references": [
"tulach.cc [Adversarial Malware Attack Source]",
"http://1.116.132.182/weblogic_CVE_2020_2551.jar",
"init-p01st.push.apple.com",
"newrelic.se [Apple Collection]",
"apple-dns.net. [Apple email collection]",
"apple.com [=vaccine.com / negative http or https - insecure, malicious]",
"nr-data.net [ Hidden private Apple data collection]",
"http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]",
"www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]",
"https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter",
"114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]",
"mobile.twitter.com [titled hashtag Daisy Coleman]",
"http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]",
"12 CVE exploits posted in 'scoreblue' CVE tally",
"Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"Above Assurant link. [ Hidden privacy threats,,Transactional campaign",
"https://pin.it/ [SQLi Dumper]",
"https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt",
"msftconnecttest.com",
"ncsi-geo.trafficmanager.net =analytics.tresensa.com",
"https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]",
"104.200.22.130 Command and Control",
"aig.com",
"https://github-cloud.s3.amazonaws.com [DNS prefetch]",
"fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]",
"103.224.212.34 scanning_host",
"0-1.duckdns.org [malicious]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tsara Brashears",
"display_name": "Tsara Brashears",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Daisy Coleman",
"display_name": "Daisy Coleman",
"target": null
},
{
"id": "Twitter Malware",
"display_name": "Twitter Malware",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "CVE JAR",
"display_name": "CVE JAR",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "TrickBot - S0266",
"display_name": "TrickBot - S0266",
"target": null
},
{
"id": "Death Bitches",
"display_name": "Death Bitches",
"target": null
},
{
"id": "Bit RAT",
"display_name": "Bit RAT",
"target": null
},
{
"id": "Swisyn",
"display_name": "Swisyn",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Fusioncore",
"display_name": "Fusioncore",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Chaos",
"display_name": "Chaos",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "GootLoader",
"display_name": "GootLoader",
"target": null
},
{
"id": "Raccoon",
"display_name": "Raccoon",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "Apple Malware",
"display_name": "Apple Malware",
"target": null
},
{
"id": "FonePaw",
"display_name": "FonePaw",
"target": null
},
{
"id": "Amazon AES",
"display_name": "Amazon AES",
"target": null
},
{
"id": "Facebook HT",
"display_name": "Facebook HT",
"target": null
},
{
"id": "Ransomexx",
"display_name": "Ransomexx",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "Agent Tesla - S0331",
"display_name": "Agent Tesla - S0331",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "Dapato",
"display_name": "Dapato",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "DNSpionage",
"display_name": "DNSpionage",
"target": null
},
{
"id": "Trojan:Win32/Detplock",
"display_name": "Trojan:Win32/Detplock",
"target": "/malware/Trojan:Win32/Detplock"
},
{
"id": "Remcos",
"display_name": "Remcos",
"target": null
},
{
"id": "PwndLocker",
"display_name": "PwndLocker",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "653960d6d09796c4ba4c1e90",
"export_count": 43,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 641,
"domain": 2295,
"FileHash-MD5": 656,
"FileHash-SHA256": 7727,
"hostname": 2252,
"email": 3,
"URL": 4406,
"CVE": 10
},
"indicator_count": 17990,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "919 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653f219ce051cf01e9a6be8b",
"name": "Speechless | Critical",
"description": "",
"modified": "2023-11-24T12:03:49.398000",
"created": "2023-10-30T03:23:08.790000",
"tags": [
"first",
"algorithm",
"v3 serial",
"number",
"issuer",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"info",
"namecheap",
"server",
"registrar abuse",
"code",
"namecheap inc",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"win32 exe",
"win32 dll",
"type name",
"user",
"dns replication",
"description",
"utc submissions",
"submitters",
"cloudflarenet",
"summary iocs",
"community https",
"urls",
"amazonaes",
"china telecom",
"sector",
"export",
"cloud",
"mb opera",
"mb iesettings",
"kb acrotray",
"installer",
"samplepath",
"ssl certificate",
"whois record",
"tsara brashears",
"apple ios",
"p2404",
"malware",
"apple",
"password",
"critical risk",
"password bypass",
"core",
"hacktool",
"metro",
"download",
"critical",
"copy",
"relic",
"monitoring",
"emotet",
"tulach",
"tulach.cc",
"united",
"heur",
"team",
"firehol",
"malware site",
"cyber threat",
"malicious site",
"phishing",
"phishing site",
"malicious",
"downer",
"artemis",
"dnspionage",
"kuaizip",
"fusioncore",
"softcnapp",
"downloader",
"trojan",
"zbot",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"phishtank",
"bank",
"unsafe",
"riskware",
"alexa",
"service",
"facebook",
"presenoker",
"agent",
"stealer",
"phish",
"union",
"azorult",
"runescape",
"generic",
"crack",
"dapato",
"iframe",
"downldr",
"vidar",
"raccoon",
"remcos",
"miner",
"agenttesla",
"unknown",
"detplock",
"networm",
"win64",
"trickbot",
"telecom",
"media",
"webtoolbar",
"trojanspy",
"no data",
"tag count",
"tld count",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist https",
"pattern match",
"samuel tulach",
"file",
"localappdata",
"ascii text",
"title",
"windows",
"hyperv",
"span",
"mitre att",
"meta",
"path",
"light",
"dark",
"vmprotect",
"main",
"footer",
"body",
"class",
"hybrid",
"accept",
"local",
"click",
"strings",
"error",
"script",
"form",
"root ca",
"textarea",
"github",
"input",
"trust",
"general",
"june",
"threat roundup",
"july",
"whois whois",
"collection",
"august",
"lolkek",
"ransomware",
"ursnif",
"lockbit",
"chaos",
"quasar",
"april",
"quasar rat",
"dark power",
"swisyn",
"wiper",
"cobalt strike",
"attack",
"bitrat",
"formbook",
"qakbot",
"ransomexx",
"gootloader",
"maui ransomware",
"Cobalt Strike",
"physical threat",
"target",
"contacted circa 10.23.2023-"
],
"references": [
"tulach.cc [Adversarial Malware Attack Source]",
"http://1.116.132.182/weblogic_CVE_2020_2551.jar",
"init-p01st.push.apple.com",
"newrelic.se [Apple Collection]",
"apple-dns.net. [Apple email collection]",
"apple.com [=vaccine.com / negative http or https - insecure, malicious]",
"nr-data.net [ Hidden private Apple data collection]",
"http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]",
"www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]",
"https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter",
"114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]",
"mobile.twitter.com [titled hashtag Daisy Coleman]",
"http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]",
"12 CVE exploits posted in 'scoreblue' CVE tally",
"Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"Above Assurant link. [ Hidden privacy threats,,Transactional campaign",
"https://pin.it/ [SQLi Dumper]",
"https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt",
"msftconnecttest.com",
"ncsi-geo.trafficmanager.net =analytics.tresensa.com",
"https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]",
"104.200.22.130 Command and Control",
"aig.com",
"https://github-cloud.s3.amazonaws.com [DNS prefetch]",
"fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]",
"103.224.212.34 scanning_host",
"0-1.duckdns.org [malicious]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tsara Brashears",
"display_name": "Tsara Brashears",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Daisy Coleman",
"display_name": "Daisy Coleman",
"target": null
},
{
"id": "Twitter Malware",
"display_name": "Twitter Malware",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "CVE JAR",
"display_name": "CVE JAR",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "TrickBot - S0266",
"display_name": "TrickBot - S0266",
"target": null
},
{
"id": "Death Bitches",
"display_name": "Death Bitches",
"target": null
},
{
"id": "Bit RAT",
"display_name": "Bit RAT",
"target": null
},
{
"id": "Swisyn",
"display_name": "Swisyn",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Fusioncore",
"display_name": "Fusioncore",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Chaos",
"display_name": "Chaos",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "GootLoader",
"display_name": "GootLoader",
"target": null
},
{
"id": "Raccoon",
"display_name": "Raccoon",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "Apple Malware",
"display_name": "Apple Malware",
"target": null
},
{
"id": "FonePaw",
"display_name": "FonePaw",
"target": null
},
{
"id": "Amazon AES",
"display_name": "Amazon AES",
"target": null
},
{
"id": "Facebook HT",
"display_name": "Facebook HT",
"target": null
},
{
"id": "Ransomexx",
"display_name": "Ransomexx",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "Agent Tesla - S0331",
"display_name": "Agent Tesla - S0331",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "Dapato",
"display_name": "Dapato",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "DNSpionage",
"display_name": "DNSpionage",
"target": null
},
{
"id": "Trojan:Win32/Detplock",
"display_name": "Trojan:Win32/Detplock",
"target": "/malware/Trojan:Win32/Detplock"
},
{
"id": "Remcos",
"display_name": "Remcos",
"target": null
},
{
"id": "PwndLocker",
"display_name": "PwndLocker",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "653977171f690fb9ab978bf3",
"export_count": 46,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 641,
"domain": 2457,
"FileHash-MD5": 656,
"FileHash-SHA256": 8455,
"hostname": 2605,
"email": 3,
"URL": 5548,
"CVE": 12
},
"indicator_count": 20377,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "919 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://opmlmanager.com",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://opmlmanager.com",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780255800.5081294
}