{
"type": "URL",
"indicator": "https://p.d.m80fg.com",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://p.d.m80fg.com",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 2859724403,
"indicator": "https://p.d.m80fg.com",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 50,
"pulses": [
{
"id": "69d4ea4cd61063d5bfa2228a",
"name": "Floki",
"description": "",
"modified": "2026-04-07T19:22:26.637000",
"created": "2026-04-07T11:28:12.812000",
"tags": [
"html document",
"ascii text",
"html"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 61,
"FileHash-SHA1": 61,
"FileHash-SHA256": 68,
"IPv4": 28,
"domain": 34,
"hostname": 219,
"URL": 145
},
"indicator_count": 616,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "11 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65a836104ede1963b0502042",
"name": "Not even Google",
"description": "https://shadow.googlecnapps.cn\njoshuajenkinslaw.com",
"modified": "2024-02-16T17:02:44.115000",
"created": "2024-01-17T20:18:24.316000",
"tags": [
"ssl certificate",
"threat roundup",
"whois record",
"march",
"october",
"contacted",
"july",
"april",
"june",
"roundup",
"august",
"copy",
"execution",
"plugx",
"goldfinder",
"sibot",
"hacktool",
"february",
"ransomexx",
"ermac",
"emotet",
"agent tesla",
"nokoyawa"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1315,
"URL": 1384,
"domain": 327,
"hostname": 516,
"FileHash-MD5": 19,
"FileHash-SHA1": 19
},
"indicator_count": 3580,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "792 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a958f96f9b29641ea020",
"name": "Fitbit app link IoC's",
"description": "",
"modified": "2023-12-06T17:03:20.219000",
"created": "2023-12-06T17:03:20.219000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 17,
"FileHash-SHA256": 3730,
"hostname": 1052,
"domain": 446,
"URL": 2806,
"FileHash-MD5": 173,
"FileHash-SHA1": 168,
"email": 1
},
"indicator_count": 8393,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a927b24b94cdd5d344d1",
"name": "Fitbit app link IoC's",
"description": "",
"modified": "2023-12-06T17:02:31.854000",
"created": "2023-12-06T17:02:31.854000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 17,
"FileHash-SHA256": 3730,
"hostname": 1052,
"domain": 446,
"URL": 2806,
"FileHash-MD5": 173,
"FileHash-SHA1": 168,
"email": 1
},
"indicator_count": 8393,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a91b1702fdce6c496a1e",
"name": "note.html [Pulse by OctoSeek]",
"description": "",
"modified": "2023-12-06T17:02:19.096000",
"created": "2023-12-06T17:02:19.096000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 909,
"CVE": 2,
"FileHash-SHA256": 1422,
"domain": 481,
"URL": 2694,
"FileHash-MD5": 31,
"FileHash-SHA1": 29
},
"indicator_count": 5568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 112,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a8d167202b93ee502ff8",
"name": "Apple iTunes| Malicious site | Anonyization | Siphoning | Trojan Downloader",
"description": "",
"modified": "2023-12-06T17:01:05.291000",
"created": "2023-12-06T17:01:05.291000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 12,
"URL": 3839,
"hostname": 1331,
"FileHash-SHA256": 2976,
"domain": 757,
"FileHash-MD5": 250,
"FileHash-SHA1": 80
},
"indicator_count": 9245,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a8bf416a1c314819ea53",
"name": "Remote Access Related | APK attack targets independent artists",
"description": "",
"modified": "2023-12-06T17:00:47.888000",
"created": "2023-12-06T17:00:47.888000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 5,
"FileHash-SHA256": 2385,
"hostname": 1054,
"domain": 713,
"URL": 3595,
"FileHash-MD5": 1104,
"FileHash-SHA1": 585,
"FilePath": 1
},
"indicator_count": 9442,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a69b0f11713d9e4d0153",
"name": "note.html",
"description": "",
"modified": "2023-12-06T16:51:39.617000",
"created": "2023-12-06T16:51:39.617000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 909,
"CVE": 2,
"FileHash-SHA256": 1422,
"domain": 481,
"URL": 2694,
"FileHash-MD5": 31,
"FileHash-SHA1": 29
},
"indicator_count": 5568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a647bca43f24b4a05a97",
"name": "note.html",
"description": "",
"modified": "2023-12-06T16:50:15.239000",
"created": "2023-12-06T16:50:15.239000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 909,
"CVE": 2,
"FileHash-SHA256": 1422,
"domain": 481,
"URL": 2694,
"FileHash-MD5": 31,
"FileHash-SHA1": 29
},
"indicator_count": 5568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708db0c7b19b62c501601b",
"name": "DDOS Attack",
"description": "",
"modified": "2023-12-06T15:05:20.038000",
"created": "2023-12-06T15:05:20.038000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 182,
"FileHash-SHA256": 519,
"domain": 190,
"URL": 528,
"FileHash-SHA1": 2
},
"indicator_count": 1421,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708a0bc7609ce090cb33e5",
"name": "lapsus known associations",
"description": "",
"modified": "2023-12-06T14:49:47.058000",
"created": "2023-12-06T14:49:47.058000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 182,
"FileHash-SHA256": 519,
"domain": 190,
"URL": 528,
"FileHash-SHA1": 2
},
"indicator_count": 1421,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657089f0a9a109319e652f2e",
"name": "Democracy.works_3.23.22",
"description": "",
"modified": "2023-12-06T14:49:20.276000",
"created": "2023-12-06T14:49:20.276000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"FileHash-SHA256": 3788,
"URL": 10812,
"hostname": 2537,
"domain": 1018,
"FileHash-MD5": 2,
"FileHash-SHA1": 1
},
"indicator_count": 18160,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657089d7a9a109319e652f2d",
"name": "DEMOCRACY.WORKS",
"description": "",
"modified": "2023-12-06T14:48:55.889000",
"created": "2023-12-06T14:48:55.889000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 1,
"FileHash-SHA256": 3611,
"URL": 9861,
"hostname": 2031,
"domain": 945,
"FileHash-MD5": 2,
"FileHash-SHA1": 1
},
"indicator_count": 16452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65707f02354c2493b26aca12",
"name": "Neustar.biz",
"description": "",
"modified": "2023-12-06T14:02:42.071000",
"created": "2023-12-06T14:02:42.071000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 584,
"domain": 248,
"URL": 1305,
"hostname": 656,
"CVE": 1,
"email": 7,
"FileHash-SHA1": 6,
"FileHash-MD5": 5
},
"indicator_count": 2812,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65707e5b7df6f60133e8fb50",
"name": "Jeeng / Powerbox",
"description": "",
"modified": "2023-12-06T13:59:55.129000",
"created": "2023-12-06T13:59:55.129000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 3,
"FileHash-SHA256": 9072,
"domain": 2500,
"hostname": 3584,
"URL": 13548,
"FileHash-MD5": 197,
"FileHash-SHA1": 162,
"email": 19,
"CIDR": 20,
"SSLCertFingerprint": 2,
"BitcoinAddress": 1
},
"indicator_count": 29108,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65707bf3841fe9f857870735",
"name": "Jack Posobiec\u2019s Pay-share.com Bonanza",
"description": "",
"modified": "2023-12-06T13:49:39.465000",
"created": "2023-12-06T13:49:39.465000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3887,
"hostname": 1423,
"domain": 675,
"FileHash-SHA256": 2044,
"FileHash-MD5": 245,
"FileHash-SHA1": 212,
"CIDR": 18,
"email": 10,
"CVE": 3,
"SSLCertFingerprint": 6
},
"indicator_count": 8523,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65401dbe47ce126e7468a2dc",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "I'm actually uncomfortable finding this.",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:18:54.411000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 85,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 8601,
"URL": 7499,
"domain": 4603,
"hostname": 4187,
"CIDR": 2,
"CVE": 23
},
"indicator_count": 25940,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6544cbbca7610e92e4262c47",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Targeting",
"description": "",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-11-03T10:30:20.965000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": "654140bae73f795aa914e8de",
"export_count": 108,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 10945,
"URL": 19764,
"domain": 5110,
"hostname": 8668,
"CIDR": 2,
"CVE": 24
},
"indicator_count": 45538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "654140bae73f795aa914e8de",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-31T18:00:26.439000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": "65401d73e96dd70037ed22a7",
"export_count": 98,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 10945,
"URL": 19764,
"domain": 5110,
"hostname": 8668,
"CIDR": 2,
"CVE": 24
},
"indicator_count": 45538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65403022038832e42175601f",
"name": "CRITICAL!!! | Health Insurance Cyber threat Matrix - Darkside 2020 Ecosystem .BEware ",
"description": "",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T22:37:22.425000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": "65402a8dec948bec8b0a0372",
"export_count": 95,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 8601,
"URL": 7499,
"domain": 4604,
"hostname": 4187,
"CIDR": 2,
"CVE": 23,
"URI": 1
},
"indicator_count": 25942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65402a8dec948bec8b0a0372",
"name": "24 CVE's | Health Liability bDarkside 2020 Ecosystem .BEware",
"description": "Matrix of cyber crime attacks appears to involved legal entities and a division of Workers Compensation Colorado, possibly used nationally. Targeting, monitoring, tracking, malvertizing, cyber attacks, CNC. Critical.\nCould probably be disputed $$$$ though undisputable. \nEd Said. \nhttp://1.116.132.182/weblogic_CVE_2020_2551.jar\t\t\t\nCVE-2020-0601\t\t\t\t\t\nCVE-2018-8174\t\t\t\nCVE-2018-4893\t\t\t\nCVE-2018-0802\t\t\t\nCVE-2017-8759\t\t\t\t\t\t\nCVE-2017-8464\t\t\t\nCVE-2017-1188\t\t\t\t\nCVE-2017-0143\t\t\t\nCVE-2016-7262\t\t\t\nCVE-2014-6352\t\t\t\nCVE-2013-2465\t\t\t\nCVE-2011-2110\t\t\t\nCVE-2011-0609\t\t\t\nCVE-2010-2568\t\t\t\nCVE-2018-8453\t\t\t\nCVE-2013-1331\nCVE-2012-1856\t\t\t\t\nCVE-2012-0158\t\t\t\t\t\t\nCVE-2017-8570\t\t\t\nCVE-2017-11882\t\t\t\nCVE-2017-0199\t\t\t\t\t\t\nCVE-2017-0147\t\t\t\t\t\t\nCVE-2014-3153",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T22:13:33.427000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 92,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 8601,
"URL": 7499,
"domain": 4603,
"hostname": 4187,
"CIDR": 2,
"CVE": 23
},
"indicator_count": 25940,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65401fddb74fe1ea8506132d",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "Law Enforcement? DOJ? ACLU? Help? This is CRAZY.\nSilencing.\nI like her song clicked on link but it was malicious. I was redirected to an Indian link that looked like YouTube.\nI am a professional, awarded researcher in many areas, parent, security researcher, graphic designer, supplier, music lover , disabled. overly curious and hacked. HELP. SCARED",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:27:57.026000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 92,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 8601,
"URL": 7499,
"domain": 4603,
"hostname": 4187,
"CIDR": 2,
"CVE": 23
},
"indicator_count": 25940,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65401fcb063a0a34fa323603",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "Law Enforcement? DOJ? ACLU? Help? This is CRAZY.\nSilencing.\nI like her song clicked on link but it was malicious. I was redirected to an Indian link that looked like YouTube.\nI am a professional, awarded researcher in many areas, parent, security researcher, graphic designer, supplier, music lover , disabled. overly curious and hacked. HELP. SCARED",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:27:39.980000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 87,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 8601,
"URL": 7499,
"domain": 4603,
"hostname": 4187,
"CIDR": 2,
"CVE": 23
},
"indicator_count": 25940,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65401da888067e7f6379d23e",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "I'm actually uncomfortable finding this.",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:18:32.141000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 84,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 8601,
"URL": 7499,
"domain": 4603,
"hostname": 4187,
"CIDR": 2,
"CVE": 23
},
"indicator_count": 25940,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65401d8480e4a9ed725f6458",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:17:56.820000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 83,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 10945,
"URL": 19764,
"domain": 5110,
"hostname": 8668,
"CIDR": 2,
"CVE": 24
},
"indicator_count": 45538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65401d76b057b79aaf7ba4a7",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:17:40.239000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 84,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 10945,
"URL": 19764,
"domain": 5110,
"hostname": 8668,
"CIDR": 2,
"CVE": 24
},
"indicator_count": 45538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65401d73e96dd70037ed22a7",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:17:39.802000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 82,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 10945,
"URL": 19764,
"domain": 5110,
"hostname": 8668,
"CIDR": 2,
"CVE": 24
},
"indicator_count": 45538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65401d5ee5a7359a5e815a6a",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:17:18.712000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 82,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 10945,
"URL": 19764,
"domain": 5110,
"hostname": 8668,
"CIDR": 2,
"CVE": 24
},
"indicator_count": 45538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653bf3b076e4dbcd0c099992",
"name": "Remote Access | DeepScan | Dumping | DNS | Internal System Infiltration",
"description": "DeepScan run (absolute overkill). I witnessed excessive data use, device is completely practically unusable, many black pages, denial of most services. CNC. Browser bar became a malicious app that returns 0 searches. Attack directed towards my devices.\nNo stone left unturned. Passwords taken. Apps installed to device Covered can on device takes pictures/flash at will. Evasive. Very talented hackers. \nBravo! Very intrusive. Constantly attacking.\nTarget: Tsara Brashears and researcher",
"modified": "2023-11-26T14:04:04.692000",
"created": "2023-10-27T17:30:24.926000",
"tags": [
"ssl certificate",
"historical ssl",
"resolutions",
"referrer",
"collections",
"contacted",
"efr1",
"parent domain",
"amazon 02",
"metro",
"crypto",
"cisco umbrella",
"site",
"safe site",
"heur",
"malware",
"alexa top",
"million",
"malicious url",
"malware site",
"malicious site",
"opencandy",
"riskware",
"unsafe",
"phishing",
"zbot",
"team",
"exploit",
"agent",
"mimikatz",
"azorult",
"service",
"runescape",
"facebook",
"bank",
"download",
"downldr",
"presenoker",
"fusioncore",
"cleaner",
"wacatac",
"artemis",
"blacknet rat",
"stealer",
"trojanspy",
"blacklist https",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"tag count",
"tsara brashears",
"self",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"whois record",
"contacted urls",
"siblings domain",
"execution",
"goldmax",
"goldfinder",
"sibot",
"emotet",
"united",
"phishing site",
"maltiverse",
"adware",
"phishtank",
"xtrat",
"xrat",
"redline stealer",
"xtreme",
"crack",
"genkryptik",
"deepscan",
"win64",
"quasar rat",
"fareit",
"downloader",
"trojan",
"alexa",
"iframe",
"cve201711882",
"phish",
"genpack",
"suspicious",
"magazine",
"applicunwnt",
"cobalt strike",
"malicious",
"pattern match",
"file",
"web open",
"font format",
"truetype",
"indicator",
"windows nt",
"ascii text",
"mitre att",
"ck id",
"date",
"unknown",
"hybrid",
"accept",
"local",
"stream",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"pmejdjsu12",
"Royal Bank of Scotland",
"Phishing Bank of America Corporation",
"Phishing Netflix",
"Phishing Wells Fargo",
"Phishing RuneScape",
"Phishing Internal Revenue Service",
"Phtarget unspecified phishing",
"PAYPAL phishing",
"Phishing Indeed",
"Phishing eBay, Inc",
"PhisSafe",
"mobigame",
"Phishing Facebook",
"remote",
"mitm",
"tower",
"worm",
"firm",
"privilege",
"attacker",
"monitoring",
"cyber threat",
"apple",
"illegal",
"DNS_PROBE_STARTED",
"insurance",
"revenge",
"legal entities",
"https://boxofporn.com"
],
"references": [],
"public": 1,
"adversary": "[Unnamed group]",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Trojan.Hotkeychick",
"display_name": "Trojan.Hotkeychick",
"target": null
},
{
"id": "CVE Exploits",
"display_name": "CVE Exploits",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Generic.ASMalwS",
"display_name": "Generic.ASMalwS",
"target": null
},
{
"id": "HackTool.CheatEngine",
"display_name": "HackTool.CheatEngine",
"target": null
},
{
"id": "HackTool.BruteForce",
"display_name": "HackTool.BruteForce",
"target": null
},
{
"id": "Virus.Sality",
"display_name": "Virus.Sality",
"target": null
},
{
"id": "W32.Malware",
"display_name": "W32.Malware",
"target": null
},
{
"id": "TSGeneric",
"display_name": "TSGeneric",
"target": null
},
{
"id": "Trojan.OTNR",
"display_name": "Trojan.OTNR",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "BlackNET RAT",
"display_name": "BlackNET RAT",
"target": null
},
{
"id": "Mimikatz - S0002",
"display_name": "Mimikatz - S0002",
"target": null
},
{
"id": "GoldFinder",
"display_name": "GoldFinder",
"target": null
},
{
"id": "GoldMax - S0588",
"display_name": "GoldMax - S0588",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Sibot",
"display_name": "Sibot",
"target": null
},
{
"id": "Downloader.OpenCandy",
"display_name": "Downloader.OpenCandy",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "GoogleToolbar",
"display_name": "GoogleToolbar",
"target": null
},
{
"id": "BScope.Adware.MSIL",
"display_name": "BScope.Adware.MSIL",
"target": null
},
{
"id": "Application.Auslogics",
"display_name": "Application.Auslogics",
"target": null
},
{
"id": "PE.Heur",
"display_name": "PE.Heur",
"target": null
},
{
"id": "Gen:Variant.Application.Bundler.DownloadGuide",
"display_name": "Gen:Variant.Application.Bundler.DownloadGuide",
"target": null
},
{
"id": "Trojan:Win32/Xtrat",
"display_name": "Trojan:Win32/Xtrat",
"target": "/malware/Trojan:Win32/Xtrat"
},
{
"id": "Xtreme RAT",
"display_name": "Xtreme RAT",
"target": null
},
{
"id": "ML.Attribute",
"display_name": "ML.Attribute",
"target": null
},
{
"id": "AGEN.1045143",
"display_name": "AGEN.1045143",
"target": null
},
{
"id": "Hoax.DeceptPCClean",
"display_name": "Hoax.DeceptPCClean",
"target": null
},
{
"id": "Packed.Themida",
"display_name": "Packed.Themida",
"target": null
},
{
"id": "MSIL_Bladabindi.G.gen",
"display_name": "MSIL_Bladabindi.G.gen",
"target": null
},
{
"id": "Gen:NN.ZexaF.34090",
"display_name": "Gen:NN.ZexaF.34090",
"target": null
},
{
"id": "Unsafe.AI_Score_95% 2",
"display_name": "Unsafe.AI_Score_95% 2",
"target": null
},
{
"id": "BScope.Trojan",
"display_name": "BScope.Trojan",
"target": null
},
{
"id": "JS:Trojan.HideLink 2",
"display_name": "JS:Trojan.HideLink 2",
"target": null
},
{
"id": "Gen:Variant.Symmi",
"display_name": "Gen:Variant.Symmi",
"target": null
},
{
"id": "Gen:Heur.MSIL.Inject",
"display_name": "Gen:Heur.MSIL.Inject",
"target": null
},
{
"id": "Application.BitCoinMiner",
"display_name": "Application.BitCoinMiner",
"target": null
},
{
"id": "WebToolbar.Asparnet",
"display_name": "WebToolbar.Asparnet",
"target": null
},
{
"id": "W32.HfsAutoB",
"display_name": "W32.HfsAutoB",
"target": null
},
{
"id": "Gen:Variant.Ursu",
"display_name": "Gen:Variant.Ursu",
"target": null
},
{
"id": "HW32.Packed",
"display_name": "HW32.Packed",
"target": null
},
{
"id": "Application.Deceptor",
"display_name": "Application.Deceptor",
"target": null
},
{
"id": "Backdoor.Androm",
"display_name": "Backdoor.Androm",
"target": null
},
{
"id": "HEUR:Hoax.PCFixer",
"display_name": "HEUR:Hoax.PCFixer",
"target": null
},
{
"id": "Gen:Variant.Jacard",
"display_name": "Gen:Variant.Jacard",
"target": null
},
{
"id": "Tool.Patcher",
"display_name": "Tool.Patcher",
"target": null
},
{
"id": "Trojan.Khalesi 2\tAdware 2",
"display_name": "Trojan.Khalesi 2\tAdware 2",
"target": null
},
{
"id": "RiskWare.HackTool.Agent",
"display_name": "RiskWare.HackTool.Agent",
"target": null
},
{
"id": "Unsafe.AI_Score_94%",
"display_name": "Unsafe.AI_Score_94%",
"target": null
},
{
"id": "Trojan.WisdomEyes.16070401.9500",
"display_name": "Trojan.WisdomEyes.16070401.9500",
"target": null
},
{
"id": "RiskWare.Crack",
"display_name": "RiskWare.Crack",
"target": null
},
{
"id": "Gen:Variant.Bulz",
"display_name": "Gen:Variant.Bulz",
"target": null
},
{
"id": "VB:Trojan.Valyria",
"display_name": "VB:Trojan.Valyria",
"target": null
},
{
"id": "TrojanBanker.Banbra",
"display_name": "TrojanBanker.Banbra",
"target": null
},
{
"id": "DriverReviver.A potentially unwanted",
"display_name": "DriverReviver.A potentially unwanted",
"target": null
},
{
"id": "Warezov.gen3",
"display_name": "Warezov.gen3",
"target": null
},
{
"id": "JS:Trojan.Clicker",
"display_name": "JS:Trojan.Clicker",
"target": null
},
{
"id": "Nemucod.21C8",
"display_name": "Nemucod.21C8",
"target": null
},
{
"id": "Asparnet.P",
"display_name": "Asparnet.P",
"target": null
},
{
"id": "InstallCore.Gen7",
"display_name": "InstallCore.Gen7",
"target": null
},
{
"id": "CsQKHtaAI",
"display_name": "CsQKHtaAI",
"target": null
},
{
"id": "Clicker.VB",
"display_name": "Clicker.VB",
"target": null
},
{
"id": "Exploit.Zip.Heuristic",
"display_name": "Exploit.Zip.Heuristic",
"target": null
},
{
"id": "Trojan.Ransom.GandCrab",
"display_name": "Trojan.Ransom.GandCrab",
"target": null
},
{
"id": "ScrInject.B",
"display_name": "ScrInject.B",
"target": null
},
{
"id": "ScrInject.eric",
"display_name": "ScrInject.eric",
"target": null
},
{
"id": "HEUR:Trojan.Diztakun",
"display_name": "HEUR:Trojan.Diztakun",
"target": null
},
{
"id": "Agent.OCJ",
"display_name": "Agent.OCJ",
"target": null
},
{
"id": "Vdehu.A",
"display_name": "Vdehu.A",
"target": null
},
{
"id": "Hacktool.Crack",
"display_name": "Hacktool.Crack",
"target": null
},
{
"id": "Backdoor.DTR.15",
"display_name": "Backdoor.DTR.15",
"target": null
},
{
"id": "Freemake.A potentially unwanted",
"display_name": "Freemake.A potentially unwanted",
"target": null
},
{
"id": "Absolute Uninstaller",
"display_name": "Absolute Uninstaller",
"target": null
},
{
"id": "HTML:Script",
"display_name": "HTML:Script",
"target": null
},
{
"id": "Trojan.Small",
"display_name": "Trojan.Small",
"target": null
},
{
"id": "HackTool.Crack",
"display_name": "HackTool.Crack",
"target": null
},
{
"id": "Generic.Application.JS.Sobrab.1",
"display_name": "Generic.Application.JS.Sobrab.1",
"target": null
},
{
"id": "Trojan.Rozena",
"display_name": "Trojan.Rozena",
"target": null
},
{
"id": "Trojan.Downloader",
"display_name": "Trojan.Downloader",
"target": null
},
{
"id": "Trojan.Bayrob",
"display_name": "Trojan.Bayrob",
"target": null
},
{
"id": "Adware.OxyPumper",
"display_name": "Adware.OxyPumper",
"target": null
},
{
"id": "Worm.Chir",
"display_name": "Worm.Chir",
"target": null
},
{
"id": "Trojan.Linux.Generic",
"display_name": "Trojan.Linux.Generic",
"target": null
},
{
"id": "Trojan.Ransom.GenericKD",
"display_name": "Trojan.Ransom.GenericKD",
"target": null
},
{
"id": "Heur.BZC.YAX.Boxter.819",
"display_name": "Heur.BZC.YAX.Boxter.819",
"target": null
},
{
"id": "Faceliker.D",
"display_name": "Faceliker.D",
"target": null
},
{
"id": "Adware",
"display_name": "Adware",
"target": null
},
{
"id": "DeepScan:Generic.BrResMon.1",
"display_name": "DeepScan:Generic.BrResMon.1",
"target": null
},
{
"id": "Adware.KuziTui",
"display_name": "Adware.KuziTui",
"target": null
},
{
"id": "Trojan.Brsecmon",
"display_name": "Trojan.Brsecmon",
"target": null
},
{
"id": "SigRiskware.LespeedTechnologyLtd",
"display_name": "SigRiskware.LespeedTechnologyLtd",
"target": null
},
{
"id": "Doplik.J",
"display_name": "Doplik.J",
"target": null
},
{
"id": "Backdoor.Nhopro",
"display_name": "Backdoor.Nhopro",
"target": null
},
{
"id": "TrojanBanker.Banbra",
"display_name": "TrojanBanker.Banbra",
"target": null
},
{
"id": "Gen:NN.ZemsilF.32515",
"display_name": "Gen:NN.ZemsilF.32515",
"target": null
},
{
"id": "Downware",
"display_name": "Downware",
"target": null
},
{
"id": "MxResIcn.Heur",
"display_name": "MxResIcn.Heur",
"target": null
},
{
"id": "Mimikatz",
"display_name": "Mimikatz",
"target": null
},
{
"id": "Magazine phishing",
"display_name": "Magazine phishing",
"target": null
},
{
"id": "ApplicUnwnt@#2n6\tIRS",
"display_name": "ApplicUnwnt@#2n6\tIRS",
"target": null
},
{
"id": "TEL:Trojan:HTML/Phishing",
"display_name": "TEL:Trojan:HTML/Phishing",
"target": null
},
{
"id": "DriverReviver.A potentially unwanted",
"display_name": "DriverReviver.A potentially unwanted",
"target": null
},
{
"id": "Trojan.GandCrypt",
"display_name": "Trojan.GandCrypt",
"target": null
},
{
"id": "Redirector.AN",
"display_name": "Redirector.AN",
"target": null
},
{
"id": "Agent.CUX.gen",
"display_name": "Agent.CUX.gen",
"target": null
},
{
"id": "Gen:Variant.Application.Bundler",
"display_name": "Gen:Variant.Application.Bundler",
"target": null
},
{
"id": "Downloader.Generic",
"display_name": "Downloader.Generic",
"target": null
},
{
"id": "Trojan.ClipBanker",
"display_name": "Trojan.ClipBanker",
"target": null
},
{
"id": "TrojanDropper.Autit",
"display_name": "TrojanDropper.Autit",
"target": null
},
{
"id": "Dropper.Trojan.Agent",
"display_name": "Dropper.Trojan.Agent",
"target": null
},
{
"id": "QVM05.1.08E5.Malware",
"display_name": "QVM05.1.08E5.Malware",
"target": null
},
{
"id": "Trojan.CookiesStealer",
"display_name": "Trojan.CookiesStealer",
"target": null
},
{
"id": "Agent.MU",
"display_name": "Agent.MU",
"target": null
},
{
"id": "Wacatac.B",
"display_name": "Wacatac.B",
"target": null
},
{
"id": "Dropper.Gen",
"display_name": "Dropper.Gen",
"target": null
},
{
"id": "WiseCleaner.A potentially unwanted",
"display_name": "WiseCleaner.A potentially unwanted",
"target": null
},
{
"id": "Gen:Heur.MSIL.Androm",
"display_name": "Gen:Heur.MSIL.Androm",
"target": null
},
{
"id": "Gen:NN.ZemsilF.34170",
"display_name": "Gen:NN.ZemsilF.34170",
"target": null
},
{
"id": "Gen:Variant.MSILHeracles",
"display_name": "Gen:Variant.MSILHeracles",
"target": null
},
{
"id": "Trojan.DownLoader33",
"display_name": "Trojan.DownLoader33",
"target": null
},
{
"id": "Trojan.MSIL",
"display_name": "Trojan.MSIL",
"target": null
},
{
"id": "Program.Freemake",
"display_name": "Program.Freemake",
"target": null
},
{
"id": "Kryptik.dawvk",
"display_name": "Kryptik.dawvk",
"target": null
},
{
"id": "AdwareSig [Adw]",
"display_name": "AdwareSig [Adw]",
"target": null
},
{
"id": "Phishing JPMorgan Chase and Co.",
"display_name": "Phishing JPMorgan Chase and Co.",
"target": null
},
{
"id": "Adware.BrowseFoxCRTD",
"display_name": "Adware.BrowseFoxCRTD",
"target": null
},
{
"id": "Suspici.1F4405D1",
"display_name": "Suspici.1F4405D1",
"target": null
},
{
"id": "PUA.Wombat",
"display_name": "PUA.Wombat",
"target": null
},
{
"id": "AdWare.DealPly",
"display_name": "AdWare.DealPly",
"target": null
},
{
"id": "Injector.CUAM",
"display_name": "Injector.CUAM",
"target": null
},
{
"id": "Downldr.gen",
"display_name": "Downldr.gen",
"target": null
},
{
"id": "Troj_Gen.F04IE00CI19",
"display_name": "Troj_Gen.F04IE00CI19",
"target": null
},
{
"id": "Worm.Autorun",
"display_name": "Worm.Autorun",
"target": null
},
{
"id": "Worm.Boychi",
"display_name": "Worm.Boychi",
"target": null
},
{
"id": "Worm.Allaple",
"display_name": "Worm.Allaple",
"target": null
},
{
"id": "CVE-2014-3153",
"display_name": "CVE-2014-3153",
"target": null
},
{
"id": "BehavesLike.ICLoader",
"display_name": "BehavesLike.ICLoader",
"target": null
},
{
"id": "BScope.Backdoor",
"display_name": "BScope.Backdoor",
"target": null
},
{
"id": "Trojan.WIN32.PDF.Alien",
"display_name": "Trojan.WIN32.PDF.Alien",
"target": null
},
{
"id": "PUP.Systweak",
"display_name": "PUP.Systweak",
"target": null
},
{
"id": "Sabsik.FL.B",
"display_name": "Sabsik.FL.B",
"target": null
},
{
"id": "malicious.f01f67",
"display_name": "malicious.f01f67",
"target": null
},
{
"id": "AGEN.1144657",
"display_name": "AGEN.1144657",
"target": null
},
{
"id": "Gen:Variant.Tedy HackTool.VulnDriver",
"display_name": "Gen:Variant.Tedy HackTool.VulnDriver",
"target": null
},
{
"id": "Backdoor.Predator",
"display_name": "Backdoor.Predator",
"target": null
},
{
"id": "Kryptik.GKQR",
"display_name": "Kryptik.GKQR",
"target": null
},
{
"id": "DarkKomet.ife",
"display_name": "DarkKomet.ife",
"target": null
},
{
"id": "BehavesLike.Downloader",
"display_name": "BehavesLike.Downloader",
"target": null
},
{
"id": "Trojan.JS.Iframe",
"display_name": "Trojan.JS.Iframe",
"target": null
},
{
"id": "InstallCore.NP",
"display_name": "InstallCore.NP",
"target": null
},
{
"id": "Generic.JS.BlackHole",
"display_name": "Generic.JS.BlackHole",
"target": null
},
{
"id": "Dropper.Wanna",
"display_name": "Dropper.Wanna",
"target": null
},
{
"id": "Remote Utilities",
"display_name": "Remote Utilities",
"target": null
},
{
"id": "W32.InstallCore.AGX",
"display_name": "W32.InstallCore.AGX",
"target": null
},
{
"id": "NetTool.RemoteExec",
"display_name": "NetTool.RemoteExec",
"target": null
},
{
"id": "Bondat.A",
"display_name": "Bondat.A",
"target": null
},
{
"id": "VM201.0.B70B.Malware",
"display_name": "VM201.0.B70B.Malware",
"target": null
},
{
"id": "Riskware.NetFilter",
"display_name": "Riskware.NetFilter",
"target": null
},
{
"id": "Infected.WebPage",
"display_name": "Infected.WebPage",
"target": null
},
{
"id": "HEUR:Exploit.Script",
"display_name": "HEUR:Exploit.Script",
"target": null
},
{
"id": "BScope.TrojanDownloader",
"display_name": "BScope.TrojanDownloader",
"target": null
},
{
"id": "HTML:RedirBA",
"display_name": "HTML:RedirBA",
"target": null
},
{
"id": "Trojan.BAT.Qhost",
"display_name": "Trojan.BAT.Qhost",
"target": null
},
{
"id": "HTML:RedirME",
"display_name": "HTML:RedirME",
"target": null
},
{
"id": "TrojWare.JS.AdWare.Agent",
"display_name": "TrojWare.JS.AdWare.Agent",
"target": null
},
{
"id": "Packed.Dico",
"display_name": "Packed.Dico",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1491.001",
"name": "Internal Defacement",
"display_name": "T1491.001 - Internal Defacement"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1602.001",
"name": "SNMP (MIB Dump)",
"display_name": "T1602.001 - SNMP (MIB Dump)"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 34,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1695,
"FileHash-SHA1": 756,
"FileHash-SHA256": 2029,
"domain": 290,
"URL": 1854,
"hostname": 568,
"CVE": 5
},
"indicator_count": 7197,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "875 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653f09785f9ee8aebca2a667",
"name": "Remote Access | DeepScan | Dumping | DNS | Internal System Infiltration",
"description": "",
"modified": "2023-11-26T14:04:04.692000",
"created": "2023-10-30T01:40:08.022000",
"tags": [
"ssl certificate",
"historical ssl",
"resolutions",
"referrer",
"collections",
"contacted",
"efr1",
"parent domain",
"amazon 02",
"metro",
"crypto",
"cisco umbrella",
"site",
"safe site",
"heur",
"malware",
"alexa top",
"million",
"malicious url",
"malware site",
"malicious site",
"opencandy",
"riskware",
"unsafe",
"phishing",
"zbot",
"team",
"exploit",
"agent",
"mimikatz",
"azorult",
"service",
"runescape",
"facebook",
"bank",
"download",
"downldr",
"presenoker",
"fusioncore",
"cleaner",
"wacatac",
"artemis",
"blacknet rat",
"stealer",
"trojanspy",
"blacklist https",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"tag count",
"tsara brashears",
"self",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"whois record",
"contacted urls",
"siblings domain",
"execution",
"goldmax",
"goldfinder",
"sibot",
"emotet",
"united",
"phishing site",
"maltiverse",
"adware",
"phishtank",
"xtrat",
"xrat",
"redline stealer",
"xtreme",
"crack",
"genkryptik",
"deepscan",
"win64",
"quasar rat",
"fareit",
"downloader",
"trojan",
"alexa",
"iframe",
"cve201711882",
"phish",
"genpack",
"suspicious",
"magazine",
"applicunwnt",
"cobalt strike",
"malicious",
"pattern match",
"file",
"web open",
"font format",
"truetype",
"indicator",
"windows nt",
"ascii text",
"mitre att",
"ck id",
"date",
"unknown",
"hybrid",
"accept",
"local",
"stream",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"pmejdjsu12",
"Royal Bank of Scotland",
"Phishing Bank of America Corporation",
"Phishing Netflix",
"Phishing Wells Fargo",
"Phishing RuneScape",
"Phishing Internal Revenue Service",
"Phtarget unspecified phishing",
"PAYPAL phishing",
"Phishing Indeed",
"Phishing eBay, Inc",
"PhisSafe",
"mobigame",
"Phishing Facebook",
"remote",
"mitm",
"tower",
"worm",
"firm",
"privilege",
"attacker",
"monitoring",
"cyber threat",
"apple",
"illegal",
"DNS_PROBE_STARTED",
"insurance",
"revenge",
"legal entities",
"https://boxofporn.com"
],
"references": [],
"public": 1,
"adversary": "[Unnamed group]",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Trojan.Hotkeychick",
"display_name": "Trojan.Hotkeychick",
"target": null
},
{
"id": "CVE Exploits",
"display_name": "CVE Exploits",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Generic.ASMalwS",
"display_name": "Generic.ASMalwS",
"target": null
},
{
"id": "HackTool.CheatEngine",
"display_name": "HackTool.CheatEngine",
"target": null
},
{
"id": "HackTool.BruteForce",
"display_name": "HackTool.BruteForce",
"target": null
},
{
"id": "Virus.Sality",
"display_name": "Virus.Sality",
"target": null
},
{
"id": "W32.Malware",
"display_name": "W32.Malware",
"target": null
},
{
"id": "TSGeneric",
"display_name": "TSGeneric",
"target": null
},
{
"id": "Trojan.OTNR",
"display_name": "Trojan.OTNR",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "BlackNET RAT",
"display_name": "BlackNET RAT",
"target": null
},
{
"id": "Mimikatz - S0002",
"display_name": "Mimikatz - S0002",
"target": null
},
{
"id": "GoldFinder",
"display_name": "GoldFinder",
"target": null
},
{
"id": "GoldMax - S0588",
"display_name": "GoldMax - S0588",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Sibot",
"display_name": "Sibot",
"target": null
},
{
"id": "Downloader.OpenCandy",
"display_name": "Downloader.OpenCandy",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "GoogleToolbar",
"display_name": "GoogleToolbar",
"target": null
},
{
"id": "BScope.Adware.MSIL",
"display_name": "BScope.Adware.MSIL",
"target": null
},
{
"id": "Application.Auslogics",
"display_name": "Application.Auslogics",
"target": null
},
{
"id": "PE.Heur",
"display_name": "PE.Heur",
"target": null
},
{
"id": "Gen:Variant.Application.Bundler.DownloadGuide",
"display_name": "Gen:Variant.Application.Bundler.DownloadGuide",
"target": null
},
{
"id": "Trojan:Win32/Xtrat",
"display_name": "Trojan:Win32/Xtrat",
"target": "/malware/Trojan:Win32/Xtrat"
},
{
"id": "Xtreme RAT",
"display_name": "Xtreme RAT",
"target": null
},
{
"id": "ML.Attribute",
"display_name": "ML.Attribute",
"target": null
},
{
"id": "AGEN.1045143",
"display_name": "AGEN.1045143",
"target": null
},
{
"id": "Hoax.DeceptPCClean",
"display_name": "Hoax.DeceptPCClean",
"target": null
},
{
"id": "Packed.Themida",
"display_name": "Packed.Themida",
"target": null
},
{
"id": "MSIL_Bladabindi.G.gen",
"display_name": "MSIL_Bladabindi.G.gen",
"target": null
},
{
"id": "Gen:NN.ZexaF.34090",
"display_name": "Gen:NN.ZexaF.34090",
"target": null
},
{
"id": "Unsafe.AI_Score_95% 2",
"display_name": "Unsafe.AI_Score_95% 2",
"target": null
},
{
"id": "BScope.Trojan",
"display_name": "BScope.Trojan",
"target": null
},
{
"id": "JS:Trojan.HideLink 2",
"display_name": "JS:Trojan.HideLink 2",
"target": null
},
{
"id": "Gen:Variant.Symmi",
"display_name": "Gen:Variant.Symmi",
"target": null
},
{
"id": "Gen:Heur.MSIL.Inject",
"display_name": "Gen:Heur.MSIL.Inject",
"target": null
},
{
"id": "Application.BitCoinMiner",
"display_name": "Application.BitCoinMiner",
"target": null
},
{
"id": "WebToolbar.Asparnet",
"display_name": "WebToolbar.Asparnet",
"target": null
},
{
"id": "W32.HfsAutoB",
"display_name": "W32.HfsAutoB",
"target": null
},
{
"id": "Gen:Variant.Ursu",
"display_name": "Gen:Variant.Ursu",
"target": null
},
{
"id": "HW32.Packed",
"display_name": "HW32.Packed",
"target": null
},
{
"id": "Application.Deceptor",
"display_name": "Application.Deceptor",
"target": null
},
{
"id": "Backdoor.Androm",
"display_name": "Backdoor.Androm",
"target": null
},
{
"id": "HEUR:Hoax.PCFixer",
"display_name": "HEUR:Hoax.PCFixer",
"target": null
},
{
"id": "Gen:Variant.Jacard",
"display_name": "Gen:Variant.Jacard",
"target": null
},
{
"id": "Tool.Patcher",
"display_name": "Tool.Patcher",
"target": null
},
{
"id": "Trojan.Khalesi 2\tAdware 2",
"display_name": "Trojan.Khalesi 2\tAdware 2",
"target": null
},
{
"id": "RiskWare.HackTool.Agent",
"display_name": "RiskWare.HackTool.Agent",
"target": null
},
{
"id": "Unsafe.AI_Score_94%",
"display_name": "Unsafe.AI_Score_94%",
"target": null
},
{
"id": "Trojan.WisdomEyes.16070401.9500",
"display_name": "Trojan.WisdomEyes.16070401.9500",
"target": null
},
{
"id": "RiskWare.Crack",
"display_name": "RiskWare.Crack",
"target": null
},
{
"id": "Gen:Variant.Bulz",
"display_name": "Gen:Variant.Bulz",
"target": null
},
{
"id": "VB:Trojan.Valyria",
"display_name": "VB:Trojan.Valyria",
"target": null
},
{
"id": "TrojanBanker.Banbra",
"display_name": "TrojanBanker.Banbra",
"target": null
},
{
"id": "DriverReviver.A potentially unwanted",
"display_name": "DriverReviver.A potentially unwanted",
"target": null
},
{
"id": "Warezov.gen3",
"display_name": "Warezov.gen3",
"target": null
},
{
"id": "JS:Trojan.Clicker",
"display_name": "JS:Trojan.Clicker",
"target": null
},
{
"id": "Nemucod.21C8",
"display_name": "Nemucod.21C8",
"target": null
},
{
"id": "Asparnet.P",
"display_name": "Asparnet.P",
"target": null
},
{
"id": "InstallCore.Gen7",
"display_name": "InstallCore.Gen7",
"target": null
},
{
"id": "CsQKHtaAI",
"display_name": "CsQKHtaAI",
"target": null
},
{
"id": "Clicker.VB",
"display_name": "Clicker.VB",
"target": null
},
{
"id": "Exploit.Zip.Heuristic",
"display_name": "Exploit.Zip.Heuristic",
"target": null
},
{
"id": "Trojan.Ransom.GandCrab",
"display_name": "Trojan.Ransom.GandCrab",
"target": null
},
{
"id": "ScrInject.B",
"display_name": "ScrInject.B",
"target": null
},
{
"id": "ScrInject.eric",
"display_name": "ScrInject.eric",
"target": null
},
{
"id": "HEUR:Trojan.Diztakun",
"display_name": "HEUR:Trojan.Diztakun",
"target": null
},
{
"id": "Agent.OCJ",
"display_name": "Agent.OCJ",
"target": null
},
{
"id": "Vdehu.A",
"display_name": "Vdehu.A",
"target": null
},
{
"id": "Hacktool.Crack",
"display_name": "Hacktool.Crack",
"target": null
},
{
"id": "Backdoor.DTR.15",
"display_name": "Backdoor.DTR.15",
"target": null
},
{
"id": "Freemake.A potentially unwanted",
"display_name": "Freemake.A potentially unwanted",
"target": null
},
{
"id": "Absolute Uninstaller",
"display_name": "Absolute Uninstaller",
"target": null
},
{
"id": "HTML:Script",
"display_name": "HTML:Script",
"target": null
},
{
"id": "Trojan.Small",
"display_name": "Trojan.Small",
"target": null
},
{
"id": "HackTool.Crack",
"display_name": "HackTool.Crack",
"target": null
},
{
"id": "Generic.Application.JS.Sobrab.1",
"display_name": "Generic.Application.JS.Sobrab.1",
"target": null
},
{
"id": "Trojan.Rozena",
"display_name": "Trojan.Rozena",
"target": null
},
{
"id": "Trojan.Downloader",
"display_name": "Trojan.Downloader",
"target": null
},
{
"id": "Trojan.Bayrob",
"display_name": "Trojan.Bayrob",
"target": null
},
{
"id": "Adware.OxyPumper",
"display_name": "Adware.OxyPumper",
"target": null
},
{
"id": "Worm.Chir",
"display_name": "Worm.Chir",
"target": null
},
{
"id": "Trojan.Linux.Generic",
"display_name": "Trojan.Linux.Generic",
"target": null
},
{
"id": "Trojan.Ransom.GenericKD",
"display_name": "Trojan.Ransom.GenericKD",
"target": null
},
{
"id": "Heur.BZC.YAX.Boxter.819",
"display_name": "Heur.BZC.YAX.Boxter.819",
"target": null
},
{
"id": "Faceliker.D",
"display_name": "Faceliker.D",
"target": null
},
{
"id": "Adware",
"display_name": "Adware",
"target": null
},
{
"id": "DeepScan:Generic.BrResMon.1",
"display_name": "DeepScan:Generic.BrResMon.1",
"target": null
},
{
"id": "Adware.KuziTui",
"display_name": "Adware.KuziTui",
"target": null
},
{
"id": "Trojan.Brsecmon",
"display_name": "Trojan.Brsecmon",
"target": null
},
{
"id": "SigRiskware.LespeedTechnologyLtd",
"display_name": "SigRiskware.LespeedTechnologyLtd",
"target": null
},
{
"id": "Doplik.J",
"display_name": "Doplik.J",
"target": null
},
{
"id": "Backdoor.Nhopro",
"display_name": "Backdoor.Nhopro",
"target": null
},
{
"id": "TrojanBanker.Banbra",
"display_name": "TrojanBanker.Banbra",
"target": null
},
{
"id": "Gen:NN.ZemsilF.32515",
"display_name": "Gen:NN.ZemsilF.32515",
"target": null
},
{
"id": "Downware",
"display_name": "Downware",
"target": null
},
{
"id": "MxResIcn.Heur",
"display_name": "MxResIcn.Heur",
"target": null
},
{
"id": "Mimikatz",
"display_name": "Mimikatz",
"target": null
},
{
"id": "Magazine phishing",
"display_name": "Magazine phishing",
"target": null
},
{
"id": "ApplicUnwnt@#2n6\tIRS",
"display_name": "ApplicUnwnt@#2n6\tIRS",
"target": null
},
{
"id": "TEL:Trojan:HTML/Phishing",
"display_name": "TEL:Trojan:HTML/Phishing",
"target": null
},
{
"id": "DriverReviver.A potentially unwanted",
"display_name": "DriverReviver.A potentially unwanted",
"target": null
},
{
"id": "Trojan.GandCrypt",
"display_name": "Trojan.GandCrypt",
"target": null
},
{
"id": "Redirector.AN",
"display_name": "Redirector.AN",
"target": null
},
{
"id": "Agent.CUX.gen",
"display_name": "Agent.CUX.gen",
"target": null
},
{
"id": "Gen:Variant.Application.Bundler",
"display_name": "Gen:Variant.Application.Bundler",
"target": null
},
{
"id": "Downloader.Generic",
"display_name": "Downloader.Generic",
"target": null
},
{
"id": "Trojan.ClipBanker",
"display_name": "Trojan.ClipBanker",
"target": null
},
{
"id": "TrojanDropper.Autit",
"display_name": "TrojanDropper.Autit",
"target": null
},
{
"id": "Dropper.Trojan.Agent",
"display_name": "Dropper.Trojan.Agent",
"target": null
},
{
"id": "QVM05.1.08E5.Malware",
"display_name": "QVM05.1.08E5.Malware",
"target": null
},
{
"id": "Trojan.CookiesStealer",
"display_name": "Trojan.CookiesStealer",
"target": null
},
{
"id": "Agent.MU",
"display_name": "Agent.MU",
"target": null
},
{
"id": "Wacatac.B",
"display_name": "Wacatac.B",
"target": null
},
{
"id": "Dropper.Gen",
"display_name": "Dropper.Gen",
"target": null
},
{
"id": "WiseCleaner.A potentially unwanted",
"display_name": "WiseCleaner.A potentially unwanted",
"target": null
},
{
"id": "Gen:Heur.MSIL.Androm",
"display_name": "Gen:Heur.MSIL.Androm",
"target": null
},
{
"id": "Gen:NN.ZemsilF.34170",
"display_name": "Gen:NN.ZemsilF.34170",
"target": null
},
{
"id": "Gen:Variant.MSILHeracles",
"display_name": "Gen:Variant.MSILHeracles",
"target": null
},
{
"id": "Trojan.DownLoader33",
"display_name": "Trojan.DownLoader33",
"target": null
},
{
"id": "Trojan.MSIL",
"display_name": "Trojan.MSIL",
"target": null
},
{
"id": "Program.Freemake",
"display_name": "Program.Freemake",
"target": null
},
{
"id": "Kryptik.dawvk",
"display_name": "Kryptik.dawvk",
"target": null
},
{
"id": "AdwareSig [Adw]",
"display_name": "AdwareSig [Adw]",
"target": null
},
{
"id": "Phishing JPMorgan Chase and Co.",
"display_name": "Phishing JPMorgan Chase and Co.",
"target": null
},
{
"id": "Adware.BrowseFoxCRTD",
"display_name": "Adware.BrowseFoxCRTD",
"target": null
},
{
"id": "Suspici.1F4405D1",
"display_name": "Suspici.1F4405D1",
"target": null
},
{
"id": "PUA.Wombat",
"display_name": "PUA.Wombat",
"target": null
},
{
"id": "AdWare.DealPly",
"display_name": "AdWare.DealPly",
"target": null
},
{
"id": "Injector.CUAM",
"display_name": "Injector.CUAM",
"target": null
},
{
"id": "Downldr.gen",
"display_name": "Downldr.gen",
"target": null
},
{
"id": "Troj_Gen.F04IE00CI19",
"display_name": "Troj_Gen.F04IE00CI19",
"target": null
},
{
"id": "Worm.Autorun",
"display_name": "Worm.Autorun",
"target": null
},
{
"id": "Worm.Boychi",
"display_name": "Worm.Boychi",
"target": null
},
{
"id": "Worm.Allaple",
"display_name": "Worm.Allaple",
"target": null
},
{
"id": "CVE-2014-3153",
"display_name": "CVE-2014-3153",
"target": null
},
{
"id": "BehavesLike.ICLoader",
"display_name": "BehavesLike.ICLoader",
"target": null
},
{
"id": "BScope.Backdoor",
"display_name": "BScope.Backdoor",
"target": null
},
{
"id": "Trojan.WIN32.PDF.Alien",
"display_name": "Trojan.WIN32.PDF.Alien",
"target": null
},
{
"id": "PUP.Systweak",
"display_name": "PUP.Systweak",
"target": null
},
{
"id": "Sabsik.FL.B",
"display_name": "Sabsik.FL.B",
"target": null
},
{
"id": "malicious.f01f67",
"display_name": "malicious.f01f67",
"target": null
},
{
"id": "AGEN.1144657",
"display_name": "AGEN.1144657",
"target": null
},
{
"id": "Gen:Variant.Tedy HackTool.VulnDriver",
"display_name": "Gen:Variant.Tedy HackTool.VulnDriver",
"target": null
},
{
"id": "Backdoor.Predator",
"display_name": "Backdoor.Predator",
"target": null
},
{
"id": "Kryptik.GKQR",
"display_name": "Kryptik.GKQR",
"target": null
},
{
"id": "DarkKomet.ife",
"display_name": "DarkKomet.ife",
"target": null
},
{
"id": "BehavesLike.Downloader",
"display_name": "BehavesLike.Downloader",
"target": null
},
{
"id": "Trojan.JS.Iframe",
"display_name": "Trojan.JS.Iframe",
"target": null
},
{
"id": "InstallCore.NP",
"display_name": "InstallCore.NP",
"target": null
},
{
"id": "Generic.JS.BlackHole",
"display_name": "Generic.JS.BlackHole",
"target": null
},
{
"id": "Dropper.Wanna",
"display_name": "Dropper.Wanna",
"target": null
},
{
"id": "Remote Utilities",
"display_name": "Remote Utilities",
"target": null
},
{
"id": "W32.InstallCore.AGX",
"display_name": "W32.InstallCore.AGX",
"target": null
},
{
"id": "NetTool.RemoteExec",
"display_name": "NetTool.RemoteExec",
"target": null
},
{
"id": "Bondat.A",
"display_name": "Bondat.A",
"target": null
},
{
"id": "VM201.0.B70B.Malware",
"display_name": "VM201.0.B70B.Malware",
"target": null
},
{
"id": "Riskware.NetFilter",
"display_name": "Riskware.NetFilter",
"target": null
},
{
"id": "Infected.WebPage",
"display_name": "Infected.WebPage",
"target": null
},
{
"id": "HEUR:Exploit.Script",
"display_name": "HEUR:Exploit.Script",
"target": null
},
{
"id": "BScope.TrojanDownloader",
"display_name": "BScope.TrojanDownloader",
"target": null
},
{
"id": "HTML:RedirBA",
"display_name": "HTML:RedirBA",
"target": null
},
{
"id": "Trojan.BAT.Qhost",
"display_name": "Trojan.BAT.Qhost",
"target": null
},
{
"id": "HTML:RedirME",
"display_name": "HTML:RedirME",
"target": null
},
{
"id": "TrojWare.JS.AdWare.Agent",
"display_name": "TrojWare.JS.AdWare.Agent",
"target": null
},
{
"id": "Packed.Dico",
"display_name": "Packed.Dico",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1491.001",
"name": "Internal Defacement",
"display_name": "T1491.001 - Internal Defacement"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1602.001",
"name": "SNMP (MIB Dump)",
"display_name": "T1602.001 - SNMP (MIB Dump)"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "653bf3b076e4dbcd0c099992",
"export_count": 28,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1695,
"FileHash-SHA1": 756,
"FileHash-SHA256": 2029,
"domain": 290,
"URL": 1854,
"hostname": 568,
"CVE": 5
},
"indicator_count": 7197,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "875 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "652b2a50c4487060d52346fd",
"name": "Fitbit app link IoC's",
"description": "Critical. Fitbit download link found in Google search results.\n[https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile]\n\nBlackNET is a Remote Access Trojan (RAT) - Advanced Windows Botnet.\nCapabilities: stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. \n\nOpenCandy , PUP\nCapabilities: Browser home page hijacker, installs unwanted toolbars, plug-ins, and extensions to web browsers, collects information, user\u2019s surfing habits, distribution to third parties without user consent.\n\nProcess Injection: Privilege escalation adversaries use to inject arbitrary code.",
"modified": "2023-11-13T22:04:06.580000",
"created": "2023-10-14T23:54:55.973000",
"tags": [
"ssl certificate",
"contacted",
"contacted urls",
"referrer",
"march",
"historical ssl",
"whois sslcert",
"suspicious",
"execution",
"malware",
"core",
"name verdict",
"falco",
"pattern match",
"ascii text",
"file",
"png image",
"sdcwhb",
"windows nt",
"jpeg image",
"jfif",
"appdata",
"kg2exe",
"date",
"unknown",
"general",
"hybrid",
"this",
"click",
"strings",
"class",
"critical",
"error",
"zfaoz",
"falcon sandbox",
"exit",
"node tcp",
"traffic",
"et tor",
"known tor",
"relayrouter",
"tor known",
"tor relayrouter",
"detection list",
"ip address",
"cisco umbrella",
"heur",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"malicious url",
"malicious site",
"unsafe",
"riskware",
"swrort",
"downldr",
"artemis",
"team",
"phishing",
"iframe",
"crack",
"xrat",
"installcore",
"facebook",
"bank",
"opencandy",
"nircmd",
"exploit",
"filetour",
"cleaner",
"wacatac",
"win64",
"unruy",
"blacknet rat",
"stealer",
"azorult",
"service",
"runescape",
"download",
"tiggre",
"presenoker",
"conduit",
"xtrat",
"agent",
"patcher",
"adload",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"adaptivebee",
"iobit",
"dropper",
"trojanx",
"webshell",
"adposhel",
"union",
"trojanspy",
"webtoolbar",
"blacklist https",
"blacklist",
"command_and_control",
"Fitbit",
"hidden tear",
"google",
"spyware",
"potentially unwanted progams",
"network",
"bundlers",
"aware"
],
"references": [
"https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile",
"https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ZfAoz",
"display_name": "ZfAoz",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "MediaMagnet",
"display_name": "MediaMagnet",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "WisdomEyes.16070401.9500",
"display_name": "WisdomEyes.16070401.9500",
"target": null
},
{
"id": "Wacatac",
"display_name": "Wacatac",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Unruy",
"display_name": "Unruy",
"target": null
},
{
"id": "BlackNET RAT",
"display_name": "BlackNET RAT",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1052,
"FileHash-MD5": 173,
"FileHash-SHA1": 168,
"FileHash-SHA256": 3730,
"URL": 2806,
"domain": 446,
"CVE": 17,
"email": 1
},
"indicator_count": 8393,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "887 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "652b2a8048e6a285461c4a5d",
"name": "Fitbit app link IoC's",
"description": "Critical. Fitbit download link found in Google search results.\n[https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile]\n\nBlackNET is a Remote Access Trojan (RAT) - Advanced Windows Botnet.\nCapabilities: stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. \n\nOpenCandy , PUP\nCapabilities: Browser home page hijacker, installs unwanted toolbars, plug-ins, and extensions to web browsers, collects information, user\u2019s surfing habits, distribution to third parties without user consent.\n\nProcess Injection: Privilege escalation adversaries use to inject arbitrary code.",
"modified": "2023-11-13T22:04:06.580000",
"created": "2023-10-14T23:55:42.972000",
"tags": [
"ssl certificate",
"contacted",
"contacted urls",
"referrer",
"march",
"historical ssl",
"whois sslcert",
"suspicious",
"execution",
"malware",
"core",
"name verdict",
"falco",
"pattern match",
"ascii text",
"file",
"png image",
"sdcwhb",
"windows nt",
"jpeg image",
"jfif",
"appdata",
"kg2exe",
"date",
"unknown",
"general",
"hybrid",
"this",
"click",
"strings",
"class",
"critical",
"error",
"zfaoz",
"falcon sandbox",
"exit",
"node tcp",
"traffic",
"et tor",
"known tor",
"relayrouter",
"tor known",
"tor relayrouter",
"detection list",
"ip address",
"cisco umbrella",
"heur",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"malicious url",
"malicious site",
"unsafe",
"riskware",
"swrort",
"downldr",
"artemis",
"team",
"phishing",
"iframe",
"crack",
"xrat",
"installcore",
"facebook",
"bank",
"opencandy",
"nircmd",
"exploit",
"filetour",
"cleaner",
"wacatac",
"win64",
"unruy",
"blacknet rat",
"stealer",
"azorult",
"service",
"runescape",
"download",
"tiggre",
"presenoker",
"conduit",
"xtrat",
"agent",
"patcher",
"adload",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"adaptivebee",
"iobit",
"dropper",
"trojanx",
"webshell",
"adposhel",
"union",
"trojanspy",
"webtoolbar",
"blacklist https",
"blacklist",
"command_and_control",
"Fitbit",
"hidden tear",
"google",
"spyware",
"potentially unwanted progams",
"network",
"bundlers",
"aware"
],
"references": [
"https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile",
"https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ZfAoz",
"display_name": "ZfAoz",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "MediaMagnet",
"display_name": "MediaMagnet",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "WisdomEyes.16070401.9500",
"display_name": "WisdomEyes.16070401.9500",
"target": null
},
{
"id": "Wacatac",
"display_name": "Wacatac",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Unruy",
"display_name": "Unruy",
"target": null
},
{
"id": "BlackNET RAT",
"display_name": "BlackNET RAT",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1052,
"FileHash-MD5": 173,
"FileHash-SHA1": 168,
"FileHash-SHA256": 3730,
"URL": 2806,
"domain": 446,
"CVE": 17,
"email": 1
},
"indicator_count": 8393,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "887 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653f147a7e55dd916fe9e3e2",
"name": "Fitbit app link IoC's",
"description": "",
"modified": "2023-11-13T22:04:06.580000",
"created": "2023-10-30T02:27:06.140000",
"tags": [
"ssl certificate",
"contacted",
"contacted urls",
"referrer",
"march",
"historical ssl",
"whois sslcert",
"suspicious",
"execution",
"malware",
"core",
"name verdict",
"falco",
"pattern match",
"ascii text",
"file",
"png image",
"sdcwhb",
"windows nt",
"jpeg image",
"jfif",
"appdata",
"kg2exe",
"date",
"unknown",
"general",
"hybrid",
"this",
"click",
"strings",
"class",
"critical",
"error",
"zfaoz",
"falcon sandbox",
"exit",
"node tcp",
"traffic",
"et tor",
"known tor",
"relayrouter",
"tor known",
"tor relayrouter",
"detection list",
"ip address",
"cisco umbrella",
"heur",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"malicious url",
"malicious site",
"unsafe",
"riskware",
"swrort",
"downldr",
"artemis",
"team",
"phishing",
"iframe",
"crack",
"xrat",
"installcore",
"facebook",
"bank",
"opencandy",
"nircmd",
"exploit",
"filetour",
"cleaner",
"wacatac",
"win64",
"unruy",
"blacknet rat",
"stealer",
"azorult",
"service",
"runescape",
"download",
"tiggre",
"presenoker",
"conduit",
"xtrat",
"agent",
"patcher",
"adload",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"adaptivebee",
"iobit",
"dropper",
"trojanx",
"webshell",
"adposhel",
"union",
"trojanspy",
"webtoolbar",
"blacklist https",
"blacklist",
"command_and_control",
"Fitbit",
"hidden tear",
"google",
"spyware",
"potentially unwanted progams",
"network",
"bundlers",
"aware"
],
"references": [
"https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile",
"https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ZfAoz",
"display_name": "ZfAoz",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "MediaMagnet",
"display_name": "MediaMagnet",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "WisdomEyes.16070401.9500",
"display_name": "WisdomEyes.16070401.9500",
"target": null
},
{
"id": "Wacatac",
"display_name": "Wacatac",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Unruy",
"display_name": "Unruy",
"target": null
},
{
"id": "BlackNET RAT",
"display_name": "BlackNET RAT",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "652b2a8048e6a285461c4a5d",
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1052,
"FileHash-MD5": 173,
"FileHash-SHA1": 168,
"FileHash-SHA256": 3730,
"URL": 2806,
"domain": 446,
"CVE": 17,
"email": 1
},
"indicator_count": 8393,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 218,
"modified_text": "887 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653f19f703614354a606c382",
"name": "Apple iTunes| Malicious site | Anonyization | Siphoning | Trojan Downloader",
"description": "",
"modified": "2023-11-12T17:01:15.222000",
"created": "2023-10-30T02:50:31.950000",
"tags": [
"ssl certificate",
"historical ssl",
"referrer",
"communicating",
"unlocker",
"legal entities",
"using ip",
"amazon aws",
"apple ios",
"passcode",
"attack",
"verified",
"cyber criminal",
"name verdict",
"falcon sandbox",
"united",
"flag",
"date",
"name server",
"markmonitor",
"contains",
"external",
"new relic",
"logo",
"av detection",
"hybrid",
"general",
"click",
"misc attack",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"proxy",
"firehol",
"malware",
"heur",
"cisco umbrella",
"site",
"safe site",
"million",
"alexa top",
"malicious site",
"malware site",
"adware",
"artemis",
"iframe",
"cleaner",
"unsafe",
"riskware",
"opencandy",
"downldr",
"nircmd",
"swrort",
"presenoker",
"wacatac",
"phishing",
"xtrat",
"crack",
"tiggre",
"exploit",
"agent",
"filetour",
"conduit",
"acint",
"systweak",
"behav",
"genkryptik",
"softcnapp",
"fusioncore",
"azorult",
"service",
"runescape",
"facebook",
"bank",
"download",
"xrat",
"gamehack",
"webtoolbar",
"trojanspy",
"maltiverse",
"urls",
"detection list",
"blacklist https",
"path",
"maxage31536000",
"expiressat",
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"pragma",
"html info",
"title kedence",
"official apk",
"meta tags",
"apk download",
"android",
"google tag",
"utc google",
"utc na",
"phishing site",
"anonymizer",
"malicious host",
"driverpack",
"ransomware",
"installcore",
"suppobox",
"patcher",
"generic",
"dropper",
"fakealert",
"quasar rat",
"applicunwnt",
"mimikatz",
"team",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Verified",
"display_name": "Verified",
"target": null
},
{
"id": "Cyber Criminal",
"display_name": "Cyber Criminal",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65298a6839a49a9aa732bcac",
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 250,
"FileHash-SHA1": 80,
"FileHash-SHA256": 2976,
"domain": 757,
"hostname": 1331,
"URL": 3839,
"CVE": 12
},
"indicator_count": 9245,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 218,
"modified_text": "888 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65298a6839a49a9aa732bcac",
"name": "Apple iTunes| Malicious site | Anonyization | Siphoning | Trojan Downloader",
"description": "IC3 attached to links, apple , messaging, Skype.\nIC3 CN?\nChina? Unclear. Possibly intercepting IC3 complaints or linking to FBI to frame targets. Links show attack is Attorney orchestrated. \nSame group of Apple iTune links affected by Java.Trojan.GenericGB, Apple NetWorm Trojan.Buzus, Dropper.Mudrop, GenPack:Trojan.Generic, Worm.Mytob ,Phishing site, Anonymizer , netsky ,worm and other vulnerabilities over time. \u200eSign of the Times \u2013 Album par Dembiak Music \u2013 Apple Music Autonomous Systems: AS714 Apple Inc AS14061 Digital Ocean Inc AS8560 1 1 Internet SE Anonymizer: Proxy - FireHol malicious url, evasive, pua, worm, network, attack, bad actor, targeting",
"modified": "2023-11-12T17:01:15.222000",
"created": "2023-10-13T18:20:24.042000",
"tags": [
"ssl certificate",
"historical ssl",
"referrer",
"communicating",
"unlocker",
"legal entities",
"using ip",
"amazon aws",
"apple ios",
"passcode",
"attack",
"verified",
"cyber criminal",
"name verdict",
"falcon sandbox",
"united",
"flag",
"date",
"name server",
"markmonitor",
"contains",
"external",
"new relic",
"logo",
"av detection",
"hybrid",
"general",
"click",
"misc attack",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"proxy",
"firehol",
"malware",
"heur",
"cisco umbrella",
"site",
"safe site",
"million",
"alexa top",
"malicious site",
"malware site",
"adware",
"artemis",
"iframe",
"cleaner",
"unsafe",
"riskware",
"opencandy",
"downldr",
"nircmd",
"swrort",
"presenoker",
"wacatac",
"phishing",
"xtrat",
"crack",
"tiggre",
"exploit",
"agent",
"filetour",
"conduit",
"acint",
"systweak",
"behav",
"genkryptik",
"softcnapp",
"fusioncore",
"azorult",
"service",
"runescape",
"facebook",
"bank",
"download",
"xrat",
"gamehack",
"webtoolbar",
"trojanspy",
"maltiverse",
"urls",
"detection list",
"blacklist https",
"path",
"maxage31536000",
"expiressat",
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"pragma",
"html info",
"title kedence",
"official apk",
"meta tags",
"apk download",
"android",
"google tag",
"utc google",
"utc na",
"phishing site",
"anonymizer",
"malicious host",
"driverpack",
"ransomware",
"installcore",
"suppobox",
"patcher",
"generic",
"dropper",
"fakealert",
"quasar rat",
"applicunwnt",
"mimikatz",
"team",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Verified",
"display_name": "Verified",
"target": null
},
{
"id": "Cyber Criminal",
"display_name": "Cyber Criminal",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 25,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 250,
"FileHash-SHA1": 80,
"FileHash-SHA256": 2976,
"domain": 757,
"hostname": 1331,
"URL": 3839,
"CVE": 12
},
"indicator_count": 9245,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "888 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653f1d23d050527b7aa07cfd",
"name": "Remote Access Related | APK attack targets independent artists",
"description": "",
"modified": "2023-11-12T07:01:14.580000",
"created": "2023-10-30T03:04:03.323000",
"tags": [
"alexa top",
"blacklist",
"phishing",
"million",
"site",
"cisco umbrella",
"path",
"maxage31536000",
"expiressat",
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"pragma",
"html info",
"title kedence",
"official apk",
"meta tags",
"apk download",
"android",
"google tag",
"utc google",
"utc na",
"whois record",
"contacted",
"ssl certificate",
"communicating",
"referrer",
"historical ssl",
"bundled",
"resolutions",
"contacted urls",
"hackers install",
"malware",
"fakedout threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"united",
"phishing site",
"malware site",
"malicious site",
"heur",
"anonymizer",
"malicious host",
"crack",
"maltiverse",
"driverpack",
"ransomware",
"opencandy",
"artemis",
"riskware",
"installcore",
"suppobox",
"bank",
"agent",
"patcher",
"generic",
"t",
"safe site",
"iframe",
"downldr",
"presenoker",
"exploit",
"genkryptik",
"dropper",
"fakealert",
"quasar rat",
"xtrat",
"softcnapp",
"cleaner",
"xrat",
"applicunwnt",
"mimikatz",
"team",
"azorult",
"service",
"runescape",
"facebook",
"download",
"logo analysis",
"size81b type",
"mime",
"scan10132023",
"results",
"multi scan",
"analysis",
"update",
"view details",
"na visit",
"sansx22",
"3px 3px",
"indicator",
"file",
"general",
"email address",
"pattern match",
"ck id",
"t1114",
"show technique",
"mitre att",
"ck matrix",
"script",
"antivirus",
"svg scalable",
"vector graphics",
"span",
"twitter",
"hybrid",
"ascii text",
"appdata",
"windows nt",
"png image",
"jpeg image",
"jfif",
"date",
"flag",
"markmonitor",
"name server",
"server",
"enom",
"whois privacy",
"cloudflare",
"domain address",
"show",
"osint",
"f8f9fa",
"eeeeee",
"click",
"unknown",
"open",
"error",
"body",
"hosts",
"strings",
"class",
"critical",
"meta",
"scroll",
"atom"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "T",
"display_name": "T",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6528fa2179cc1554d7f434c6",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 713,
"FileHash-MD5": 1104,
"FileHash-SHA1": 585,
"FileHash-SHA256": 2385,
"hostname": 1054,
"URL": 3596,
"CVE": 5,
"FilePath": 1
},
"indicator_count": 9443,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 218,
"modified_text": "889 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6528fa2179cc1554d7f434c6",
"name": "Remote Access Related | APK attack targets independent artists",
"description": "Suppression, malware,\nPassword,Exploit/Shellcode *Defacement *Unsafe.AI_Score_ * FileRepMetagen [PUP]\nrevenge-rat,stealer,, Steganos Software GmbH Privacy Suite, Ransom_WannaCrypt.R002C0DJO20,\nWacatac.B, Trojan.HideLink, SuppoBox,Trojan.Downloader.Generic, TrojWare.JS.Obfuscated, Phish.HHH, Phishing_Netflix.EVT, Phishing.Microsoft,Trojan.AvsHepter, HTML:PhishingBank, Phishing.fz, Probably, Heur.HTMLUnescapeF, BehavesLike.HTML.SMSSendPhishing.S23, Gen:Variant.Zbot, BehavesLike.HTML.Faceliker",
"modified": "2023-11-12T07:01:14.580000",
"created": "2023-10-13T08:04:49.722000",
"tags": [
"alexa top",
"blacklist",
"phishing",
"million",
"site",
"cisco umbrella",
"path",
"maxage31536000",
"expiressat",
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"pragma",
"html info",
"title kedence",
"official apk",
"meta tags",
"apk download",
"android",
"google tag",
"utc google",
"utc na",
"whois record",
"contacted",
"ssl certificate",
"communicating",
"referrer",
"historical ssl",
"bundled",
"resolutions",
"contacted urls",
"hackers install",
"malware",
"fakedout threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"united",
"phishing site",
"malware site",
"malicious site",
"heur",
"anonymizer",
"malicious host",
"crack",
"maltiverse",
"driverpack",
"ransomware",
"opencandy",
"artemis",
"riskware",
"installcore",
"suppobox",
"bank",
"agent",
"patcher",
"generic",
"t",
"safe site",
"iframe",
"downldr",
"presenoker",
"exploit",
"genkryptik",
"dropper",
"fakealert",
"quasar rat",
"xtrat",
"softcnapp",
"cleaner",
"xrat",
"applicunwnt",
"mimikatz",
"team",
"azorult",
"service",
"runescape",
"facebook",
"download",
"logo analysis",
"size81b type",
"mime",
"scan10132023",
"results",
"multi scan",
"analysis",
"update",
"view details",
"na visit",
"sansx22",
"3px 3px",
"indicator",
"file",
"general",
"email address",
"pattern match",
"ck id",
"t1114",
"show technique",
"mitre att",
"ck matrix",
"script",
"antivirus",
"svg scalable",
"vector graphics",
"span",
"twitter",
"hybrid",
"ascii text",
"appdata",
"windows nt",
"png image",
"jpeg image",
"jfif",
"date",
"flag",
"markmonitor",
"name server",
"server",
"enom",
"whois privacy",
"cloudflare",
"domain address",
"show",
"osint",
"f8f9fa",
"eeeeee",
"click",
"unknown",
"open",
"error",
"body",
"hosts",
"strings",
"class",
"critical",
"meta",
"scroll",
"atom"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "T",
"display_name": "T",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 31,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 713,
"FileHash-MD5": 1104,
"FileHash-SHA1": 585,
"FileHash-SHA256": 2385,
"hostname": 1054,
"URL": 3596,
"CVE": 5,
"FilePath": 1
},
"indicator_count": 9443,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "889 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "652a97aa526adfee6ea546d1",
"name": "note.html [Pulse by OctoSeek]",
"description": "",
"modified": "2023-10-24T17:02:05.352000",
"created": "2023-10-14T13:29:14.460000",
"tags": [
"ssl certificate",
"whois record",
"resolutions",
"communicating",
"referrer",
"apple",
"historical ssl",
"subdomains",
"contacted",
"hacktool",
"united",
"et info",
"flag",
"bad traffic",
"date",
"tls handshake",
"failure",
"misc activity",
"external ip",
"server",
"blacklist",
"unknown malware",
"threatfox",
"ssdeep",
"file type",
"html internet",
"magic html",
"ascii text",
"trid hypertext",
"markup language",
"file size",
"submission",
"analysis",
"rules not",
"not found",
"mitre",
"info ids",
"found sigma",
"found",
"files not",
"found network",
"ja3 mitre",
"ta0007 command",
"Pattern match: \"bootstrap@4.4.1\"",
"Pattern match: \"popper.js@1.16.0\"",
"100.0% (.HTML) HyperText Markup Language",
"Attempts to identify its external IP address",
"0x2b3861",
"0x1f264c",
"0x1e9f6a",
"0x45b62b",
"0xac498a",
"0x574ac1",
"0x4919e6window",
"uint8array",
"0x4919e6",
"html file",
"url https",
"file name",
"tag summary",
"mitre1 iocs8",
"images embedded",
"codes comments0",
"category value",
"url http",
"toolbar",
"evasive"
],
"references": [
"https://www.hybrid-analysis.com/sample/92a5be2893743435b79e94aa64a74233a2240fd790ca948e1cb046da5b4072f1/651057d67b30f0a0990f71ee",
"SHA256 92a5be2893743435b79e94aa64a74233a2240fd790ca948e1cb046da5b4072f1",
"Web Tools",
"Other online research",
"Analysis"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ThreatFox",
"display_name": "ThreatFox",
"target": null
},
{
"id": "HEUR:Trojan.BAT",
"display_name": "HEUR:Trojan.BAT",
"target": null
},
{
"id": "Vdehu.A",
"display_name": "Vdehu.A",
"target": null
},
{
"id": "Trojan.JS.ObfJS",
"display_name": "Trojan.JS.ObfJS",
"target": null
},
{
"id": "Dropper.Dapato",
"display_name": "Dropper.Dapato",
"target": null
}
],
"attack_ids": [
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6510efe0ef29f9f05b4a7dbc",
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1422,
"URL": 2694,
"FileHash-MD5": 31,
"FileHash-SHA1": 29,
"domain": 481,
"hostname": 909,
"CVE": 2
},
"indicator_count": 5568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "907 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "651349097e0dee296da611fc",
"name": "note.html",
"description": "",
"modified": "2023-10-24T17:02:05.352000",
"created": "2023-09-26T21:11:37.530000",
"tags": [
"ssl certificate",
"whois record",
"resolutions",
"communicating",
"referrer",
"apple",
"historical ssl",
"subdomains",
"contacted",
"hacktool",
"united",
"et info",
"flag",
"bad traffic",
"date",
"tls handshake",
"failure",
"misc activity",
"external ip",
"server",
"blacklist",
"unknown malware",
"threatfox",
"ssdeep",
"file type",
"html internet",
"magic html",
"ascii text",
"trid hypertext",
"markup language",
"file size",
"submission",
"analysis",
"rules not",
"not found",
"mitre",
"info ids",
"found sigma",
"found",
"files not",
"found network",
"ja3 mitre",
"ta0007 command",
"Pattern match: \"bootstrap@4.4.1\"",
"Pattern match: \"popper.js@1.16.0\"",
"100.0% (.HTML) HyperText Markup Language",
"Attempts to identify its external IP address",
"0x2b3861",
"0x1f264c",
"0x1e9f6a",
"0x45b62b",
"0xac498a",
"0x574ac1",
"0x4919e6window",
"uint8array",
"0x4919e6",
"html file",
"url https",
"file name",
"tag summary",
"mitre1 iocs8",
"images embedded",
"codes comments0",
"category value",
"url http",
"toolbar",
"evasive"
],
"references": [
"https://www.hybrid-analysis.com/sample/92a5be2893743435b79e94aa64a74233a2240fd790ca948e1cb046da5b4072f1/651057d67b30f0a0990f71ee",
"SHA256 92a5be2893743435b79e94aa64a74233a2240fd790ca948e1cb046da5b4072f1",
"Web Tools",
"Other online research",
"Analysis"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ThreatFox",
"display_name": "ThreatFox",
"target": null
},
{
"id": "HEUR:Trojan.BAT",
"display_name": "HEUR:Trojan.BAT",
"target": null
},
{
"id": "Vdehu.A",
"display_name": "Vdehu.A",
"target": null
},
{
"id": "Trojan.JS.ObfJS",
"display_name": "Trojan.JS.ObfJS",
"target": null
},
{
"id": "Dropper.Dapato",
"display_name": "Dropper.Dapato",
"target": null
}
],
"attack_ids": [
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6510efe0ef29f9f05b4a7dbc",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1422,
"URL": 2694,
"FileHash-MD5": 31,
"FileHash-SHA1": 29,
"domain": 481,
"hostname": 909,
"CVE": 2
},
"indicator_count": 5568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "907 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6510efe0ef29f9f05b4a7dbc",
"name": "note.html",
"description": "Malicious",
"modified": "2023-10-24T17:02:05.352000",
"created": "2023-09-25T02:26:40.583000",
"tags": [
"ssl certificate",
"whois record",
"resolutions",
"communicating",
"referrer",
"apple",
"historical ssl",
"subdomains",
"contacted",
"hacktool",
"united",
"et info",
"flag",
"bad traffic",
"date",
"tls handshake",
"failure",
"misc activity",
"external ip",
"server",
"blacklist",
"unknown malware",
"threatfox",
"ssdeep",
"file type",
"html internet",
"magic html",
"ascii text",
"trid hypertext",
"markup language",
"file size",
"submission",
"analysis",
"rules not",
"not found",
"mitre",
"info ids",
"found sigma",
"found",
"files not",
"found network",
"ja3 mitre",
"ta0007 command",
"Pattern match: \"bootstrap@4.4.1\"",
"Pattern match: \"popper.js@1.16.0\"",
"100.0% (.HTML) HyperText Markup Language",
"Attempts to identify its external IP address",
"0x2b3861",
"0x1f264c",
"0x1e9f6a",
"0x45b62b",
"0xac498a",
"0x574ac1",
"0x4919e6window",
"uint8array",
"0x4919e6",
"html file",
"url https",
"file name",
"tag summary",
"mitre1 iocs8",
"images embedded",
"codes comments0",
"category value",
"url http",
"toolbar",
"evasive"
],
"references": [
"https://www.hybrid-analysis.com/sample/92a5be2893743435b79e94aa64a74233a2240fd790ca948e1cb046da5b4072f1/651057d67b30f0a0990f71ee",
"SHA256 92a5be2893743435b79e94aa64a74233a2240fd790ca948e1cb046da5b4072f1",
"Web Tools",
"Other online research",
"Analysis"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ThreatFox",
"display_name": "ThreatFox",
"target": null
},
{
"id": "HEUR:Trojan.BAT",
"display_name": "HEUR:Trojan.BAT",
"target": null
},
{
"id": "Vdehu.A",
"display_name": "Vdehu.A",
"target": null
},
{
"id": "Trojan.JS.ObfJS",
"display_name": "Trojan.JS.ObfJS",
"target": null
},
{
"id": "Dropper.Dapato",
"display_name": "Dropper.Dapato",
"target": null
}
],
"attack_ids": [
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1422,
"URL": 2694,
"FileHash-MD5": 31,
"FileHash-SHA1": 29,
"domain": 481,
"hostname": 909,
"CVE": 2
},
"indicator_count": 5568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "907 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "620c3b1f8af7ea0dcf2c1218",
"name": "Jeeng / Powerbox",
"description": "",
"modified": "2022-06-12T22:01:23.105000",
"created": "2022-02-15T23:45:35.234000",
"tags": [
"Jeeng",
"tim pool",
"timcast"
],
"references": [
"cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scnrscnr",
"id": "126475",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 9072,
"domain": 2500,
"URL": 13548,
"hostname": 3584,
"FileHash-MD5": 197,
"FileHash-SHA1": 162,
"CVE": 3,
"CIDR": 20,
"SSLCertFingerprint": 2,
"email": 19,
"BitcoinAddress": 1
},
"indicator_count": 29108,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 97,
"modified_text": "1406 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "60e6c1075f3f5592cb7d80d2",
"name": "Jack Posobiec\u2019s Pay-share.com Bonanza",
"description": "Looks like a dead site, talks like a dead site, walks like a dead site, isn\u2019t a dead nor parked site.",
"modified": "2022-06-09T00:00:13.607000",
"created": "2021-07-08T09:10:31.087000",
"tags": [
"enable javascript",
"browser",
"internet explorer",
"firefox",
"chrome",
"safari",
"opera",
"codes fire",
"stick tricks",
"coupons knoji",
"discount codes",
"best uk",
"hosting omega",
"media hoekbank",
"leasen",
"writers per",
"hour frskrat"
],
"references": [
"https://www.pay-share.com/",
"http://www.enable-javascript.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scnrscnr",
"id": "126475",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3887,
"hostname": 1423,
"FileHash-SHA256": 2044,
"domain": 675,
"FileHash-MD5": 245,
"FileHash-SHA1": 212,
"CIDR": 18,
"email": 10,
"CVE": 3,
"SSLCertFingerprint": 6
},
"indicator_count": 8523,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 99,
"modified_text": "1410 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "627b806be644fbc56410ea90",
"name": "DDOS Attack",
"description": "",
"modified": "2022-05-11T09:22:51.290000",
"created": "2022-05-11T09:22:51.290000",
"tags": [
"soap-demo.xyz",
"associations",
"lapsus"
],
"references": [
"soap-demo.xyz"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "623d1ab277bbaca57464872b",
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "ALSHOBAKI",
"id": "192458",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 519,
"hostname": 182,
"domain": 190,
"URL": 528,
"FileHash-SHA1": 2
},
"indicator_count": 1421,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 42,
"modified_text": "1439 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "623d1ab277bbaca57464872b",
"name": "lapsus known associations",
"description": "",
"modified": "2022-04-24T00:01:15.470000",
"created": "2022-03-25T01:28:18.545000",
"tags": [
"soap-demo.xyz",
"associations",
"lapsus"
],
"references": [
"soap-demo.xyz"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 519,
"hostname": 182,
"domain": 190,
"URL": 528,
"FileHash-SHA1": 2
},
"indicator_count": 1421,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 392,
"modified_text": "1456 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "623b7febb8bc01a01e42ab3d",
"name": "Democracy.works_3.23.22",
"description": "",
"modified": "2022-04-22T00:03:50.614000",
"created": "2022-03-23T20:15:39.720000",
"tags": [],
"references": [
"Democracy.works_3.23.22..pdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 10812,
"hostname": 2537,
"domain": 1018,
"FileHash-SHA256": 3788,
"CVE": 2,
"FileHash-MD5": 2,
"FileHash-SHA1": 1
},
"indicator_count": 18160,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 412,
"modified_text": "1458 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "623920a2146150d2d8525a73",
"name": "DEMOCRACY.WORKS",
"description": "",
"modified": "2022-04-20T00:02:21.571000",
"created": "2022-03-22T01:04:34.472000",
"tags": [],
"references": [
"DEMOCRACY.WORKS.pdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 9861,
"domain": 945,
"hostname": 2031,
"FileHash-SHA256": 3611,
"CVE": 1,
"FileHash-MD5": 2,
"FileHash-SHA1": 1
},
"indicator_count": 16452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 414,
"modified_text": "1460 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62310336c0071a6c73cd7c34",
"name": "AppleAutoUpdate",
"description": "",
"modified": "2022-04-14T00:01:40.805000",
"created": "2022-03-15T21:20:54.633000",
"tags": [
"WannaCry",
"Apple Zero Day"
],
"references": [
"AppleAutoUpdate.pdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Ransomware.WannaCry-9856297-0",
"display_name": "Win.Ransomware.WannaCry-9856297-0",
"target": null
}
],
"attack_ids": [],
"industries": [
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4607,
"hostname": 1953,
"domain": 619,
"FileHash-SHA256": 2226
},
"indicator_count": 9405,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 411,
"modified_text": "1466 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6216651300b16bc2a50500e6",
"name": "Neustar.biz",
"description": "",
"modified": "2022-03-25T00:03:52.440000",
"created": "2022-02-23T16:47:15.827000",
"tags": [
"whois record",
"ssl certificate",
"whois",
"registry",
"biz registry",
"operator",
"historical ssl",
"graph summary",
"atreya",
"neustar",
"july",
"am manos",
"antonakakis",
"burke",
"joffe",
"foster",
"dejong",
"robinson",
"steve dejong",
"mark robinson",
"win32 exe",
"microsoft",
"date",
"subdomains",
"communicating",
"detections type",
"name",
"server",
"redacted for",
"domain status",
"privacy tech",
"privacy admin",
"algorithm",
"key identifier",
"x509v3 subject",
"country",
"umbrella",
"code"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 656,
"URL": 1305,
"domain": 248,
"FileHash-SHA256": 584,
"CVE": 1,
"email": 7,
"FileHash-SHA1": 6,
"FileHash-MD5": 5
},
"indicator_count": 2812,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 407,
"modified_text": "1486 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"soap-demo.xyz",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"https://es.pornhat.com/models/the-sex-creator/",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile",
"http://www.enable-javascript.com/",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"Democracy.works_3.23.22..pdf",
"Can the DoD no questions asked target a SA victim",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"iamrobert.com Y.A.S.",
"Other online research",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"If someone is believed to be a threat they have right to due process.",
"There is fear in silence or speaking out",
"https://www.hybrid-analysis.com/sample/92a5be2893743435b79e94aa64a74233a2240fd790ca948e1cb046da5b4072f1/651057d67b30f0a0990f71ee",
"https://meumundogay-com.sexogratis.page/locker",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"I am very upset. Whoever is doing this is sick.",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://www.pay-share.com/",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"Target agreed and complied with all lie detector measures.",
"Analysis",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0",
"Web Tools",
"DEMOCRACY.WORKS.pdf",
"AppleAutoUpdate.pdf",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"SHA256 92a5be2893743435b79e94aa64a74233a2240fd790ca948e1cb046da5b4072f1",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"[Unnamed group]"
],
"malware_families": [
"Zfaoz",
"Riskware.crack",
"Trojan.rozena",
"Redline stealer",
"Downloader.generic",
"Trojan.ransom.generickd",
"Sigriskware.lespeedtechnologyltd",
"Vm201.0.b70b.malware",
"Xtreme rat",
"Downldr.gen",
"Trojan.otnr",
"Trojan.brsecmon",
"Unsafe.ai_score_95% 2",
"Vdehu.a",
"Generic.asmalws",
"Trojan.gandcrypt",
"Emotet",
"Hacktool.cheatengine",
"Quasar rat",
"Trojan.js.iframe",
"Generic.js.blackhole",
"Goldmax - s0588",
"Riskware.netfilter",
"Msil_bladabindi.g.gen",
"Trojandropper.autit",
"Darkkomet.ife",
"Heur:trojan.bat",
"Gen:nn.zemsilf.32515",
"W32.malware",
"Gen:heur.msil.inject",
"Behaveslike.downloader",
"Gen:variant.symmi",
"Virus.sality",
"Worm.autorun",
"Bscope.trojan",
"Cyber criminal",
"Magazine phishing",
"Agent.cux.gen",
"Trojan.msil",
"Driverreviver.a potentially unwanted",
"Installcore.gen7",
"Deepscan:generic.brresmon.1",
"Gen:nn.zemsilf.34170",
"Trojan.downloader33",
"Cve-2014-3153",
"Backdoor.nhopro",
"Gen:variant.ursu",
"Trojanbanker.banbra",
"Maltiverse",
"Scrinject.b",
"Trojan.bayrob",
"Packed.dico",
"Goldfinder",
"Agen.1045143",
"Tel:trojan:html/phishing",
"Behaveslike.icloader",
"Azorult",
"Phishing jpmorgan chase and co.",
"Hw32.packed",
"Trojan.clipbanker",
"Kryptik.dawvk",
"Html:script",
"Kryptik",
"Worm.allaple",
"Trojan.khalesi 2\tadware 2",
"Applicunwnt@#2n6\tirs",
"Csqkhtaai",
"Pup.systweak",
"W32.installcore.agx",
"Generic.application.js.sobrab.1",
"Gen:heur.msil.androm",
"Clicker.vb",
"Backdoor.predator",
"Heur:hoax.pcfixer",
"Dropper.gen",
"Adwaresig [adw]",
"Hoax.deceptpcclean",
"Redirector.an",
"Trojan.cookiesstealer",
"Heur.bzc.yax.boxter.819",
"Riskware.hacktool.agent",
"Bscope.adware.msil",
"Gen:variant.jacard",
"Downware",
"Sabsik.fl.b",
"Trojan.wisdomeyes.16070401.9500",
"Gen:variant.bulz",
"Bscope.trojandownloader",
"Trojan.downloader",
"Injector.cuam",
"Downloader.opencandy",
"Blacknet rat",
"Gen:nn.zexaf.34090",
"Backdoor.androm",
"Application.auslogics",
"Dropper.trojan.agent",
"Verified",
"Gen:variant.application.bundler",
"Bscope.backdoor",
"Bondat.a",
"Googletoolbar",
"Absolute uninstaller",
"Installcore.np",
"Asparnet.p",
"Webtoolbar.asparnet",
"Freemake.a potentially unwanted",
"Scrinject.eric",
"Remote utilities",
"Packed.themida",
"Vb:trojan.valyria",
"Gen:variant.tedy hacktool.vulndriver",
"Trojan:win32/tiggre",
"W32.hfsautob",
"Kryptik.gkqr",
"Dropper.wanna",
"Mxresicn.heur",
"Gen:variant.application.bundler.downloadguide",
"Worm.boychi",
"Gen:variant.msilheracles",
"Worm.chir",
"Trojan.js.obfjs",
"Application.bitcoinminer",
"Exploit.zip.heuristic",
"Qvm05.1.08e5.malware",
"Trojan.small",
"Sibot",
"Heur:exploit.script",
"T",
"Apnic",
"Program.freemake",
"Nettool.remoteexec",
"Cve exploits",
"Agen.1144657",
"Trojan.bat.qhost",
"Tool.patcher",
"Unsafe.ai_score_94%",
"Trojan:win32/xtrat",
"Pua.wombat",
"Html:redirme",
"Agent.mu",
"Adware.dealply",
"Trojan.win32.pdf.alien",
"Js:trojan.hidelink 2",
"Warezov.gen3",
"Adware",
"Trojan.hotkeychick",
"Trojan.linux.generic",
"Js:trojan.clicker",
"Malicious.f01f67",
"Trojan.ransom.gandcrab",
"Mimikatz",
"Tsgeneric",
"Backdoor.dtr.15",
"Application.deceptor",
"Wisecleaner.a potentially unwanted",
"Webtoolbar",
"Faceliker.d",
"Hacktool.bruteforce",
"Adware.kuzitui",
"Mediamagnet",
"Wacatac.b",
"Doplik.j",
"Suspici.1f4405d1",
"Pe.heur",
"Win.ransomware.wannacry-9856297-0",
"Threatfox",
"Hacktool.crack",
"Nemucod.21c8",
"Agent.ocj",
"Infected.webpage",
"Zbot",
"Wisdomeyes.16070401.9500",
"Adware.oxypumper",
"Dropper.dapato",
"Unruy",
"Troj_gen.f04ie00ci19",
"Adware.browsefoxcrtd",
"Ml.attribute",
"Gamehack",
"Html:redirba",
"Wacatac",
"Malware",
"Cobalt strike",
"Heur:trojan.diztakun",
"Trojanspy",
"Mimikatz - s0002",
"Trojware.js.adware.agent"
],
"industries": [
"Health",
"Technology"
],
"unique_indicators": 163220
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/m80fg.com",
"whois": "http://whois.domaintools.com/m80fg.com",
"domain": "m80fg.com",
"hostname": "p.d.m80fg.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 50,
"pulses": [
{
"id": "69d4ea4cd61063d5bfa2228a",
"name": "Floki",
"description": "",
"modified": "2026-04-07T19:22:26.637000",
"created": "2026-04-07T11:28:12.812000",
"tags": [
"html document",
"ascii text",
"html"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 61,
"FileHash-SHA1": 61,
"FileHash-SHA256": 68,
"IPv4": 28,
"domain": 34,
"hostname": 219,
"URL": 145
},
"indicator_count": 616,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "11 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65a836104ede1963b0502042",
"name": "Not even Google",
"description": "https://shadow.googlecnapps.cn\njoshuajenkinslaw.com",
"modified": "2024-02-16T17:02:44.115000",
"created": "2024-01-17T20:18:24.316000",
"tags": [
"ssl certificate",
"threat roundup",
"whois record",
"march",
"october",
"contacted",
"july",
"april",
"june",
"roundup",
"august",
"copy",
"execution",
"plugx",
"goldfinder",
"sibot",
"hacktool",
"february",
"ransomexx",
"ermac",
"emotet",
"agent tesla",
"nokoyawa"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1315,
"URL": 1384,
"domain": 327,
"hostname": 516,
"FileHash-MD5": 19,
"FileHash-SHA1": 19
},
"indicator_count": 3580,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "792 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a958f96f9b29641ea020",
"name": "Fitbit app link IoC's",
"description": "",
"modified": "2023-12-06T17:03:20.219000",
"created": "2023-12-06T17:03:20.219000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 17,
"FileHash-SHA256": 3730,
"hostname": 1052,
"domain": 446,
"URL": 2806,
"FileHash-MD5": 173,
"FileHash-SHA1": 168,
"email": 1
},
"indicator_count": 8393,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a927b24b94cdd5d344d1",
"name": "Fitbit app link IoC's",
"description": "",
"modified": "2023-12-06T17:02:31.854000",
"created": "2023-12-06T17:02:31.854000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 17,
"FileHash-SHA256": 3730,
"hostname": 1052,
"domain": 446,
"URL": 2806,
"FileHash-MD5": 173,
"FileHash-SHA1": 168,
"email": 1
},
"indicator_count": 8393,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a91b1702fdce6c496a1e",
"name": "note.html [Pulse by OctoSeek]",
"description": "",
"modified": "2023-12-06T17:02:19.096000",
"created": "2023-12-06T17:02:19.096000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 909,
"CVE": 2,
"FileHash-SHA256": 1422,
"domain": 481,
"URL": 2694,
"FileHash-MD5": 31,
"FileHash-SHA1": 29
},
"indicator_count": 5568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 112,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a8d167202b93ee502ff8",
"name": "Apple iTunes| Malicious site | Anonyization | Siphoning | Trojan Downloader",
"description": "",
"modified": "2023-12-06T17:01:05.291000",
"created": "2023-12-06T17:01:05.291000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 12,
"URL": 3839,
"hostname": 1331,
"FileHash-SHA256": 2976,
"domain": 757,
"FileHash-MD5": 250,
"FileHash-SHA1": 80
},
"indicator_count": 9245,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a8bf416a1c314819ea53",
"name": "Remote Access Related | APK attack targets independent artists",
"description": "",
"modified": "2023-12-06T17:00:47.888000",
"created": "2023-12-06T17:00:47.888000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 5,
"FileHash-SHA256": 2385,
"hostname": 1054,
"domain": 713,
"URL": 3595,
"FileHash-MD5": 1104,
"FileHash-SHA1": 585,
"FilePath": 1
},
"indicator_count": 9442,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a69b0f11713d9e4d0153",
"name": "note.html",
"description": "",
"modified": "2023-12-06T16:51:39.617000",
"created": "2023-12-06T16:51:39.617000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 909,
"CVE": 2,
"FileHash-SHA256": 1422,
"domain": 481,
"URL": 2694,
"FileHash-MD5": 31,
"FileHash-SHA1": 29
},
"indicator_count": 5568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://p.d.m80fg.com",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://p.d.m80fg.com",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776615364.89786
}