{ "type": "URL", "indicator": "https://pay.c127.decagonsoftware.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://pay.c127.decagonsoftware.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4117572728, "indicator": "https://pay.c127.decagonsoftware.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 17, "pulses": [ { "id": "696ac438a696c993b672106d", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:05:28.261000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696ac4327b5bc2e8be34f78a", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:05:22.323000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696ac416596cd89cf76bce55", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:04:53.997000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6961a8ed7b492f9e0ba38990", "name": "HeartSender.A and other Malware attacks originating from Palantirs Pahamify Pegasus", "description": "Pahamify Pegasus : HackTool \u2022 Speedcat \u2022 HeartSender.A \u2022 Zbot and other malware found.\nSearc begins with single FileHash referenced below. \nI\u2019m checking the processes and sharing it here one group at a time. Too much research at once could bring Amazon AWS down. Again.", "modified": "2026-02-09T00:04:37.974000", "created": "2026-01-10T01:18:36.999000", "tags": [ "read c", "write c", "port", "destination", "united", "medium", "as16509", "memcommit", "write", "execution", "dock", "persistence", "next executed", "commands graph", "tree", "sample hash", "passive dns", "present jan", "title error", "urls", "files", "date hash", "avast avg", "dynamicloader", "host", "utf8", "unicode text", "crlf line", "binary resource", "ms windows", "search", "intel", "pcspeedcat", "win32", "internal", "malware", "local", "unknown", "get na", "http", "okrnserver", "ip address", "http traffic", "guard", "powershell", "ipv4 add", "servers", "name servers", "capture", "link", "gateway", "tofsee att", "ck ids", "t1055", "injection", "t1071", "protocol", "t1573", "target", "url http", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "t1480 execution", "discovery att", "mitre att", "ck matrix", "ascii text", "hybrid", "general", "path", "click", "strings", "high", "etpro malware", "next", "stack", "format", "error", "unicode", "head http", "regsetvalueexa", "qt binary", "resource file", "pe32", "hostile", "unknown aaaa", "unknown ns", "x content", "gmt cache", "domain add", "title", "present sep", "a td", "td tr", "dir td", "td td", "present may", "present jun", "present apr", "present aug", "present oct", "head body", "gmt server", "index", "main", "accept", "status", "th tr", "moved", "record value", "expiration date", "germany unknown", "present dec", "cache control", "present nov", "max age1000000", "cookie", "hosting", "reverse dns", "location france", "france asn", "as16276", "trojandropper", "next associated", "mtb jan", "exploit", "emails", "trojan", "pegasus", "hostname add", "url analysis", "domain", "files ip", "address", "france unknown", "asn as16276", "backdoor", "entries", "setcookie", "twitter", "refloadapihash", "virtool", "show", "displayname", "windows", "rndhex", "tofsee", "stream", "encrypt", "push", "creation date", "france", "date", "body", "pup", "amazon", "amazon aws", "salesforce", "herokuappdev", "google", "igoogle", "monitored target", "cats" ], "references": [ "FileHash-SHA256\t9f66cab9d7c581cf2dd28b6ae3178bb3d38975ff257c3ffb67c3e89d0f7135ee", "https://otx.alienvault.com/indicator/ip/3.163.24.10", "External Hosts: 52.57.183.74\t access.pcspeedcat.com\taccess.pcspeedcat.com\tGermany\tAS16509 amazon.com inc\taccess.pcspeedcat.com Germany AS16509 amazon.", "External Hosts: 3.163.24.10\t www.pcspeedcat.com\twww.pcspeedcat.com\tUnited States ASNone", "https://otx.alienvault.com/indicator/hostname/pegasus.pahamify.com", "https://otx.alienvault.com/indicator/url/https://pegasus.pahamify.com/", "https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV", "http://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV", "biblegateway.comwww.biblegateway.com \u2022 www.biblegateway.com", "Malicious Application Development: herokuappdev.com (Patter match 8 years +)", "direwolf-8b1a1bc476.staging.herokuappdev.com", "Malicious Application Development: herokuappdev.com (pattern matching spans 8+ years)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Generic-9871124-0", "display_name": "Win.Malware.Generic-9871124-0", "target": null }, { "id": "ALF:HackTool:MSIL/HeartSender.A", "display_name": "ALF:HackTool:MSIL/HeartSender.A", "target": null }, { "id": "Win.Malware.Speedcat-6957425", "display_name": "Win.Malware.Speedcat-6957425", "target": null }, { "id": "Tofsee Attack", "display_name": "Tofsee Attack", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 404, "FileHash-SHA1": 286, "FileHash-SHA256": 1419, "SSLCertFingerprint": 7, "domain": 441, "URL": 4233, "hostname": 1217, "email": 10 }, "indicator_count": 8017, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "69 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6958780c8479a9d69920c3d8", "name": "Telnet - Mirai \u2022 Dark Nexus BusyBox iOS Attack", "description": "There\u2019s enough here to cause an outage. I will stop here. Illegal activities to silence victim and block her from financial settlement award for permanent injuries under workers compensation in a premise and healthcare worker assault scenario. Attorneys estimated her case to be above $100 million but knew she\u2019d be tampered with. Mark Montano MD forewarned her but is culpable. Still attacking family of victim.\n[ True- otx auto generated: Adversaries may be able to gain access to a victim's network through a drive-by attack, as well as using a short-term SSL certificate, in order to target the victim.] |||\nPositive:\nT1140 - Deobfuscate/Decode Files or Information\nSuspicious IP Address\n104.21.51.140, 172.67.181.41\nLocation United States ASN\nModif AS13335 cloudflare\nAutomate Nameservers:\nns1.colocrossing.com.", "modified": "2026-02-02T01:02:46.327000", "created": "2026-01-03T01:59:40.530000", "tags": [ "united", "moved", "title", "passive dns", "ipv4 add", "urls", "files", "hosting", "reverse dns", "location united", "hash avast", "avg clamav", "msdefender mar", "read c", "create c", "medium", "search", "memcommit", "high", "checks", "windows", "execution", "dock", "write", "persistence", "capture", "local", "ref b", "wed may", "backdoor", "mtb aug", "next associated", "mtb dec", "twitter", "smoke loader", "malware", "virtool", "hacktool", "data upload", "present dec", "mtb apr", "win32", "trojan", "worm", "lowfi", "cybota", "expiration date", "name servers", "ipv4", "url analysis", "port", "destination", "telnet login", "bad login", "gpl telnet", "suspicious path", "busybox", "tcp syn", "et telnet", "path", "mirai", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "america", "ck id", "name tactics", "suspicious", "informative", "learn", "t1179 hooking", "installs", "t1035 service", "adversaries", "msie", "windows nt", "slcc2", "media center", "y013", "flag", "span", "accept", "core", "february", "hybrid", "malicious", "general", "click", "strings", "roboto", "next", "usa windows", "finished", "queueprogress", "timestamp input", "threat level", "october", "september", "hwp support", "fresh", "win64", "khtml", "gecko", "brand", "microsoft edge", "programfiles", "comspec", "model", "iframe", "form", "listeners", "initial access", "t1590 gather", "victim network", "ssl certificate", "quasi government", "jeffrey reimer", "palantir", "Regis university", "otx hp", "apple", "pegasus", "h5 data center", "florence colorado", "brian sabey", "target : Tsara Brasheaers", "aig", "industry and commerce", "united states", "State of Colorado.", "date", "status", "domain", "hostname add", "pulse pulses", "files ip", "address", "url https", "url http", "hostname", "show", "type indicator", "source hostname", "entries", "Prometheus Intelligence Technology", "pulse submit", "america flag", "body", "dynamicloader", "microsoft azure", "tls issuing", "named pipe", "json", "ascii text", "lredmond", "Apple", "Telnet", "BusyBox", "Pegasus", "Colorado State Fixer: Christopher P. Ahmann", "Hijacker: Brian Sabey", "For: Concentra", "Protecting Assaulter: Jeffrey Reimer", "For: AIG", "For Industry and Commerce", "For: Quasi Government", "For: Workers Compensation", "Authorities", "Law Enforcement Dark", "Silencing", "Tampering with a Victim", "Meta", "Palantir", "Google", "Bing", "Microsoft", "ColoCrossing", "Associates", "hit men" ], "references": [ "ET Telnet | https://www.colocrossing.com | velocity servers", "https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives", "TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host", "Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)", "(legitimate services will remain up-and-running usually) High | ID dead_host", "ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0", "IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login", "Yara Detections is__elf", "Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Yara Detections is__elf , ELFHighEntropy , elf_empty_sections", "http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/", "https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l", "https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!", "https://www.colocrossing.com/", "(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.", "In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov", "104.21.51.140, 172.67.181.41", "Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot", "stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe", "Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download", "Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration", "IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192", "IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82", "Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com", "This is hard to comprehend or put into indelible words." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "HackTool:MSIL/Boilod.C!bit", "display_name": "HackTool:MSIL/Boilod.C!bit", "target": "/malware/HackTool:MSIL/Boilod.C!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1462", "name": "Malicious Software Development Tools", "display_name": "T1462 - Malicious Software Development Tools" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Technology", "Healthcare", "Insurance", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6390, "domain": 723, "hostname": 1978, "FileHash-SHA256": 1912, "FileHash-MD5": 410, "FileHash-SHA1": 306, "email": 3, "SSLCertFingerprint": 28, "CVE": 3 }, "indicator_count": 11753, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "76 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6935c92c5fc93fd873c6aa6d", "name": "[COINBASECARTEL] - Ransomware Victim: Cinvestav - RedPacket Security | CVE-2025-11727 (New)", "description": "Related to multiple exploits. Government Cyber Defense implications but shows as very legitimate looking masquerading. I am not positive and don\u2019t want to move to Belfast. Populated NSA [.] gov domains and subdomains (w/o no headers) lightly researched but does not assert a government identity. \n*New CVE-2025-11727", "modified": "2026-01-06T18:04:02.620000", "created": "2025-12-07T18:36:28.055000", "tags": [ "memcommit", "read c", "t1082", "cryptexportkey", "invalid pointer", "write", "msil", "malware", "media", "autorun", "countries", "united", "america", "high defense", "evasion", "t1055", "ck technique", "technique id", "allocates", "potential code", "attempts", "threatintel", "dark web", "coinbasecartel", "ransomware", "osint", "tor", "data breach", "cinvestav", "ai generated", "ransomware leak", "page", "november", "investigacin y", "nacional", "mexican", "mexico", "present nov", "verdana", "td tr", "passive dns", "ip address", "urls", "aaaa", "present may", "present oct", "present jul", "virtool", "present sep", "present jun", "win32", "default", "unicode", "png image", "rgba", "high", "dock", "execution", "xport", "unknown", "data upload", "extraction", "will", "data", "name cloudflare", "hostmaster name", "org cloudflare", "townsend st", "city san", "us creation", "kelihos", "ipv4", "present dec", "files", "domain", "search", "hostname", "verdict", "location united", "asn as16625", "akamai", "urls show", "date checked", "url hostname", "server response", "google safe", "results nov", "present aug", "backdoor", "msie", "chrome", "trojan", "mtb aug", "worm", "cryp", "junkpoly", "twitter", "trojandropper", "title", "germany unknown", "ipv4 add", "pulse pulses", "hosting", "reverse dns", "cologne", "search engine", "gse compromised", "redacted for", "privacy admin", "privacy tech", "server", "organization", "street", "city", "stateprovince", "postal code", "country", "resolver domain", "cape sa", "virustot", "type pdf", "name", "lookups", "email abuse", "historical ssl", "certificates", "first", "graph summary", "cname", "address", "ip2location", "bogon ip", "admin", "network", "wifi password", "ssid", "demo", "details", "failed", "include review", "exclude sugges", "onlv", "x try", "find s", "typ url", "url data", "severity att", "module load", "icmp traffic", "dns query", "t1055 jseval", "windows nt", "port", "entries", "destination", "medium", "show", "pecompact", "june", "service", "next", "xserver", "encrypt", "t1129", "windows module", "dlls", "convention", "windows native" ], "references": [ "Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS", "Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "hallplan.vm05.iveins.de", "https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c", "Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx", "Name : iveins.de Service : connect", "https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com", "phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com", "https://otx.alienvault.com/indicator/cve/CVE-2025-11727" ], "public": 1, "adversary": "COINBASECARTEL", "targeted_countries": [ "United States of America", "Sweden", "Bangladesh", "Japan" ], "malware_families": [ { "id": "Trojan:Win32/Tiggre!rfn", "display_name": "Trojan:Win32/Tiggre!rfn", "target": "/malware/Trojan:Win32/Tiggre!rfn" }, { "id": "MSIL:Agent-DQ\\ [Trj]", "display_name": "MSIL:Agent-DQ\\ [Trj]", "target": null }, { "id": "VirTool:MSIL/Covent.A", "display_name": "VirTool:MSIL/Covent.A", "target": "/malware/VirTool:MSIL/Covent.A" }, { "id": "Trojan:Win32/Pynamer!rfn", "display_name": "Trojan:Win32/Pynamer!rfn", "target": "/malware/Trojan:Win32/Pynamer!rfn" }, { "id": "Win64:TrojanX", "display_name": "Win64:TrojanX", "target": null }, { "id": "VirTool:MSIL/Covent", "display_name": "VirTool:MSIL/Covent", "target": "/malware/VirTool:MSIL/Covent" }, { "id": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea", "display_name": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "Kelihos", "display_name": "Kelihos", "target": null }, { "id": "CVE-2025-11727", "display_name": "CVE-2025-11727", "target": null }, { "id": "Exploit:JS/CVE-2014-0322", "display_name": "Exploit:JS/CVE-2014-0322", "target": "/malware/Exploit:JS/CVE-2014-0322" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" } ], "industries": [ "Education" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 117, "FileHash-SHA256": 1746, "URL": 5018, "hostname": 1827, "domain": 1072, "CVE": 3, "email": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9938, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "102 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e2d950ac7d1e2a3454a4f", "name": "Gooogle Accounts | Drive-by Compromise \u2022 Ransomware \u2022 Phishing Attack", "description": "Google accounts Drive-by Compromise. Affected Google accounts redirects to a suspicious non - Google homepage. |\nRansomware | Adware | Phishing | Injection | \nExploits seen affecting both OS and iOS devices. Threat actors able to remotely access iOS device, unlock, access iCloud. System root control, fully infected devices, Attackers continue to ravage devices w/ drive by compromise, unsafe adware, malware text, etc., Seeks to remove malicious IoC\u2019s on mock accounts , password stealers", "modified": "2025-12-31T23:04:59.378000", "created": "2025-12-02T00:06:45.807000", "tags": [ "iocs", "drop", "network traffic", "ck id", "mitre att", "ck matrix", "network related", "detected", "t1566", "t1204", "united", "click", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "learn", "suspicious", "informative", "name tactics", "adversaries", "command", "initial access", "spawns", "found", "binary file", "t1189", "regsetvalueexa", "regdword", "post http", "medium", "high", "regbinary", "loader", "dock", "write", "malware", "unknown", "romania unknown", "present may", "msie", "chrome", "body", "passive dns", "ip address", "present jun", "welcome", "accept", "encrypt", "gmt content", "ipv4 add", "url analysis", "urls", "files", "reverse dns", "unknown aaaa", "certificate", "hostname add", "error", "flag", "domain address", "contacted hosts", "type", "india unknown", "record value", "body html", "head title", "title", "entries", "read c", "high defense", "evasion", "yara detections", "virtool", "win32", "ahmann", "hacker group", "law firm", "order", "google", "smart assembly" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VirTool:MSIL/Injector.BF", "display_name": "VirTool:MSIL/Injector.BF", "target": "/malware/VirTool:MSIL/Injector.BF" }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 112, "FileHash-SHA256": 589, "URL": 1795, "SSLCertFingerprint": 3, "domain": 319, "hostname": 847, "email": 1 }, "indicator_count": 3781, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692d400f81164107d98922db", "name": "Injector.BO : DNS Reply Sinkhole via Phishing emails , texts , drives or malicious links", "description": "\"Phishing threat: This is a phishing website that impersonates a trusted website to trick you into revealing personal or financial information.\";var L_MalwareThreat_TEXT = \"Malicious software threat: This site contains links to viruses or other software programs that can reveal personal information stored or typed on your computer to malicious persons", "modified": "2025-12-31T06:01:00.551000", "created": "2025-12-01T07:13:19.659000", "tags": [ "url http", "url https", "urls", "files", "address", "asn as400519", "united states", "info geo", "united", "as400519", "us note", "route", "ipv4", "live", "superdata", "viet nam", "cisco umbrella", "sectigo rsa", "secure", "google safe", "browsing", "current dns", "a record", "input", "closenotify", "phpsessid value", "source level", "url text", "general full", "protocol h2", "security tls", "ecdhersa", "asn45544", "reverse dns", "resource", "hash", "as45544", "vn note", "backdoor", "generic", "cnc activity", "passive dns", "ipv4 add", "company limited", "dnssec", "hostname add", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "t1480 execution", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ip address", "vietnam", "location viet", "nam flag", "urlhttp", "extracted files", "unicode text", "utf8 text", "lowfihstr", "trojan", "mtb trojan", "spawns", "found", "process details", "flag", "contacted", "xb6x04x00", "t1055", "search", "read c", "cnlolcat", "microsoft", "medium", "entries", "unknown", "virtool", "malware", "copy", "write", "win32", "next", "url add", "http", "hostname", "files domain", "files related", "related tags", "china unknown", "creation date", "body", "please", "x msedge", "tracking" ], "references": [ "anonsecbotnet.cameraddns.net", "https://api.playit.gg/agents/routing/get", "http://www.google.com-viruswall1-source-cloud-computing-services-distribution.cpdev.dyson.cn/", "https://www.endgamesystems.com/", "IDS Detections : DNS Rep Sinkhole - Microsoft - 199.2.137.0/24" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:MSIL/Ranos.A", "display_name": "Trojan:MSIL/Ranos.A", "target": "/malware/Trojan:MSIL/Ranos.A" }, { "id": "Trojan:MSIL/ClipBanker.GC!MTB", "display_name": "Trojan:MSIL/ClipBanker.GC!MTB", "target": "/malware/Trojan:MSIL/ClipBanker.GC!MTB" }, { "id": "Win.Packed.Msilperseus-9956592-0", "display_name": "Win.Packed.Msilperseus-9956592-0", "target": null }, { "id": "ALF:Backdoor:MSIL/Noancooe.", "display_name": "ALF:Backdoor:MSIL/Noancooe.", "target": null }, { "id": "Win.Trojan.Generic-6417450-0", "display_name": "Win.Trojan.Generic-6417450-0", "target": null }, { "id": "Win.Packed.Bladabindi-6872770-0", "display_name": "Win.Packed.Bladabindi-6872770-0", "target": null }, { "id": "#LowFiHSTR:MSIL/Confuser", "display_name": "#LowFiHSTR:MSIL/Confuser", "target": "/malware/#LowFiHSTR:MSIL/Confuser" }, { "id": "Win.Dropper.njRAT-10015886-0", "display_name": "Win.Dropper.njRAT-10015886-0", "target": null }, { "id": "Backdoor:MSIL/Bladabindi.AP", "display_name": "Backdoor:MSIL/Bladabindi.AP", "target": "/malware/Backdoor:MSIL/Bladabindi.AP" }, { "id": "Win.Packed.Generic-9795615-0", "display_name": "Win.Packed.Generic-9795615-0", "target": null }, { "id": "Win.Packed.Generic-9795615-0", "display_name": "Win.Packed.Generic-9795615-0", "target": null }, { "id": "Win.Packed.Fecn-7077459-0", "display_name": "Win.Packed.Fecn-7077459-0", "target": null }, { "id": "Win.Packed.Marsilia-10021147-0", "display_name": "Win.Packed.Marsilia-10021147-0", "target": null }, { "id": "VirTool:Win32/Injector.BO", "display_name": "VirTool:Win32/Injector.BO", "target": "/malware/VirTool:Win32/Injector.BO" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1578.001", "name": "Create Snapshot", "display_name": "T1578.001 - Create Snapshot" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1610, "domain": 147, "hostname": 501, "FileHash-SHA256": 384, "CIDR": 3, "FileHash-MD5": 79, "FileHash-SHA1": 77, "email": 3, "SSLCertFingerprint": 1 }, "indicator_count": 2805, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6916dc43beba2f3839fd7c36", "name": "Ransomware | FIREEYE.COM redirects to www.TRELLIX.com", "description": "FireEye appears to have been a Cybersecurity that now redirects to www.trellix.com. Seen before in a malicious MO.gov w/names of 2 \u2018alleged\u2019 female SA victims. I researched was without realizing it was a CySec.We have researched Trellix , found it to be malicious ; reported false information / documentation. FEDNS1.FIREEYE.COM URL is still found in several searches. So we researched it.\nRe: Safebae the other Mo. Gov SA URL found a\u2019. \u2018non profit\u2019 for Catherine \u2018Daisy\u2019 Coleman that isn\u2019t in any way related to her. It makes me believe it\u2019s could be related to Bae systems a collaboration with Peter Thiel's company Palantir, which provides data analytics software to governments and militaries. Significance: This partnership showcases the convergence of American tech innovation and traditional defense contracting, involving companies like Palantir and BAE Systems. \n\n#foundry #josht _ca #hostile #advesarial #contacted_hosts #safebae_or_bae_systems? #honeypotbot # fireeye #trellix", "modified": "2025-12-14T05:04:31.480000", "created": "2025-11-14T07:37:39.794000", "tags": [ "gmt content", "related tags", "found title", "cache control", "x request", "runtime", "vary", "reverse dns", "ashburn", "resource", "verdict", "address", "read c", "unicode", "high", "memcommit", "delete", "dock", "write", "execution", "next associated", "server response", "port", "destination", "crlf line", "malware", "png image", "rgba", "united states", "medium", "encrypt", "america", "msie", "unknown", "present jan", "name servers", "present oct", "present may", "present mar", "present dec", "present nov", "united", "present apr", "present jun", "urls show", "url hostname", "ip address", "google safe", "results jun", "canada unknown", "passive dns", "canada", "meta name", "robots content", "x ua", "ieedge chrome1", "twitter", "chrome", "urls", "files", "asn as13335", "dns resolutions", "trojan", "trojanspy", "win32", "title", "servers", "unknown ns", "domain", "present aug", "present sep", "files domain", "files related", "none google", "safe browsing", "unknown aaaa", "moved", "cloudfront x", "meta", "ip whois", "registrar", "hostname", "files ip", "ipv4 add", "location united", "america flag", "america asn", "present jul", "virtool", "record value", "dnssec", "meta http", "content", "gmt server", "litespeed x", "present feb", "write c", "as62597 nsone", "as16509", "module load", "t1129", "service", "dynamicloader", "windows", "tofsee", "stream", "hostile", "win64", "delete c", "all ipv4", "url analysis", "status", "error", "aaaa", "ireland unknown", "asn as14618", "backdoor", "a domains", "russia", "mtb nov", "ransom", "displayname", "push", "yara rule", "loaderid", "lidfileupd", "localcfg", "rndhex", "rndchar", "checks", "checks system", "filehash", "av detections", "ids detections", "yara detections", "learn", "command", "adversaries", "ck id", "name tactics", "suspicious", "informative", "spawns", "found", "ssl certificate", "flag", "server", "cloudflare", "csc corporate", "domains", "fireeye", "contacted hosts", "mitre att", "pattern match", "ck matrix", "hybrid", "local", "path", "click", "strings", "foundry", "josht.ca", "paid parking", "parking crews" ], "references": [ "Fireye - FEDNS1.FIREEYE.COM", "http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==", "http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356", "http://p2d.josht.ca/assets/content-delivery/depots/download", "test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/ \u2022 http://pma.josht.ca/ \u2022 http://sa.josht.ca", "http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/", "https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022", "https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/", "https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg", "https://p2d.josht.ca/api/depots/info/?depot=", "https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/", "Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.", "According to newspaper accounts and Daisy Coleman committed suicide in Lakewood , Co in 2021", "Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?", "Daisy was allegedly brutally assaulted by Matthew Barnett,", "Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.", "Is that where they\u2019re getting these names? Rexxfield.com. SMH", "There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.", "According to accounts she was afraid for her life , found to be safe then took her own life?", "Typing a suicide note on social media is suspicious since it could come from your murderer.", "So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?", "Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.", "and our limited information, is Daisy a victim or a crisis actor?", "Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me", "Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.", "Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)", "Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.", "FireEye was there in 2 year old pulse now removed? I\u2019ll find it." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7617, "domain": 1127, "hostname": 3591, "email": 9, "FileHash-SHA256": 1160, "FileHash-MD5": 481, "FileHash-SHA1": 404, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 14403, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "126 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69138421066f81131da59cc5", "name": "Malicious Legal Google Botnet - Treece Alfrey Musat P.C.\u2022 Christopher P. Ahmann Spam - Malicious ", "description": "", "modified": "2025-12-03T00:01:23.660000", "created": "2025-11-11T18:44:49.343000", "tags": [ "status", "date", "name servers", "lowfi", "passive dns", "urls", "domain", "susp", "win32", "search", "win64", "error", "url https", "url http", "ipv4", "type indicator", "role title", "added active", "related pulses", "morocco", "united kingdom", "united", "present nov", "aaaa", "present oct", "cname", "brazil", "malaysia", "title", "present jun", "ip address", "creation date", "record value", "emails", "unknown aaaa", "body", "url add", "pulse pulses", "http", "related nids", "files location", "flag united", "trojan", "trojandropper", "virtool", "entries", "next associated", "ipv4 add", "unknown ns", "present jul", "present sep", "present aug", "win32upatre nov", "candyopen", "tlsv1", "port", "destination", "ogoogle trust", "cngts ca", "show", "read c", "youtube", "copy", "dock", "write", "next", "malware", "persistence", "execution", "filehashmd5", "hostname", "filehashsha256", "types of", "germany", "poland", "indicator role", "title added", "active related", "pulses url", "p1377925676", "gaz1", "sid1696503456", "sct1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6907f7e98289b75f3e5ecaba", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 400, "URL": 2857, "FileHash-MD5": 217, "FileHash-SHA1": 172, "FileHash-SHA256": 1426, "email": 6, "hostname": 1019, "SSLCertFingerprint": 6 }, "indicator_count": 6103, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "137 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6907f7e98289b75f3e5ecaba", "name": "- Treece Alfrey Musat P.C. - Malicious Legal Google Botnet", "description": "Christopher P.\nAhmann\u2019s Google Botnet. Defense attorneys fighting worker\u2019s compensation case and ruining a targets life for years. Malicious.[OTX auto popular-HOSTNAME: Google Video.com (GOOGlevideo.COM), an unauthorised website, has been blocked by the internet service regulator, the regulator of the domain registry.]\n\n#pulsed_by_otx #private_google #legal_goigle #malicious_practices", "modified": "2025-12-03T00:01:23.660000", "created": "2025-11-03T00:31:37.396000", "tags": [ "status", "date", "name servers", "lowfi", "passive dns", "urls", "domain", "susp", "win32", "search", "win64", "error", "url https", "url http", "ipv4", "type indicator", "role title", "added active", "related pulses", "morocco", "united kingdom", "united", "present nov", "aaaa", "present oct", "cname", "brazil", "malaysia", "title", "present jun", "ip address", "creation date", "record value", "emails", "unknown aaaa", "body", "url add", "pulse pulses", "http", "related nids", "files location", "flag united", "trojan", "trojandropper", "virtool", "entries", "next associated", "ipv4 add", "unknown ns", "present jul", "present sep", "present aug", "win32upatre nov", "candyopen", "tlsv1", "port", "destination", "ogoogle trust", "cngts ca", "show", "read c", "youtube", "copy", "dock", "write", "next", "malware", "persistence", "execution", "filehashmd5", "hostname", "filehashsha256", "types of", "germany", "poland", "indicator role", "title added", "active related", "pulses url", "p1377925676", "gaz1", "sid1696503456", "sct1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 400, "URL": 2857, "FileHash-MD5": 217, "FileHash-SHA1": 172, "FileHash-SHA256": 1426, "email": 6, "hostname": 1019, "SSLCertFingerprint": 6 }, "indicator_count": 6103, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "137 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68e32dd0c55bf224eb99dd58", "name": "Appspot.com - Google account fraud & infostealing", "description": "Fake Google email accounts. I\u2019ve reviewed a handful of targets with this issue. If starting with a new device, signed up for a new google account,\nthe users are automatically logged out, forced to sign in again, checked security features where you can see an unauthorized autonomous general\nphone, or iPhone or MacBook was also signed in in a different location. Even if you delete the device or email account, I\u2019ve seen the intruder handle CnC of all backups of photos and clouds. \n\n\n\n[OTX auto populated - The full list of domain names: APPSPot.COM.com, which was created on the same day as the Google search engine, has been published by the internet regulator, the IANA.]", "modified": "2025-11-05T01:01:26.928000", "created": "2025-10-06T02:47:44.098000", "tags": [ "aaaa", "susp", "trojan", "google", "server", "domain status", "registrar abuse", "domain name", "us registrant", "email", "contact email", "rdap database", "google app", "google hosted", "please", "vulnerabilities", "join", "bring", "api explorer", "engine", "admin sdk", "info", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "ssl certificate", "ascii text", "united", "pattern match", "mitre att", "general", "local", "path", "click", "strings", "porn", "phishing", "fraud", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "download", "apt", "ansi", "dumps", "file string", "seen", "disabled hash", "close", "hosts", "contact", "tellwise", "passive dns", "urls", "pulse pulses", "files", "verdict", "domain", "files ip", "address", "location united", "asn as15169", "extraction", "data upload", "extra", "referen http", "changed data", "failed", "include review", "t07 exclude", "extri data", "changed", "exclude", "find s", "tvnes data", "status", "present nov", "name servers", "entries", "geoid no", "present dec", "date", "error", "title", "sugges", "typ no", "no entrieotound", "scam", "foundry", "sabey type", "denver", "quasi", "phoenix", "australia" ], "references": [ "appspot.com \u2022 hyper7install.appspot.com", "https://hybrid-analysis.com/sample/c61237fcb798f05e6af32a6aa13f8e795aac47559d601eb7f93ad65bcf58b418/68e30c476b91a8000b0dd786", "http://acounts.google.com/v/signin/identifier?continue=hts%253%252F2Fconsole.cloud.google.com2Fapengine&dsh=5-1106814258%2539876543210", "Changed last several digits of gmail account # In example", "http://console.cloud.google.com/appengine", "https://310940000.android.com.twitter.android.adsenseformobileapps.com/", "https://www.netify.ai/resources/domains \u2022 192-168-0-21.3pt3m9ng2hf.ddns.manage.alta.inc", "device-local-de06e551-6b23-4aa3-bb67-6972ae6d30b5.remotewd.com 192.168.0.21", "116e33e0-8832-11ec-aef5-99a1d044639a-local.solinkcloud.com", "jaycobundaberg.eclipseaurahub.com.au 192.168.0.21", "grafana.ledocloud.com\u2022 192.168.0.21", "192-168-0-21.siliconevalley1.direct.quickconnect.to" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32/Madang", "display_name": "Win32/Madang", "target": null }, { "id": "Win.Downloader.Small-1966", "display_name": "Win.Downloader.Small-1966", "target": null }, { "id": "Win32:SaliCode", "display_name": "Win32:SaliCode", "target": null }, { "id": "Virtool:Win32/Vbinder.CO", "display_name": "Virtool:Win32/Vbinder.CO", "target": "/malware/Virtool:Win32/Vbinder.CO" }, { "id": "!Themida", "display_name": "!Themida", "target": null }, { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "Win32/Scrarev.C", "display_name": "Win32/Scrarev.C", "target": null }, { "id": "Trojan:MSIL/RapidStealer.A", "display_name": "Trojan:MSIL/RapidStealer.A", "target": "/malware/Trojan:MSIL/RapidStealer.A" } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 222, "FileHash-MD5": 146, "FileHash-SHA1": 317, "FileHash-SHA256": 1120, "email": 3, "hostname": 881, "URL": 1338, "SSLCertFingerprint": 7 }, "indicator_count": 4034, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "165 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dd9423f9208dcc8701e12e", "name": "Maktub Locker TOR Status Check \u2022 Cab \\ Drive by( dbi.com) Malicious pic", "description": "After 911 told me I was bounced to the Denver, Co Station 5 , located 45 & Peoria in Denver , Colorado , not even close. \nThe phone number changed, only 911 access. Clue: I saw an Amber alert in n target phone when I powered it on. No all notices always turned off. Made a call\non contact list and screen changed to a plain faced interface. \n\nAfter finding a mother foundry link on targets phone I grew curious about a CEO\u2019s strange story of Palantir\u2019s Karp Theil roommate situation in Law School but I could only find one picture on of them on a campus in their late 40\u2019s. He\u2019s African American mixed. The picture of his mother in hacked phone is 215 yo. No information federal oversight as CEO right? Or limited information on crazy hacked device? \n\nClicked on link then OMGness\n\n#whatIfind #onhackeddevice #targeting", "modified": "2025-10-31T19:03:21.338000", "created": "2025-10-01T20:50:43.002000", "tags": [ "iocs", "logo", "passive dns", "related tags", "none google", "ipv4", "gogle", "twitter", "x.com", "ransomware", "fbi \u2019site\u2019", "python", "cloud", "regopenkeyexw", "read c", "port", "destination", "cryptexportkey", "count read", "tor get", "malware", "write", "format", "redacted for", "server", "privacy tech", "privacy admin", "country", "postal code", "organization", "date", "email", "code", "aaaa", "value a", "key identifier", "v3 serial", "number", "cus ogoogle", "trust", "cnwe1 validity", "subject public", "key info", "key algorithm", "ec oid", "maktub", "cnc", "python-projekt", "x post", "link", "android", "iphone", "google", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "ssl certificate", "spawns", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "size", "mitre att", "show technique", "ck matrix", "title", "path", "hybrid", "general", "local", "form", "click", "strings", "body" ], "references": [ "FBI.GOV - VT I\u2019m looking @ says website is legitimate & not misused - hmm", "Entity CLOUD14", "CLOUDFLARENET - 104.16.148.244 , 104.19.148.244", "https://otx.alienvault.com/indicator/file/ba30376f915afa868763f84299fae5d2", "https://hybrid-analysis.com/sample/f2b943e81f1b284cf9dabb4ff156526a02ecca485ac117714867d92b262c8fdd/68dd867e3bc50d9068072c05", "Hashtags left on Hybrid Analysis (above) weren\u2019t posted by me", "Maktub Locker TOR Status Check \u2022 TOR Consensus Data Requested \u2022 TOR 1.0 Server Key Retrieval", "Tor Get Server Request \u2022 TLS Handshake Failure High Priority", "Yara Detections: stack_string Alerts: dead_host", "Alerts: network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http", "Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters", "Alerts: packer_entropy queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name raises_exception" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Code Virus Ransomware", "display_name": "Code Virus Ransomware", "target": null }, { "id": "AVAST- Win32:Filecoder-AD\\ [Trj]", "display_name": "AVAST- Win32:Filecoder-AD\\ [Trj]", "target": null }, { "id": "CLAMAV - Win.Malware.Cabby-6803812", "display_name": "CLAMAV - Win.Malware.Cabby-6803812", "target": null }, { "id": "Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn", "display_name": "Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn", "target": "/malware/Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 574, "domain": 147, "FileHash-MD5": 156, "FileHash-SHA1": 130, "FileHash-SHA256": 539, "URL": 982, "SSLCertFingerprint": 4, "email": 2 }, "indicator_count": 2534, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bbdb22e3d606ae8fb5cda8", "name": "HCPF | Department of Health Care Policy and Financing", "description": "Project Nemesis - Affects Department of Health Care Policy and Financing | Family representative repeatedly told past bills aren\u2019t being paid by United Healthcare. Argus Insurance (unknown entity) was Policy on record target never had. FR was given information regarding HCPF which was being viewed by past vendor seen in (https://otx.alienvault.com/pulse/68bbb31f6d91989d7fcd9592) | Issues with HCPF have been an issue for some time in isolated scenarios. It\u2019s unclear how at least one person keeps getting their name, bills and life pulled into this. Target PURCHASED a Healthcare policy via agent before major social engineering attacks. Same entity literally robs targets. Gift cards, phone services, cloud storage, account, insurance policies, bank account access, tax refunds, paid claims reversed & taken from target\u2019s account.\nMore research needed. Flaws in new system could jeopardize many. \n#trulymissed #rip #techbrohell #palantir", "modified": "2025-10-06T05:01:18.794000", "created": "2025-09-06T06:56:34.649000", "tags": [ "federal changes", "health first", "colorado", "child health", "plan plus", "newimpact", "medicaidour", "impact", "medicaid page", "medicaid", "beware", "text/html", "trackers", "iframes", "external-resources", "new relic", "g1gv3h3sxc0", "utc gcw970gh4gg", "android", "known exploited", "google", "salesloft drift", "sap s4hana", "cve202542957", "cisa", "sitecore", "linux", "france", "meta", "rokrat", "lizar", "project nemesis", "carbanak", "cobalt strike", "domino", "no expiration", "url https", "type indicator", "role title", "related pulses", "hostname https", "m4e5930", "hostname", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "ascii text", "search", "ogoogle trust", "cngts ca", "execution", "next", "dock", "write", "capture", "persistence", "malware", "roboto", "present feb", "united", "a domains", "present dec", "passive dns", "moved", "script domains", "script urls", "urls", "title", "date", "resolved ips", "http traffic", "http get", "match info", "downloads", "info", "https http", "mitre att", "control ta0011", "protocol t1071", "protocol t1095", "endgame systems" ], "references": [ "Researched: https://hcpf.colorado.gov/", "www.onyx-ware.com \u2022 https://www.endgamesystems.com/", "millet-usgc-1.palantirfedstart.com", "https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html", "https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms", "https://passwords.google/?utm_medium=hpp&utm", "https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html", "Researched publicly available information provided by representative of a target\u2019s estate", "System has placed affected on multiple policies cancelling private policy without notice.", "Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)", "Provided documented evidence of appealed state issued plan and disclosed financials.", "Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes", "I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.", "State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.", "Target also owned an online brokerage & lead company, was agent & insurance marketer for years.", "September began with false information, defaulted claims , denials from authorized services rendered years prior.", "If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lizar", "display_name": "Lizar", "target": null }, { "id": "Project Nemesis", "display_name": "Project Nemesis", "target": null }, { "id": "Carbanak", "display_name": "Carbanak", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Domino", "display_name": "Domino", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Hospitality", "Financial", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1395, "URL": 4304, "CVE": 1, "domain": 694, "FileHash-SHA256": 1790, "FileHash-MD5": 183, "FileHash-SHA1": 103, "SSLCertFingerprint": 5 }, "indicator_count": 8475, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c54659742e10df0e2dd0ec", "name": "Archive.ph - Mirai", "description": "", "modified": "2025-10-03T00:01:12.616000", "created": "2025-09-13T10:24:25.814000", "tags": [ "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "javascript", "spawns", "united", "present aug", "div div", "meta", "fffae1", "xml title", "drag", "div form", "form div", "a li", "encrypt", "russia", "passive dns", "urls", "aaaa", "netherlands", "your ip", "panama", "russia unknown", "present mar", "present jun", "moved", "present jul", "present sep", "ip address", "present jan", "body", "title", "domain", "files", "content type", "body doctype", "as16509", "intel mac", "os x", "ipv4 add", "port", "destination", "read c", "medium", "entries", "et info", "execution", "next", "dock", "write", "persistence", "malware", "url analysis", "files ip", "name server", "domain address", "algorithm", "key identifier", "v3 serial", "number", "cus olet", "encrypt cne6", "validity", "subject public", "key info", "us as15169", "us as396982", "mitre att", "pattern match", "form", "onload", "general", "local", "path", "click", "strings", "verify", "asnone", "china as4134", "resolverror", "high", "dns query", "as7018 att", "japan as4713", "south korea", "little \u2018endian\u2019", "mirai", "dod", "endgame systems", "government overreach", "sabey type", "foundry type", "apple", "cve" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135858-0", "display_name": "Unix.Dropper.Mirai-7135858-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": "68b798c0a419c49eeb4e2a13", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "privacynotacrime", "id": "349346", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2069, "domain": 406, "FileHash-SHA256": 1498, "hostname": 811, "FileHash-MD5": 150, "FileHash-SHA1": 138, "SSLCertFingerprint": 8, "CIDR": 1, "CVE": 1 }, "indicator_count": 5082, "is_author": false, "is_subscribing": null, "subscriber_count": 59, "modified_text": "198 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68b798c0a419c49eeb4e2a13", "name": "Archive.ph - Mirai", "description": "Outdated archiving domain of questionable origin can expose or has exposed monitored target/s to\nUnix.Dropper.Mirai-7135858-0.\n\nThe domain seems to want to appear as if it originates from Russia. There is a DoD & Endgame systems relationship. Multiple archived pages have been injected and deleted.\n(Little Endian) is a name seen often related to an innocent known to be targeted by a pro male entity who utilizes Pegasus, Palantir, Gotham, Foundry , Tulach, for silencing.\n#trulymissed #mirai #malicious", "modified": "2025-10-03T00:01:12.616000", "created": "2025-09-03T01:24:16.418000", "tags": [ "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "javascript", "spawns", "united", "present aug", "div div", "meta", "fffae1", "xml title", "drag", "div form", "form div", "a li", "encrypt", "russia", "passive dns", "urls", "aaaa", "netherlands", "your ip", "panama", "russia unknown", "present mar", "present jun", "moved", "present jul", "present sep", "ip address", "present jan", "body", "title", "domain", "files", "content type", "body doctype", "as16509", "intel mac", "os x", "ipv4 add", "port", "destination", "read c", "medium", "entries", "et info", "execution", "next", "dock", "write", "persistence", "malware", "url analysis", "files ip", "name server", "domain address", "algorithm", "key identifier", "v3 serial", "number", "cus olet", "encrypt cne6", "validity", "subject public", "key info", "us as15169", "us as396982", "mitre att", "pattern match", "form", "onload", "general", "local", "path", "click", "strings", "verify", "asnone", "china as4134", "resolverror", "high", "dns query", "as7018 att", "japan as4713", "south korea", "little \u2018endian\u2019", "mirai", "dod", "endgame systems", "government overreach", "sabey type", "foundry type", "apple", "cve" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135858-0", "display_name": "Unix.Dropper.Mirai-7135858-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2069, "domain": 406, "FileHash-SHA256": 1498, "hostname": 811, "FileHash-MD5": 150, "FileHash-SHA1": 138, "SSLCertFingerprint": 8, "CIDR": 1, "CVE": 1 }, "indicator_count": 5082, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "198 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ae5b9ef87646927a236b61", "name": "Privacy - Google Videos Search - Web Applications Stack Exchange = WannaCry", "description": "Description: dfir.blog - A blog about Digital Forensics & Incident Response\ndfir.blog\nDigital forensics, web browsers, visualizations, & open source tools.\n#monitoring #dod(?) #chinacache #crypt #ransom#infectedsystems", "modified": "2025-09-26T00:01:12.214000", "created": "2025-08-27T01:13:02.780000", "tags": [ "google", "mullvad browser", "value", "incognito mode", "mine", "unix time", "friday", "january", "does", "tor browser", "search", "show", "langchinese", "packing t1045", "t1045", "medium", "pe resource", "module load", "t1129", "service", "trojan", "copy", "dock", "write", "malware", "clock", "united", "passive dns", "urls", "next associated", "gmt cache", "ipv4 add", "pulse pulses", "files", "reverse dns", "win32", "title", "location united", "america flag", "america asn", "as15169 google", "dns resolutions", "domains top", "level", "unique tlds", "present aug", "china unknown", "creation date", "date", "domain", "ip address", "domain name", "expiration date", "status ok", "nanjing", "accept", "body", "div td", "td tr", "div div", "span span", "a li", "span p", "p div", "moved", "a domains", "open", "span", "uuupupu", "t1055", "process32nextw", "high", "windows", "high defense", "evasion", "delphi", "google gmail", "images sign", "advanced search", "solutions", "privacy", "store gmail", "delete delete", "report", "how search", "applying ai", "settings search", "advanced", "search search", "search help", "domainabuse", "showing", "hostname add", "url add", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "read c", "tlsv1", "whitelisted", "port", "destination", "ascii text", "next", "encrypt", "script urls", "msie", "chrome", "bad gateway", "script domains", "present feb", "link", "meta", "digital", "language", "body doctype", "ghost", "present jun", "aaaa", "present jul", "present oct", "record value", "yara detections", "dock zone", "top source", "top destination", "source source", "filehash", "code", "error", "windows nt", "wow64", "slcc2", "media center", "execution", "persistence", "tulach", "brian sabey", "dod network", "orgtechref", "address range", "cidr", "network name", "allocation type", "whois server", "entity dnic", "handle", "whois lookup", "dod", "et trojan", "server header", "suspicious", "et info", "unknown", "virustotal", "specified", "download", "et", "please", "type size", "first seen", "loading", "python wheel", "dynamicloader", "intel", "ms windows", "pe32", "entries", "user agent", "powershell", "agent", "yara rule", "checks", "levelblue", "open threat", "observed dns", "query", "dns lookup", "msdos", "wannacry dns", "lookup", "wannacry", "worm", "explorer", "msil", "darkcomet", "ping", "tools", "capture", "hallrender", "dga domains", "unfurl sites", "honey net", "bot", "nxdomain", "potential-c2" ], "references": [ "Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems", "DoD Network Information Center (DNIC)", "DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}", "Python Wheel package", "https://www.google.com/search", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Magania.DSK!MTB", "display_name": "Trojan:Win32/Magania.DSK!MTB", "target": "/malware/Trojan:Win32/Magania.DSK!MTB" }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "a variant of Win32/Kryptik.DEOA", "display_name": "a variant of Win32/Kryptik.DEOA", "target": null }, { "id": "ALF:Exploit:Win32/gSharedInfoRef.A", "display_name": "ALF:Exploit:Win32/gSharedInfoRef.A", "target": null }, { "id": "Wannacry", "display_name": "Wannacry", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Telecommunications", "Technology", "Civilian" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8221, "domain": 1216, "FileHash-SHA256": 2434, "FileHash-MD5": 296, "FileHash-SHA1": 155, "hostname": 2939, "email": 7, "SSLCertFingerprint": 8, "CIDR": 2 }, "indicator_count": 15278, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "System has placed affected on multiple policies cancelling private policy without notice.", "https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html", "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "Python Wheel package", "https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l", "http://www.google.com-viruswall1-source-cloud-computing-services-distribution.cpdev.dyson.cn/", "https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com", "I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.", "and our limited information, is Daisy a victim or a crisis actor?", "Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)", "Maktub Locker TOR Status Check \u2022 TOR Consensus Data Requested \u2022 TOR 1.0 Server Key Retrieval", "https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/", "FBI.GOV - VT I\u2019m looking @ says website is legitimate & not misused - hmm", "https://otx.alienvault.com/indicator/ip/3.163.24.10", "https://www.netify.ai/resources/domains \u2022 192-168-0-21.3pt3m9ng2hf.ddns.manage.alta.inc", "http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "jaycobundaberg.eclipseaurahub.com.au 192.168.0.21", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.", "This is hard to comprehend or put into indelible words.", "Entity CLOUD14", "search.roi.ros.gov.uk", "millet-usgc-1.palantirfedstart.com", "There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.", "http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==", "IDS Detections : DNS Rep Sinkhole - Microsoft - 199.2.137.0/24", "CLOUDFLARENET - 104.16.148.244 , 104.19.148.244", "Daisy was allegedly brutally assaulted by Matthew Barnett,", "(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.", "https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356", "Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "https://www.endgamesystems.com/", "stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe", "Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters", "https://310940000.android.com.twitter.android.adsenseformobileapps.com/", "https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c", "http://console.cloud.google.com/appengine", "Alerts: packer_entropy queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name raises_exception", "Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.", "Target also owned an online brokerage & lead company, was agent & insurance marketer for years.", "Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com", "Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit", "https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "appspot.com \u2022 hyper7install.appspot.com", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host", "https://api.playit.gg/agents/routing/get", "FireEye was there in 2 year old pulse now removed? I\u2019ll find it.", "https://www.google.com/search", "https://p2d.josht.ca/api/depots/info/?depot=", "http://acounts.google.com/v/signin/identifier?continue=hts%253%252F2Fconsole.cloud.google.com2Fapengine&dsh=5-1106814258%2539876543210", "104.21.51.140, 172.67.181.41", "http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/", "According to accounts she was afraid for her life , found to be safe then took her own life?", "https://otx.alienvault.com/indicator/hostname/pegasus.pahamify.com", "test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "September began with false information, defaulted claims , denials from authorized services rendered years prior.", "https://otx.alienvault.com/indicator/file/ba30376f915afa868763f84299fae5d2", "Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration", "Tor Get Server Request \u2022 TLS Handshake Failure High Priority", "Malicious Application Development: herokuappdev.com (Patter match 8 years +)", "Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me", "https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html", "Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems", "Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.", "If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI", "http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)", "Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)", "http://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV", "Malicious Application Development: herokuappdev.com (pattern matching spans 8+ years)", "Researched: https://hcpf.colorado.gov/", "Yara Detections: stack_string Alerts: dead_host", "Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download", "Denver, US 80211 http://library.verizon.onereach.ai", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com", "192-168-0-21.siliconevalley1.direct.quickconnect.to", "www.onyx-ware.com \u2022 https://www.endgamesystems.com/", "https://otx.alienvault.com/indicator/cve/CVE-2025-11727", "Researched publicly available information provided by representative of a target\u2019s estate", "Yara Detections is__elf", "hallplan.vm05.iveins.de", "https://www.colocrossing.com/", "DoD Network Information Center (DNIC)", "Typing a suicide note on social media is suspicious since it could come from your murderer.", "So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?", "ET Telnet | https://www.colocrossing.com | velocity servers", "Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot", "Hashtags left on Hybrid Analysis (above) weren\u2019t posted by me", "Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0", "Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "direwolf-8b1a1bc476.staging.herokuappdev.com", "In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov", "device-local-de06e551-6b23-4aa3-bb67-6972ae6d30b5.remotewd.com 192.168.0.21", "External Hosts: 52.57.183.74\t access.pcspeedcat.com\taccess.pcspeedcat.com\tGermany\tAS16509 amazon.com inc\taccess.pcspeedcat.com Germany AS16509 amazon.", "https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022", "https://hybrid-analysis.com/sample/f2b943e81f1b284cf9dabb4ff156526a02ecca485ac117714867d92b262c8fdd/68dd867e3bc50d9068072c05", "biblegateway.comwww.biblegateway.com \u2022 www.biblegateway.com", "https://passwords.google/?utm_medium=hpp&utm", "Name : iveins.de Service : connect", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht", "Provided documented evidence of appealed state issued plan and disclosed financials.", "Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.", "Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.", "Yara Detections is__elf , ELFHighEntropy , elf_empty_sections", "116e33e0-8832-11ec-aef5-99a1d044639a-local.solinkcloud.com", "Is that where they\u2019re getting these names? Rexxfield.com. SMH", "Changed last several digits of gmail account # In example", "According to newspaper accounts and Daisy Coleman committed suicide in Lakewood , Co in 2021", "(legitimate services will remain up-and-running usually) High | ID dead_host", "https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes", "https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!", "grafana.ledocloud.com\u2022 192.168.0.21", "Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx", "FileHash-SHA256\t9f66cab9d7c581cf2dd28b6ae3178bb3d38975ff257c3ffb67c3e89d0f7135ee", "External Hosts: 3.163.24.10\t www.pcspeedcat.com\twww.pcspeedcat.com\tUnited States ASNone", "IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login", "pegasuspartners.followupboss.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/indicator/url/https://pegasus.pahamify.com/", "Fireye - FEDNS1.FIREEYE.COM", "phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com", "Alerts: network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http", "https://hybrid-analysis.com/sample/c61237fcb798f05e6af32a6aa13f8e795aac47559d601eb7f93ad65bcf58b418/68e30c476b91a8000b0dd786", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/", "anonsecbotnet.cameraddns.net", "http://p2d.josht.ca/assets/content-delivery/depots/download", "https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}", "http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/ \u2022 http://pma.josht.ca/ \u2022 http://sa.josht.ca", "Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.", "https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV", "IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192", "Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS", "IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "COINBASECARTEL" ], "malware_families": [ "Clamav - win.malware.cabby-6803812", "Win.downloader.small-1966", "!themida", "Virtool:msil/covent", "Zbot", "Tofsee", "Ms defender - trojandownloader:win32/dalexis!rfn!rfn", "Win.packed.msilperseus-9956592-0", "Win.malware.speedcat-6957425", "Virtool:msil/covent.a", "#lowfihstr:msil/confuser", "Pegasus", "Domino", "Win32:salicode", "Cobalt strike", "Virtool:msil/injector.bf", "Trojan:msil/clipbanker.gc!mtb", "Ransomware", "Backdoor:msil/bladabindi.ap", "Win32/madang", "Unix.dropper.mirai-7135858-0", "Et", "Win.packed.marsilia-10021147-0", "Lizar", "Alf:heraklezeval:trojan:win32/clipbanker", "Trojan:win32/pynamer!rfn", "Hacktool:msil/boilod.c!bit", "Win32:malware", "Virtool:win32/vbinder.co", "Win64:trojanx", "Trojan:msil/rapidstealer.a", "Win.malware.generic-9871124-0", "Kelihos", "Virtool:win32/injector.bo", "Trojan:win32/magania.dsk!mtb", "Unix.trojan.darknexus-7679166-0", "Mirai", "Project nemesis", "Alf:backdoor:msil/noancooe.", "Code virus ransomware", "#lowfi:hstr:msil/obfuscator.deepsea", "A variant of win32/kryptik.deoa", "Win32/scrarev.c", "Carbanak", "Trojan:win32/zusy", "Avast- win32:filecoder-ad\\ [trj]", "Cve-2025-11727", "Trojan:msil/ranos.a", "Tofsee attack", "Wannacry", "Alf:exploit:win32/gsharedinforef.a", "Win.trojan.generic-6417450-0", "Exploit:js/cve-2014-0322", "Virus:win32/sality.at", "Win.packed.bladabindi-6872770-0", "Win.packed.generic-9795615-0", "Other malware", "Trojan:win32/tiggre!rfn", "Win.packed.fecn-7077459-0", "Alf:hacktool:msil/heartsender.a", "Msil:agent-dq\\ [trj]", "Win.dropper.njrat-10015886-0" ], "industries": [ "Civil society", "Technology", "Civilian", "Education", "Government", "Hospitality", "Telecommunications", "Healthcare", "Insurance", "Financial" ], "unique_indicators": 101617 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/decagonsoftware.com", "whois": "http://whois.domaintools.com/decagonsoftware.com", "domain": "decagonsoftware.com", "hostname": "pay.c127.decagonsoftware.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 17, "pulses": [ { "id": "696ac438a696c993b672106d", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:05:28.261000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696ac4327b5bc2e8be34f78a", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:05:22.323000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696ac416596cd89cf76bce55", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:04:53.997000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6961a8ed7b492f9e0ba38990", "name": "HeartSender.A and other Malware attacks originating from Palantirs Pahamify Pegasus", "description": "Pahamify Pegasus : HackTool \u2022 Speedcat \u2022 HeartSender.A \u2022 Zbot and other malware found.\nSearc begins with single FileHash referenced below. \nI\u2019m checking the processes and sharing it here one group at a time. Too much research at once could bring Amazon AWS down. Again.", "modified": "2026-02-09T00:04:37.974000", "created": "2026-01-10T01:18:36.999000", "tags": [ "read c", "write c", "port", "destination", "united", "medium", "as16509", "memcommit", "write", "execution", "dock", "persistence", "next executed", "commands graph", "tree", "sample hash", "passive dns", "present jan", "title error", "urls", "files", "date hash", "avast avg", "dynamicloader", "host", "utf8", "unicode text", "crlf line", "binary resource", "ms windows", "search", "intel", "pcspeedcat", "win32", "internal", "malware", "local", "unknown", "get na", "http", "okrnserver", "ip address", "http traffic", "guard", "powershell", "ipv4 add", "servers", "name servers", "capture", "link", "gateway", "tofsee att", "ck ids", "t1055", "injection", "t1071", "protocol", "t1573", "target", "url http", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "t1480 execution", "discovery att", "mitre att", "ck matrix", "ascii text", "hybrid", "general", "path", "click", "strings", "high", "etpro malware", "next", "stack", "format", "error", "unicode", "head http", "regsetvalueexa", "qt binary", "resource file", "pe32", "hostile", "unknown aaaa", "unknown ns", "x content", "gmt cache", "domain add", "title", "present sep", "a td", "td tr", "dir td", "td td", "present may", "present jun", "present apr", "present aug", "present oct", "head body", "gmt server", "index", "main", "accept", "status", "th tr", "moved", "record value", "expiration date", "germany unknown", "present dec", "cache control", "present nov", "max age1000000", "cookie", "hosting", "reverse dns", "location france", "france asn", "as16276", "trojandropper", "next associated", "mtb jan", "exploit", "emails", "trojan", "pegasus", "hostname add", "url analysis", "domain", "files ip", "address", "france unknown", "asn as16276", "backdoor", "entries", "setcookie", "twitter", "refloadapihash", "virtool", "show", "displayname", "windows", "rndhex", "tofsee", "stream", "encrypt", "push", "creation date", "france", "date", "body", "pup", "amazon", "amazon aws", "salesforce", "herokuappdev", "google", "igoogle", "monitored target", "cats" ], "references": [ "FileHash-SHA256\t9f66cab9d7c581cf2dd28b6ae3178bb3d38975ff257c3ffb67c3e89d0f7135ee", "https://otx.alienvault.com/indicator/ip/3.163.24.10", "External Hosts: 52.57.183.74\t access.pcspeedcat.com\taccess.pcspeedcat.com\tGermany\tAS16509 amazon.com inc\taccess.pcspeedcat.com Germany AS16509 amazon.", "External Hosts: 3.163.24.10\t www.pcspeedcat.com\twww.pcspeedcat.com\tUnited States ASNone", "https://otx.alienvault.com/indicator/hostname/pegasus.pahamify.com", "https://otx.alienvault.com/indicator/url/https://pegasus.pahamify.com/", "https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV", "http://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV", "biblegateway.comwww.biblegateway.com \u2022 www.biblegateway.com", "Malicious Application Development: herokuappdev.com (Patter match 8 years +)", "direwolf-8b1a1bc476.staging.herokuappdev.com", "Malicious Application Development: herokuappdev.com (pattern matching spans 8+ years)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Generic-9871124-0", "display_name": "Win.Malware.Generic-9871124-0", "target": null }, { "id": "ALF:HackTool:MSIL/HeartSender.A", "display_name": "ALF:HackTool:MSIL/HeartSender.A", "target": null }, { "id": "Win.Malware.Speedcat-6957425", "display_name": "Win.Malware.Speedcat-6957425", "target": null }, { "id": "Tofsee Attack", "display_name": "Tofsee Attack", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 404, "FileHash-SHA1": 286, "FileHash-SHA256": 1419, "SSLCertFingerprint": 7, "domain": 441, "URL": 4233, "hostname": 1217, "email": 10 }, "indicator_count": 8017, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "69 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6958780c8479a9d69920c3d8", "name": "Telnet - Mirai \u2022 Dark Nexus BusyBox iOS Attack", "description": "There\u2019s enough here to cause an outage. I will stop here. Illegal activities to silence victim and block her from financial settlement award for permanent injuries under workers compensation in a premise and healthcare worker assault scenario. Attorneys estimated her case to be above $100 million but knew she\u2019d be tampered with. Mark Montano MD forewarned her but is culpable. Still attacking family of victim.\n[ True- otx auto generated: Adversaries may be able to gain access to a victim's network through a drive-by attack, as well as using a short-term SSL certificate, in order to target the victim.] |||\nPositive:\nT1140 - Deobfuscate/Decode Files or Information\nSuspicious IP Address\n104.21.51.140, 172.67.181.41\nLocation United States ASN\nModif AS13335 cloudflare\nAutomate Nameservers:\nns1.colocrossing.com.", "modified": "2026-02-02T01:02:46.327000", "created": "2026-01-03T01:59:40.530000", "tags": [ "united", "moved", "title", "passive dns", "ipv4 add", "urls", "files", "hosting", "reverse dns", "location united", "hash avast", "avg clamav", "msdefender mar", "read c", "create c", "medium", "search", "memcommit", "high", "checks", "windows", "execution", "dock", "write", "persistence", "capture", "local", "ref b", "wed may", "backdoor", "mtb aug", "next associated", "mtb dec", "twitter", "smoke loader", "malware", "virtool", "hacktool", "data upload", "present dec", "mtb apr", "win32", "trojan", "worm", "lowfi", "cybota", "expiration date", "name servers", "ipv4", "url analysis", "port", "destination", "telnet login", "bad login", "gpl telnet", "suspicious path", "busybox", "tcp syn", "et telnet", "path", "mirai", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "america", "ck id", "name tactics", "suspicious", "informative", "learn", "t1179 hooking", "installs", "t1035 service", "adversaries", "msie", "windows nt", "slcc2", "media center", "y013", "flag", "span", "accept", "core", "february", "hybrid", "malicious", "general", "click", "strings", "roboto", "next", "usa windows", "finished", "queueprogress", "timestamp input", "threat level", "october", "september", "hwp support", "fresh", "win64", "khtml", "gecko", "brand", "microsoft edge", "programfiles", "comspec", "model", "iframe", "form", "listeners", "initial access", "t1590 gather", "victim network", "ssl certificate", "quasi government", "jeffrey reimer", "palantir", "Regis university", "otx hp", "apple", "pegasus", "h5 data center", "florence colorado", "brian sabey", "target : Tsara Brasheaers", "aig", "industry and commerce", "united states", "State of Colorado.", "date", "status", "domain", "hostname add", "pulse pulses", "files ip", "address", "url https", "url http", "hostname", "show", "type indicator", "source hostname", "entries", "Prometheus Intelligence Technology", "pulse submit", "america flag", "body", "dynamicloader", "microsoft azure", "tls issuing", "named pipe", "json", "ascii text", "lredmond", "Apple", "Telnet", "BusyBox", "Pegasus", "Colorado State Fixer: Christopher P. Ahmann", "Hijacker: Brian Sabey", "For: Concentra", "Protecting Assaulter: Jeffrey Reimer", "For: AIG", "For Industry and Commerce", "For: Quasi Government", "For: Workers Compensation", "Authorities", "Law Enforcement Dark", "Silencing", "Tampering with a Victim", "Meta", "Palantir", "Google", "Bing", "Microsoft", "ColoCrossing", "Associates", "hit men" ], "references": [ "ET Telnet | https://www.colocrossing.com | velocity servers", "https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives", "TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host", "Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)", "(legitimate services will remain up-and-running usually) High | ID dead_host", "ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0", "IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login", "Yara Detections is__elf", "Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Yara Detections is__elf , ELFHighEntropy , elf_empty_sections", "http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/", "https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l", "https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!", "https://www.colocrossing.com/", "(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.", "In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov", "104.21.51.140, 172.67.181.41", "Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot", "stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe", "Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download", "Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration", "IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192", "IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82", "Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com", "This is hard to comprehend or put into indelible words." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "HackTool:MSIL/Boilod.C!bit", "display_name": "HackTool:MSIL/Boilod.C!bit", "target": "/malware/HackTool:MSIL/Boilod.C!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1462", "name": "Malicious Software Development Tools", "display_name": "T1462 - Malicious Software Development Tools" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Technology", "Healthcare", "Insurance", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6390, "domain": 723, "hostname": 1978, "FileHash-SHA256": 1912, "FileHash-MD5": 410, "FileHash-SHA1": 306, "email": 3, "SSLCertFingerprint": 28, "CVE": 3 }, "indicator_count": 11753, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "76 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6935c92c5fc93fd873c6aa6d", "name": "[COINBASECARTEL] - Ransomware Victim: Cinvestav - RedPacket Security | CVE-2025-11727 (New)", "description": "Related to multiple exploits. Government Cyber Defense implications but shows as very legitimate looking masquerading. I am not positive and don\u2019t want to move to Belfast. Populated NSA [.] gov domains and subdomains (w/o no headers) lightly researched but does not assert a government identity. \n*New CVE-2025-11727", "modified": "2026-01-06T18:04:02.620000", "created": "2025-12-07T18:36:28.055000", "tags": [ "memcommit", "read c", "t1082", "cryptexportkey", "invalid pointer", "write", "msil", "malware", "media", "autorun", "countries", "united", "america", "high defense", "evasion", "t1055", "ck technique", "technique id", "allocates", "potential code", "attempts", "threatintel", "dark web", "coinbasecartel", "ransomware", "osint", "tor", "data breach", "cinvestav", "ai generated", "ransomware leak", "page", "november", "investigacin y", "nacional", "mexican", "mexico", "present nov", "verdana", "td tr", "passive dns", "ip address", "urls", "aaaa", "present may", "present oct", "present jul", "virtool", "present sep", "present jun", "win32", "default", "unicode", "png image", "rgba", "high", "dock", "execution", "xport", "unknown", "data upload", "extraction", "will", "data", "name cloudflare", "hostmaster name", "org cloudflare", "townsend st", "city san", "us creation", "kelihos", "ipv4", "present dec", "files", "domain", "search", "hostname", "verdict", "location united", "asn as16625", "akamai", "urls show", "date checked", "url hostname", "server response", "google safe", "results nov", "present aug", "backdoor", "msie", "chrome", "trojan", "mtb aug", "worm", "cryp", "junkpoly", "twitter", "trojandropper", "title", "germany unknown", "ipv4 add", "pulse pulses", "hosting", "reverse dns", "cologne", "search engine", "gse compromised", "redacted for", "privacy admin", "privacy tech", "server", "organization", "street", "city", "stateprovince", "postal code", "country", "resolver domain", "cape sa", "virustot", "type pdf", "name", "lookups", "email abuse", "historical ssl", "certificates", "first", "graph summary", "cname", "address", "ip2location", "bogon ip", "admin", "network", "wifi password", "ssid", "demo", "details", "failed", "include review", "exclude sugges", "onlv", "x try", "find s", "typ url", "url data", "severity att", "module load", "icmp traffic", "dns query", "t1055 jseval", "windows nt", "port", "entries", "destination", "medium", "show", "pecompact", "june", "service", "next", "xserver", "encrypt", "t1129", "windows module", "dlls", "convention", "windows native" ], "references": [ "Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS", "Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "hallplan.vm05.iveins.de", "https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c", "Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx", "Name : iveins.de Service : connect", "https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com", "phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com", "https://otx.alienvault.com/indicator/cve/CVE-2025-11727" ], "public": 1, "adversary": "COINBASECARTEL", "targeted_countries": [ "United States of America", "Sweden", "Bangladesh", "Japan" ], "malware_families": [ { "id": "Trojan:Win32/Tiggre!rfn", "display_name": "Trojan:Win32/Tiggre!rfn", "target": "/malware/Trojan:Win32/Tiggre!rfn" }, { "id": "MSIL:Agent-DQ\\ [Trj]", "display_name": "MSIL:Agent-DQ\\ [Trj]", "target": null }, { "id": "VirTool:MSIL/Covent.A", "display_name": "VirTool:MSIL/Covent.A", "target": "/malware/VirTool:MSIL/Covent.A" }, { "id": "Trojan:Win32/Pynamer!rfn", "display_name": "Trojan:Win32/Pynamer!rfn", "target": "/malware/Trojan:Win32/Pynamer!rfn" }, { "id": "Win64:TrojanX", "display_name": "Win64:TrojanX", "target": null }, { "id": "VirTool:MSIL/Covent", "display_name": "VirTool:MSIL/Covent", "target": "/malware/VirTool:MSIL/Covent" }, { "id": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea", "display_name": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "Kelihos", "display_name": "Kelihos", "target": null }, { "id": "CVE-2025-11727", "display_name": "CVE-2025-11727", "target": null }, { "id": "Exploit:JS/CVE-2014-0322", "display_name": "Exploit:JS/CVE-2014-0322", "target": "/malware/Exploit:JS/CVE-2014-0322" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" } ], "industries": [ "Education" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 117, "FileHash-SHA256": 1746, "URL": 5018, "hostname": 1827, "domain": 1072, "CVE": 3, "email": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9938, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "102 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e2d950ac7d1e2a3454a4f", "name": "Gooogle Accounts | Drive-by Compromise \u2022 Ransomware \u2022 Phishing Attack", "description": "Google accounts Drive-by Compromise. Affected Google accounts redirects to a suspicious non - Google homepage. |\nRansomware | Adware | Phishing | Injection | \nExploits seen affecting both OS and iOS devices. Threat actors able to remotely access iOS device, unlock, access iCloud. System root control, fully infected devices, Attackers continue to ravage devices w/ drive by compromise, unsafe adware, malware text, etc., Seeks to remove malicious IoC\u2019s on mock accounts , password stealers", "modified": "2025-12-31T23:04:59.378000", "created": "2025-12-02T00:06:45.807000", "tags": [ "iocs", "drop", "network traffic", "ck id", "mitre att", "ck matrix", "network related", "detected", "t1566", "t1204", "united", "click", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "learn", "suspicious", "informative", "name tactics", "adversaries", "command", "initial access", "spawns", "found", "binary file", "t1189", "regsetvalueexa", "regdword", "post http", "medium", "high", "regbinary", "loader", "dock", "write", "malware", "unknown", "romania unknown", "present may", "msie", "chrome", "body", "passive dns", "ip address", "present jun", "welcome", "accept", "encrypt", "gmt content", "ipv4 add", "url analysis", "urls", "files", "reverse dns", "unknown aaaa", "certificate", "hostname add", "error", "flag", "domain address", "contacted hosts", "type", "india unknown", "record value", "body html", "head title", "title", "entries", "read c", "high defense", "evasion", "yara detections", "virtool", "win32", "ahmann", "hacker group", "law firm", "order", "google", "smart assembly" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VirTool:MSIL/Injector.BF", "display_name": "VirTool:MSIL/Injector.BF", "target": "/malware/VirTool:MSIL/Injector.BF" }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 112, "FileHash-SHA256": 589, "URL": 1795, "SSLCertFingerprint": 3, "domain": 319, "hostname": 847, "email": 1 }, "indicator_count": 3781, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692d400f81164107d98922db", "name": "Injector.BO : DNS Reply Sinkhole via Phishing emails , texts , drives or malicious links", "description": "\"Phishing threat: This is a phishing website that impersonates a trusted website to trick you into revealing personal or financial information.\";var L_MalwareThreat_TEXT = \"Malicious software threat: This site contains links to viruses or other software programs that can reveal personal information stored or typed on your computer to malicious persons", "modified": "2025-12-31T06:01:00.551000", "created": "2025-12-01T07:13:19.659000", "tags": [ "url http", "url https", "urls", "files", "address", "asn as400519", "united states", "info geo", "united", "as400519", "us note", "route", "ipv4", "live", "superdata", "viet nam", "cisco umbrella", "sectigo rsa", "secure", "google safe", "browsing", "current dns", "a record", "input", "closenotify", "phpsessid value", "source level", "url text", "general full", "protocol h2", "security tls", "ecdhersa", "asn45544", "reverse dns", "resource", "hash", "as45544", "vn note", "backdoor", "generic", "cnc activity", "passive dns", "ipv4 add", "company limited", "dnssec", "hostname add", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "t1480 execution", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ip address", "vietnam", "location viet", "nam flag", "urlhttp", "extracted files", "unicode text", "utf8 text", "lowfihstr", "trojan", "mtb trojan", "spawns", "found", "process details", "flag", "contacted", "xb6x04x00", "t1055", "search", "read c", "cnlolcat", "microsoft", "medium", "entries", "unknown", "virtool", "malware", "copy", "write", "win32", "next", "url add", "http", "hostname", "files domain", "files related", "related tags", "china unknown", "creation date", "body", "please", "x msedge", "tracking" ], "references": [ "anonsecbotnet.cameraddns.net", "https://api.playit.gg/agents/routing/get", "http://www.google.com-viruswall1-source-cloud-computing-services-distribution.cpdev.dyson.cn/", "https://www.endgamesystems.com/", "IDS Detections : DNS Rep Sinkhole - Microsoft - 199.2.137.0/24" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:MSIL/Ranos.A", "display_name": "Trojan:MSIL/Ranos.A", "target": "/malware/Trojan:MSIL/Ranos.A" }, { "id": "Trojan:MSIL/ClipBanker.GC!MTB", "display_name": "Trojan:MSIL/ClipBanker.GC!MTB", "target": "/malware/Trojan:MSIL/ClipBanker.GC!MTB" }, { "id": "Win.Packed.Msilperseus-9956592-0", "display_name": "Win.Packed.Msilperseus-9956592-0", "target": null }, { "id": "ALF:Backdoor:MSIL/Noancooe.", "display_name": "ALF:Backdoor:MSIL/Noancooe.", "target": null }, { "id": "Win.Trojan.Generic-6417450-0", "display_name": "Win.Trojan.Generic-6417450-0", "target": null }, { "id": "Win.Packed.Bladabindi-6872770-0", "display_name": "Win.Packed.Bladabindi-6872770-0", "target": null }, { "id": "#LowFiHSTR:MSIL/Confuser", "display_name": "#LowFiHSTR:MSIL/Confuser", "target": "/malware/#LowFiHSTR:MSIL/Confuser" }, { "id": "Win.Dropper.njRAT-10015886-0", "display_name": "Win.Dropper.njRAT-10015886-0", "target": null }, { "id": "Backdoor:MSIL/Bladabindi.AP", "display_name": "Backdoor:MSIL/Bladabindi.AP", "target": "/malware/Backdoor:MSIL/Bladabindi.AP" }, { "id": "Win.Packed.Generic-9795615-0", "display_name": "Win.Packed.Generic-9795615-0", "target": null }, { "id": "Win.Packed.Generic-9795615-0", "display_name": "Win.Packed.Generic-9795615-0", "target": null }, { "id": "Win.Packed.Fecn-7077459-0", "display_name": "Win.Packed.Fecn-7077459-0", "target": null }, { "id": "Win.Packed.Marsilia-10021147-0", "display_name": "Win.Packed.Marsilia-10021147-0", "target": null }, { "id": "VirTool:Win32/Injector.BO", "display_name": "VirTool:Win32/Injector.BO", "target": "/malware/VirTool:Win32/Injector.BO" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1578.001", "name": "Create Snapshot", "display_name": "T1578.001 - Create Snapshot" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1610, "domain": 147, "hostname": 501, "FileHash-SHA256": 384, "CIDR": 3, "FileHash-MD5": 79, "FileHash-SHA1": 77, "email": 3, "SSLCertFingerprint": 1 }, "indicator_count": 2805, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6916dc43beba2f3839fd7c36", "name": "Ransomware | FIREEYE.COM redirects to www.TRELLIX.com", "description": "FireEye appears to have been a Cybersecurity that now redirects to www.trellix.com. Seen before in a malicious MO.gov w/names of 2 \u2018alleged\u2019 female SA victims. I researched was without realizing it was a CySec.We have researched Trellix , found it to be malicious ; reported false information / documentation. FEDNS1.FIREEYE.COM URL is still found in several searches. So we researched it.\nRe: Safebae the other Mo. Gov SA URL found a\u2019. \u2018non profit\u2019 for Catherine \u2018Daisy\u2019 Coleman that isn\u2019t in any way related to her. It makes me believe it\u2019s could be related to Bae systems a collaboration with Peter Thiel's company Palantir, which provides data analytics software to governments and militaries. Significance: This partnership showcases the convergence of American tech innovation and traditional defense contracting, involving companies like Palantir and BAE Systems. \n\n#foundry #josht _ca #hostile #advesarial #contacted_hosts #safebae_or_bae_systems? #honeypotbot # fireeye #trellix", "modified": "2025-12-14T05:04:31.480000", "created": "2025-11-14T07:37:39.794000", "tags": [ "gmt content", "related tags", "found title", "cache control", "x request", "runtime", "vary", "reverse dns", "ashburn", "resource", "verdict", "address", "read c", "unicode", "high", "memcommit", "delete", "dock", "write", "execution", "next associated", "server response", "port", "destination", "crlf line", "malware", "png image", "rgba", "united states", "medium", "encrypt", "america", "msie", "unknown", "present jan", "name servers", "present oct", "present may", "present mar", "present dec", "present nov", "united", "present apr", "present jun", "urls show", "url hostname", "ip address", "google safe", "results jun", "canada unknown", "passive dns", "canada", "meta name", "robots content", "x ua", "ieedge chrome1", "twitter", "chrome", "urls", "files", "asn as13335", "dns resolutions", "trojan", "trojanspy", "win32", "title", "servers", "unknown ns", "domain", "present aug", "present sep", "files domain", "files related", "none google", "safe browsing", "unknown aaaa", "moved", "cloudfront x", "meta", "ip whois", "registrar", "hostname", "files ip", "ipv4 add", "location united", "america flag", "america asn", "present jul", "virtool", "record value", "dnssec", "meta http", "content", "gmt server", "litespeed x", "present feb", "write c", "as62597 nsone", "as16509", "module load", "t1129", "service", "dynamicloader", "windows", "tofsee", "stream", "hostile", "win64", "delete c", "all ipv4", "url analysis", "status", "error", "aaaa", "ireland unknown", "asn as14618", "backdoor", "a domains", "russia", "mtb nov", "ransom", "displayname", "push", "yara rule", "loaderid", "lidfileupd", "localcfg", "rndhex", "rndchar", "checks", "checks system", "filehash", "av detections", "ids detections", "yara detections", "learn", "command", "adversaries", "ck id", "name tactics", "suspicious", "informative", "spawns", "found", "ssl certificate", "flag", "server", "cloudflare", "csc corporate", "domains", "fireeye", "contacted hosts", "mitre att", "pattern match", "ck matrix", "hybrid", "local", "path", "click", "strings", "foundry", "josht.ca", "paid parking", "parking crews" ], "references": [ "Fireye - FEDNS1.FIREEYE.COM", "http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==", "http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356", "http://p2d.josht.ca/assets/content-delivery/depots/download", "test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/ \u2022 http://pma.josht.ca/ \u2022 http://sa.josht.ca", "http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/", "https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022", "https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/", "https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg", "https://p2d.josht.ca/api/depots/info/?depot=", "https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/", "Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.", "According to newspaper accounts and Daisy Coleman committed suicide in Lakewood , Co in 2021", "Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?", "Daisy was allegedly brutally assaulted by Matthew Barnett,", "Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.", "Is that where they\u2019re getting these names? Rexxfield.com. SMH", "There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.", "According to accounts she was afraid for her life , found to be safe then took her own life?", "Typing a suicide note on social media is suspicious since it could come from your murderer.", "So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?", "Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.", "and our limited information, is Daisy a victim or a crisis actor?", "Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me", "Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.", "Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)", "Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.", "FireEye was there in 2 year old pulse now removed? I\u2019ll find it." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7617, "domain": 1127, "hostname": 3591, "email": 9, "FileHash-SHA256": 1160, "FileHash-MD5": 481, "FileHash-SHA1": 404, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 14403, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "126 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69138421066f81131da59cc5", "name": "Malicious Legal Google Botnet - Treece Alfrey Musat P.C.\u2022 Christopher P. Ahmann Spam - Malicious ", "description": "", "modified": "2025-12-03T00:01:23.660000", "created": "2025-11-11T18:44:49.343000", "tags": [ "status", "date", "name servers", "lowfi", "passive dns", "urls", "domain", "susp", "win32", "search", "win64", "error", "url https", "url http", "ipv4", "type indicator", "role title", "added active", "related pulses", "morocco", "united kingdom", "united", "present nov", "aaaa", "present oct", "cname", "brazil", "malaysia", "title", "present jun", "ip address", "creation date", "record value", "emails", "unknown aaaa", "body", "url add", "pulse pulses", "http", "related nids", "files location", "flag united", "trojan", "trojandropper", "virtool", "entries", "next associated", "ipv4 add", "unknown ns", "present jul", "present sep", "present aug", "win32upatre nov", "candyopen", "tlsv1", "port", "destination", "ogoogle trust", "cngts ca", "show", "read c", "youtube", "copy", "dock", "write", "next", "malware", "persistence", "execution", "filehashmd5", "hostname", "filehashsha256", "types of", "germany", "poland", "indicator role", "title added", "active related", "pulses url", "p1377925676", "gaz1", "sid1696503456", "sct1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6907f7e98289b75f3e5ecaba", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 400, "URL": 2857, "FileHash-MD5": 217, "FileHash-SHA1": 172, "FileHash-SHA256": 1426, "email": 6, "hostname": 1019, "SSLCertFingerprint": 6 }, "indicator_count": 6103, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "137 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://pay.c127.decagonsoftware.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://pay.c127.decagonsoftware.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776611482.7837446 }