{ "type": "URL", "indicator": "https://play.itunes.apple.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://play.itunes.apple.com", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #45", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #2", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain apple.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain apple.com", "name": "Whitelisted domain" }, { "source": "newssite", "message": "Whitelisted news domain apple.com", "name": "Whitelisted newssite network domain" } ], "base_indicator": { "id": 3166305824, "indicator": "https://play.itunes.apple.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-13T23:46:20.071000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 107, "CIDR": 6 }, "indicator_count": 33117, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6962bb143187f7cb571ef6f5", "name": "Pahamify Pegasus", "description": "Hmmm, only able to manually add IOC\u2019s after last pulse.\n\nPulse: Pahamify Pegasus - Apple IOC\u2019s", "modified": "2026-02-09T22:00:25.303000", "created": "2026-01-10T20:48:20.438000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1190, "hostname": 891, "URL": 4201, "FileHash-SHA256": 1555, "email": 33, "FileHash-MD5": 591, "FileHash-SHA1": 400 }, "indicator_count": 8861, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "69 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6962d43456bb524b17e9d5ce", "name": "Apple MyDoom + IOC\u2019s isolated from Palantir related Pahamify Pegasus | BibleGateway App | Drive by & other targeting /.monitoring Access Attacks ", "description": "", "modified": "2026-02-09T22:00:25.303000", "created": "2026-01-10T22:35:32.582000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6962bb143187f7cb571ef6f5", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1190, "hostname": 891, "URL": 4201, "FileHash-SHA256": 1555, "email": 33, "FileHash-MD5": 591, "FileHash-SHA1": 400 }, "indicator_count": 8861, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "69 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6962b68da732abc66a0c2caf", "name": "Der Zugriff \u2022 Kanna \u2022 MyDoom \u2022 Sigur - Pahamify Pegasus", "description": "Pahamify Pegasus | Execution Attack, Access Attack | Drive by Compromise | \nSifting through Pahamify Pegasus this is no longer your computer , injection, google connects, remote connections, remote mouse movement, remote access, Google espionage, bad traffic, Apple complicit access. This is your Google account and browser, this is your appleid. Still researching\u2026. || \n*https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_ ||\nMalware: Der Zugriff ,\nKanna ,\nMyDoom ,\nSigur \n#firebase #google_connection #bible_gateway_honeypot #crypto #hidden_users #who_else", "modified": "2026-02-09T19:00:09.890000", "created": "2026-01-10T20:29:01.675000", "tags": [ "ip address", "status code", "kb body", "iocs", "deny age", "cloudfront", "utc google", "tag manager", "g8t6ln06z40", "utc na", "google tag", "injection", "t1055 malware", "tree", "help v", "defense evasion", "injection t1055", "resolved ips", "get http", "dns resolutions", "v memory", "pattern domains", "full reports", "v help", "memory pattern", "urls https", "hashes", "tiktok", "microsoft", "dashboard falcon", "request", "windows nt", "win64", "khtml", "gecko", "response", "appleid", "united", "name servers", "aaaa", "servers", "moved", "script urls", "passive dns", "urls", "data upload", "extraction", "failed", "jsvendor", "jsapp", "script script", "cssapp", "jsfirebase", "pegasus", "encrypt", "title error", "ipv4", "files", "reverse dns", "united states", "malware", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "t1204 user", "script", "beginstring", "bad traffic", "et info", "null", "title", "refresh", "span", "strings", "error", "tools", "meta", "look", "verify", "restart", "mitre att", "ascii text", "pattern match", "ck matrix", "tls handshake", "hybrid", "general", "local", "path", "click", "ck techniques", "access att", "div div", "a li", "ul div", "record value", "emails", "accept", "referen https", "microsoft-falcon.net", "proxy", "status", "certificate", "updated date", "whois server", "zipcode", "entries http", "scans show", "search", "matches x", "type", "gmt cache", "all ipv4", "america flag", "america asn", "sameorigin", "urls show", "date checked", "url hostname", "server response", "google safe", "results jan", "ipv4 add", "win32mydoom jan", "trojan", "worm", "expiration date", "files show", "date hash", "avast avg", "win32mydoom", "backdoor", "found", "gmt connection", "control", "content type", "twitter", "dynamicloader", "medium", "high", "msie", "wow64", "slcc2", "media center", "write", "global", "domain name", "hostname", "apple", "racebook", "mouse movement", "remote mouse", "domain", "hostname add", "url analysis", "crlf line", "ff d5", "unicode text", "utf8", "ee fc", "yara rule", "f0 ff", "ff bb", "music", "push", "autorun", "unknown", "present sep", "present may", "present jan", "present aug", "cname", "present nov", "present jun", "apache", "body", "pragma", "found registry", "able", "model", "indicator", "source", "show technique", "file", "internet", "errore", "erreur", "download", "service", "crypto", "compiler", "installer", "yang", "updater", "shutdown", "thunk", "este", "install", "reboot", "code", "downloader", "sigur", "kanna", "der zugriff", "google", "chrome", "Pahamify Pegasus", "christoper p. ahmann", "law enforcement", "retaliation", "phone", "espionage", "united states", "m brian sabey", "quasi government", "target", "monitored targeting", "aig", "therahand (old name)", "target: tsara brashears", "douglas county, co", "sheriff", "industry and commerce", "worker\u2019s compensation", "crime", "financial crime", "danger", "nem tih", "amazon", "aws", "amazon aws", "deal", "deal with it lawfully", "pay victim", "protecting reimer" ], "references": [ "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur", "Pahamify Pegasus", "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)", "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android", "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4", "tv.apple.com", "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net", "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A", "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)", "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)", "IDS: TLS Handshake Failure", "Yara Detections BackdoorWin32Simda", "Google_Chrome_64bit_v136.0.7103.49.exe", "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022", "https://wallpapers-nature.com/tsara-brashears/urlscan-io" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "Virus:Win95/Cerebrus", "display_name": "Virus:Win95/Cerebrus", "target": "/malware/Virus:Win95/Cerebrus" }, { "id": "AutoRunIt", "display_name": "AutoRunIt", "target": null }, { "id": "Sigur", "display_name": "Sigur", "target": null }, { "id": "Kanna", "display_name": "Kanna", "target": null }, { "id": "Der Zugriff", "display_name": "Der Zugriff", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1134.002", "name": "Create Process with Token", "display_name": "T1134.002 - Create Process with Token" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1560.002", "name": "Archive via Library", "display_name": "T1560.002 - Archive via Library" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" } ], "industries": [ "Civil Society", "Legal", "Government", "Technology", "Telecommunications", "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6094, "domain": 1195, "hostname": 2001, "FileHash-SHA256": 2598, "FileHash-MD5": 546, "FileHash-SHA1": 403, "email": 16, "CVE": 2, "SSLCertFingerprint": 3 }, "indicator_count": 12858, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "69 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c4b7b44b63ea6ea0c503d8", "name": "Sabey targeting | Gains access to premier Denver Recording Studio", "description": "Intellectual property accessed and distributed. \nSabey and company have access, storage and at will control. Ransomware. Active threat. Likelihood of Pegasus abuse.. Critical alert. Reckless predatory type with motives, tools, knowledge, and colleagues continue cyberstalking and in person contact with SA survivor. Carelessly attacking systems of business and facilities target likely to use, This behavior puts others at risk.", "modified": "2024-03-09T10:04:19.572000", "created": "2024-02-08T11:15:00.329000", "tags": [ "malware", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber espionage", "studio created", "minutes ago", "white goldmax", "sibot", "goldfinder", "python", "indicator role", "title added", "active related", "pulses url", "entries", "url http", "pulses cve", "threat analyzer", "threat", "paste", "iocs", "analyze", "hostnames", "urls http", "sample", "urls https", "filehashsha1", "filehashmd5", "ipv4", "types of", "united kingdom", "united", "india", "china", "search", "pega type", "united states", "url https", "added active", "related pulses", "backdoor type", "discovery", "command", "all octoseek", "formbook", "goldmax", "ransomware", "njrat", "hacktool", "maui ransomware", "worm", "next", "type indicator", "role title", "go", "sabey", "tulach", "targeting tsara brashears", "utah", "whois record", "contacted", "ssl certificate", "referrer", "whois whois", "resolutions", "collections", "bundled", "execution", "lokibot", "tracer tool", "c2", "command and control", "sabey", "targeting", "hacking apple" ], "references": [ "https://side3.com/ | webdisk.side3.com | (http://koshishmarketing.com/mo8igygw3uv/t4z68181/ | malware hosting)", "https://sabeydatacenters.com/", "sabeydatacenters.com", "4jslg.sabeydatacenters.com", "https://sabeydatacenters.com/", "ProflWiz.exe | 1993173153b9112833140c61f28232bd8af7df7a4891fa4796378a6647fe95e0", "https://tulach.cc/ | [phishing | malware engineering]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing | data collection | property theft | target]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "nr-data.net [Apple Private Data Collection]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "Go", "display_name": "Go", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Entertainment", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 422, "domain": 240, "hostname": 495, "CVE": 1, "FileHash-MD5": 75, "FileHash-SHA1": 73, "FileHash-SHA256": 843, "email": 2 }, "indicator_count": 2151, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "771 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c4a099f6a2c8fc2bb85d4b", "name": "Cyber espionage & ransomware attacks Denver Recording Studio", "description": "GoldMax is used by UNC2452 as a command-and-control backdoor. It is written in the Go programming language. To hide its activities, it generates dummy traffic.\n\nSibot is a VBScript-based malware that allows attackers to download and run payloads from a remote command-and-control server. It uses file names that are similar to those used in Windows for masquerading. The VBScript is executed through a scheduled task.\n\nGoldFinder is another Go malware used by attackers to access a hardcoded command-and-control (C2) server by logging the route or hops that a packet takes like an HTTP tracer tool.", "modified": "2024-03-09T09:02:09.950000", "created": "2024-02-08T09:36:25.114000", "tags": [ "ssl certificate", "contacted", "historical ssl", "february", "referrer", "threat roundup", "apple ios", "goldfinder", "sibot", "goldmax", "hacktool", "malicious", "formbook", "contacted urls", "resolutions", "malware", "njrat", "ransomware", "open", "cyber criminal", "record type", "ttl value", "dropped", "execution", "hashes hashes", "hashes", "network", "communicating", "maui ransomware", "type name", "jpeg", "ms word", "document", "whois record", "january", "october", "december", "april", "august", "crypto", "awful", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "march", "urls http", "threat network", "problems", "whois whois", "probe", "startpage", "premium", "snatch", "first", "utc submissions", "submitters", "cloudflarenet", "gvb gelimed", "com laude", "mb super", "optimizer", "amazonaes", "summary iocs", "twitter", "united", "as20940", "aaaa", "as714 apple", "as16625 akamai", "win32mydoom feb", "name servers", "trojan", "as6185 apple", "creation date", "virtool", "worm", "date", "win32", "urls", "search", "servers", "targeting", "target", "tsara brashears", "united kingdom", "whitelisted", "as6453 tata", "passive dns", "domain", "as46606", "scan endpoints", "all search", "otx octoseek", "pulse submit", "url analysis", "as54113", "entries", "moved", "body", "unknown", "found", "files", "backdoor", "expiration date", "hallrender", "tulach", "all octoseek", "url http", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "as62597 nsone", "as62729", "showing", "next", "as2914 ntt", "ireland unknown", "germany unknown", "as6461 zayo", "as7843 charter", "as3257 gtt", "ip address", "location united", "for privacy", "record value", "as54990", "bouvet island", "encrypt", "show", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "as15169 google", "domains ii", "sality", "ck id", "ck matrix", "intellectual property theft", "malicious file transfers", "scheme", "threat", "paste", "iocs", "hostnames", "urls https", "urls url", "j490s6lkpppw", "lfqprnkje8dni0" ], "references": [ "https://side3.com/", "https://www.side3.com", "http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]", "http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]", "http://fillmark.net/index.php [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www-temp.metrobyt-mobile.com [malicious | data collection]", "www.icloud.com [wp-login.php]", "webdisk.thehomemakers.nl [spyware | tracking]", "https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]", "URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org", "cs9.wac.phicdn.net.1.1.e64a8639.roksit.net", "www.anyxxxtube.net [malicious data collection]", "s3.amazonaws.com [targeting data collection]", "https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]", "api.utah.edu [access apple]", "https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]", "tv.apple.com", "104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]", "andrewka6.pythonanywhere.com [python connection - apple]", "http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma", "https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign", "sonymobilemail.com", "https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf", "pegahpouraseflaw.info", "http://mouthgrave.net/index.php", "ransomed.vc", "Intellectual property accessed and distributed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Cyber Criminal", "display_name": "Cyber Criminal", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax", "display_name": "GoldMax", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Worm:Win32/Mydoom", "display_name": "Worm:Win32/Mydoom", "target": "/malware/Worm:Win32/Mydoom" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null } ], "attack_ids": [ { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Recording Industry", "Entertainers", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5271, "FileHash-MD5": 899, "FileHash-SHA1": 881, "FileHash-SHA256": 5609, "domain": 2199, "hostname": 3205, "CVE": 1, "email": 9 }, "indicator_count": 18074, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "771 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c4a1c74cf5f1af5be6464e", "name": " authsmtp.sabeydatacenters.com | tulach gained access to Side3 Studios Denver\t\t", "description": "", "modified": "2024-03-09T09:02:09.950000", "created": "2024-02-08T09:41:27.252000", "tags": [ "ssl certificate", "contacted", "historical ssl", "february", "referrer", "threat roundup", "apple ios", "goldfinder", "sibot", "goldmax", "hacktool", "malicious", "formbook", "contacted urls", "resolutions", "malware", "njrat", "ransomware", "open", "cyber criminal", "record type", "ttl value", "dropped", "execution", "hashes hashes", "hashes", "network", "communicating", "maui ransomware", "type name", "jpeg", "ms word", "document", "whois record", "january", "october", "december", "april", "august", "crypto", "awful", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "march", "urls http", "threat network", "problems", "whois whois", "probe", "startpage", "premium", "snatch", "first", "utc submissions", "submitters", "cloudflarenet", "gvb gelimed", "com laude", "mb super", "optimizer", "amazonaes", "summary iocs", "twitter", "united", "as20940", "aaaa", "as714 apple", "as16625 akamai", "win32mydoom feb", "name servers", "trojan", "as6185 apple", "creation date", "virtool", "worm", "date", "win32", "urls", "search", "servers", "targeting", "target", "tsara brashears", "united kingdom", "whitelisted", "as6453 tata", "passive dns", "domain", "as46606", "scan endpoints", "all search", "otx octoseek", "pulse submit", "url analysis", "as54113", "entries", "moved", "body", "unknown", "found", "files", "backdoor", "expiration date", "hallrender", "tulach", "all octoseek", "url http", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "as62597 nsone", "as62729", "showing", "next", "as2914 ntt", "ireland unknown", "germany unknown", "as6461 zayo", "as7843 charter", "as3257 gtt", "ip address", "location united", "for privacy", "record value", "as54990", "bouvet island", "encrypt", "show", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "as15169 google", "domains ii", "sality", "ck id", "ck matrix", "intellectual property theft", "malicious file transfers", "scheme", "threat", "paste", "iocs", "hostnames", "urls https", "urls url", "j490s6lkpppw", "lfqprnkje8dni0" ], "references": [ "https://side3.com/", "https://www.side3.com", "http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]", "http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]", "http://fillmark.net/index.php [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www-temp.metrobyt-mobile.com [malicious | data collection]", "www.icloud.com [wp-login.php]", "webdisk.thehomemakers.nl [spyware | tracking]", "https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]", "URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org", "cs9.wac.phicdn.net.1.1.e64a8639.roksit.net", "www.anyxxxtube.net [malicious data collection]", "s3.amazonaws.com [targeting data collection]", "https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]", "api.utah.edu [access apple]", "https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]", "tv.apple.com", "104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]", "andrewka6.pythonanywhere.com [python connection - apple]", "http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma", "https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign", "sonymobilemail.com", "https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf", "pegahpouraseflaw.info", "http://mouthgrave.net/index.php", "ransomed.vc", "Intellectual property accessed and distributed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Cyber Criminal", "display_name": "Cyber Criminal", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax", "display_name": "GoldMax", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Worm:Win32/Mydoom", "display_name": "Worm:Win32/Mydoom", "target": "/malware/Worm:Win32/Mydoom" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null } ], "attack_ids": [ { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Recording Industry", "Entertainers", "Civil Society" ], "TLP": "white", "cloned_from": "65c4a099f6a2c8fc2bb85d4b", "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5271, "FileHash-MD5": 899, "FileHash-SHA1": 881, "FileHash-SHA256": 5609, "domain": 2199, "hostname": 3205, "CVE": 1, "email": 9 }, "indicator_count": 18074, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "771 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "webdisk.thehomemakers.nl [spyware | tracking]", "www.icloud.com [wp-login.php]", "ransomed.vc", "http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]", "sonymobilemail.com", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com", "cs9.wac.phicdn.net.1.1.e64a8639.roksit.net", "www.anyxxxtube.net [malicious data collection]", "https://sabeydatacenters.com/", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "tv.apple.com", "URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org", "api.utah.edu [access apple]", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "andrewka6.pythonanywhere.com [python connection - apple]", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)", "http://fillmark.net/index.php [phishing]", "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "sabeydatacenters.com", "nr-data.net [Apple Private Data Collection]", "http://mouthgrave.net/index.php", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7", "http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]", "https://side3.com/", "Google_Chrome_64bit_v136.0.7103.49.exe", "https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "Pahamify Pegasus", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A", "https://tulach.cc/ | [phishing | malware engineering]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign", "ProflWiz.exe | 1993173153b9112833140c61f28232bd8af7df7a4891fa4796378a6647fe95e0", "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android", "nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]", "www-temp.metrobyt-mobile.com [malicious | data collection]", "s3.amazonaws.com [targeting data collection]", "104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing | data collection | property theft | target]", "Intellectual property accessed and distributed", "Yara Detections BackdoorWin32Simda", "https://side3.com/ | webdisk.side3.com | (http://koshishmarketing.com/mo8igygw3uv/t4z68181/ | malware hosting)", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "Obfuscation: XOR-based String Encryption (0x20)", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022", "https://www.side3.com", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4", "http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma", "https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset.", "4jslg.sabeydatacenters.com", "IDS: TLS Handshake Failure", "pegahpouraseflaw.info", "T1110.001 (Brute Force: Password Guessing)", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s" ], "malware_families": [ "Njrat", "Maui ransomware", "Virus:win95/cerebrus", "Goldfinder", "Hacktool", "Tulach", "Sabey", "Trojan:win32/pariham.a", "Sibot", "Sality", "Goldmax", "Go", "Formbook", "Autorunit", "Malware family: stealthworker / gobrut", "Md5 hash: f8add7e7161460ea2b1970cf4ca535bf", "Kanna", "Mydoom", "Worm:win32/mydoom", "Sigur", "Ransomware", "Der zugriff", "Cyber criminal" ], "industries": [ "Entertainers", "Legal", "Entertainment", "Telecommunications", "Recording industry", "Civil society", "Government", "Technology", "Financial" ], "unique_indicators": 58043 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/apple.com", "whois": "http://whois.domaintools.com/apple.com", "domain": "apple.com", "hostname": "play.itunes.apple.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-13T23:46:20.071000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 107, "CIDR": 6 }, "indicator_count": 33117, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6962bb143187f7cb571ef6f5", "name": "Pahamify Pegasus", "description": "Hmmm, only able to manually add IOC\u2019s after last pulse.\n\nPulse: Pahamify Pegasus - Apple IOC\u2019s", "modified": "2026-02-09T22:00:25.303000", "created": "2026-01-10T20:48:20.438000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1190, "hostname": 891, "URL": 4201, "FileHash-SHA256": 1555, "email": 33, "FileHash-MD5": 591, "FileHash-SHA1": 400 }, "indicator_count": 8861, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "69 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6962d43456bb524b17e9d5ce", "name": "Apple MyDoom + IOC\u2019s isolated from Palantir related Pahamify Pegasus | BibleGateway App | Drive by & other targeting /.monitoring Access Attacks ", "description": "", "modified": "2026-02-09T22:00:25.303000", "created": "2026-01-10T22:35:32.582000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6962bb143187f7cb571ef6f5", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1190, "hostname": 891, "URL": 4201, "FileHash-SHA256": 1555, "email": 33, "FileHash-MD5": 591, "FileHash-SHA1": 400 }, "indicator_count": 8861, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "69 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6962b68da732abc66a0c2caf", "name": "Der Zugriff \u2022 Kanna \u2022 MyDoom \u2022 Sigur - Pahamify Pegasus", "description": "Pahamify Pegasus | Execution Attack, Access Attack | Drive by Compromise | \nSifting through Pahamify Pegasus this is no longer your computer , injection, google connects, remote connections, remote mouse movement, remote access, Google espionage, bad traffic, Apple complicit access. This is your Google account and browser, this is your appleid. Still researching\u2026. || \n*https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_ ||\nMalware: Der Zugriff ,\nKanna ,\nMyDoom ,\nSigur \n#firebase #google_connection #bible_gateway_honeypot #crypto #hidden_users #who_else", "modified": "2026-02-09T19:00:09.890000", "created": "2026-01-10T20:29:01.675000", "tags": [ "ip address", "status code", "kb body", "iocs", "deny age", "cloudfront", "utc google", "tag manager", "g8t6ln06z40", "utc na", "google tag", "injection", "t1055 malware", "tree", "help v", "defense evasion", "injection t1055", "resolved ips", "get http", "dns resolutions", "v memory", "pattern domains", "full reports", "v help", "memory pattern", "urls https", "hashes", "tiktok", "microsoft", "dashboard falcon", "request", "windows nt", "win64", "khtml", "gecko", "response", "appleid", "united", "name servers", "aaaa", "servers", "moved", "script urls", "passive dns", "urls", "data upload", "extraction", "failed", "jsvendor", "jsapp", "script script", "cssapp", "jsfirebase", "pegasus", "encrypt", "title error", "ipv4", "files", "reverse dns", "united states", "malware", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "t1204 user", "script", "beginstring", "bad traffic", "et info", "null", "title", "refresh", "span", "strings", "error", "tools", "meta", "look", "verify", "restart", "mitre att", "ascii text", "pattern match", "ck matrix", "tls handshake", "hybrid", "general", "local", "path", "click", "ck techniques", "access att", "div div", "a li", "ul div", "record value", "emails", "accept", "referen https", "microsoft-falcon.net", "proxy", "status", "certificate", "updated date", "whois server", "zipcode", "entries http", "scans show", "search", "matches x", "type", "gmt cache", "all ipv4", "america flag", "america asn", "sameorigin", "urls show", "date checked", "url hostname", "server response", "google safe", "results jan", "ipv4 add", "win32mydoom jan", "trojan", "worm", "expiration date", "files show", "date hash", "avast avg", "win32mydoom", "backdoor", "found", "gmt connection", "control", "content type", "twitter", "dynamicloader", "medium", "high", "msie", "wow64", "slcc2", "media center", "write", "global", "domain name", "hostname", "apple", "racebook", "mouse movement", "remote mouse", "domain", "hostname add", "url analysis", "crlf line", "ff d5", "unicode text", "utf8", "ee fc", "yara rule", "f0 ff", "ff bb", "music", "push", "autorun", "unknown", "present sep", "present may", "present jan", "present aug", "cname", "present nov", "present jun", "apache", "body", "pragma", "found registry", "able", "model", "indicator", "source", "show technique", "file", "internet", "errore", "erreur", "download", "service", "crypto", "compiler", "installer", "yang", "updater", "shutdown", "thunk", "este", "install", "reboot", "code", "downloader", "sigur", "kanna", "der zugriff", "google", "chrome", "Pahamify Pegasus", "christoper p. ahmann", "law enforcement", "retaliation", "phone", "espionage", "united states", "m brian sabey", "quasi government", "target", "monitored targeting", "aig", "therahand (old name)", "target: tsara brashears", "douglas county, co", "sheriff", "industry and commerce", "worker\u2019s compensation", "crime", "financial crime", "danger", "nem tih", "amazon", "aws", "amazon aws", "deal", "deal with it lawfully", "pay victim", "protecting reimer" ], "references": [ "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur", "Pahamify Pegasus", "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)", "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android", "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4", "tv.apple.com", "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net", "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A", "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)", "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)", "IDS: TLS Handshake Failure", "Yara Detections BackdoorWin32Simda", "Google_Chrome_64bit_v136.0.7103.49.exe", "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022", "https://wallpapers-nature.com/tsara-brashears/urlscan-io" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "Virus:Win95/Cerebrus", "display_name": "Virus:Win95/Cerebrus", "target": "/malware/Virus:Win95/Cerebrus" }, { "id": "AutoRunIt", "display_name": "AutoRunIt", "target": null }, { "id": "Sigur", "display_name": "Sigur", "target": null }, { "id": "Kanna", "display_name": "Kanna", "target": null }, { "id": "Der Zugriff", "display_name": "Der Zugriff", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1134.002", "name": "Create Process with Token", "display_name": "T1134.002 - Create Process with Token" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1560.002", "name": "Archive via Library", "display_name": "T1560.002 - Archive via Library" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" } ], "industries": [ "Civil Society", "Legal", "Government", "Technology", "Telecommunications", "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6094, "domain": 1195, "hostname": 2001, "FileHash-SHA256": 2598, "FileHash-MD5": 546, "FileHash-SHA1": 403, "email": 16, "CVE": 2, "SSLCertFingerprint": 3 }, "indicator_count": 12858, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "69 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c4b7b44b63ea6ea0c503d8", "name": "Sabey targeting | Gains access to premier Denver Recording Studio", "description": "Intellectual property accessed and distributed. \nSabey and company have access, storage and at will control. Ransomware. Active threat. Likelihood of Pegasus abuse.. Critical alert. Reckless predatory type with motives, tools, knowledge, and colleagues continue cyberstalking and in person contact with SA survivor. Carelessly attacking systems of business and facilities target likely to use, This behavior puts others at risk.", "modified": "2024-03-09T10:04:19.572000", "created": "2024-02-08T11:15:00.329000", "tags": [ "malware", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber espionage", "studio created", "minutes ago", "white goldmax", "sibot", "goldfinder", "python", "indicator role", "title added", "active related", "pulses url", "entries", "url http", "pulses cve", "threat analyzer", "threat", "paste", "iocs", "analyze", "hostnames", "urls http", "sample", "urls https", "filehashsha1", "filehashmd5", "ipv4", "types of", "united kingdom", "united", "india", "china", "search", "pega type", "united states", "url https", "added active", "related pulses", "backdoor type", "discovery", "command", "all octoseek", "formbook", "goldmax", "ransomware", "njrat", "hacktool", "maui ransomware", "worm", "next", "type indicator", "role title", "go", "sabey", "tulach", "targeting tsara brashears", "utah", "whois record", "contacted", "ssl certificate", "referrer", "whois whois", "resolutions", "collections", "bundled", "execution", "lokibot", "tracer tool", "c2", "command and control", "sabey", "targeting", "hacking apple" ], "references": [ "https://side3.com/ | webdisk.side3.com | (http://koshishmarketing.com/mo8igygw3uv/t4z68181/ | malware hosting)", "https://sabeydatacenters.com/", "sabeydatacenters.com", "4jslg.sabeydatacenters.com", "https://sabeydatacenters.com/", "ProflWiz.exe | 1993173153b9112833140c61f28232bd8af7df7a4891fa4796378a6647fe95e0", "https://tulach.cc/ | [phishing | malware engineering]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing | data collection | property theft | target]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "nr-data.net [Apple Private Data Collection]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "Go", "display_name": "Go", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Entertainment", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 422, "domain": 240, "hostname": 495, "CVE": 1, "FileHash-MD5": 75, "FileHash-SHA1": 73, "FileHash-SHA256": 843, "email": 2 }, "indicator_count": 2151, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "771 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c4a099f6a2c8fc2bb85d4b", "name": "Cyber espionage & ransomware attacks Denver Recording Studio", "description": "GoldMax is used by UNC2452 as a command-and-control backdoor. It is written in the Go programming language. To hide its activities, it generates dummy traffic.\n\nSibot is a VBScript-based malware that allows attackers to download and run payloads from a remote command-and-control server. It uses file names that are similar to those used in Windows for masquerading. The VBScript is executed through a scheduled task.\n\nGoldFinder is another Go malware used by attackers to access a hardcoded command-and-control (C2) server by logging the route or hops that a packet takes like an HTTP tracer tool.", "modified": "2024-03-09T09:02:09.950000", "created": "2024-02-08T09:36:25.114000", "tags": [ "ssl certificate", "contacted", "historical ssl", "february", "referrer", "threat roundup", "apple ios", "goldfinder", "sibot", "goldmax", "hacktool", "malicious", "formbook", "contacted urls", "resolutions", "malware", "njrat", "ransomware", "open", "cyber criminal", "record type", "ttl value", "dropped", "execution", "hashes hashes", "hashes", "network", "communicating", "maui ransomware", "type name", "jpeg", "ms word", "document", "whois record", "january", "october", "december", "april", "august", "crypto", "awful", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "march", "urls http", "threat network", "problems", "whois whois", "probe", "startpage", "premium", "snatch", "first", "utc submissions", "submitters", "cloudflarenet", "gvb gelimed", "com laude", "mb super", "optimizer", "amazonaes", "summary iocs", "twitter", "united", "as20940", "aaaa", "as714 apple", "as16625 akamai", "win32mydoom feb", "name servers", "trojan", "as6185 apple", "creation date", "virtool", "worm", "date", "win32", "urls", "search", "servers", "targeting", "target", "tsara brashears", "united kingdom", "whitelisted", "as6453 tata", "passive dns", "domain", "as46606", "scan endpoints", "all search", "otx octoseek", "pulse submit", "url analysis", "as54113", "entries", "moved", "body", "unknown", "found", "files", "backdoor", "expiration date", "hallrender", "tulach", "all octoseek", "url http", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "as62597 nsone", "as62729", "showing", "next", "as2914 ntt", "ireland unknown", "germany unknown", "as6461 zayo", "as7843 charter", "as3257 gtt", "ip address", "location united", "for privacy", "record value", "as54990", "bouvet island", "encrypt", "show", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "as15169 google", "domains ii", "sality", "ck id", "ck matrix", "intellectual property theft", "malicious file transfers", "scheme", "threat", "paste", "iocs", "hostnames", "urls https", "urls url", "j490s6lkpppw", "lfqprnkje8dni0" ], "references": [ "https://side3.com/", "https://www.side3.com", "http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]", "http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]", "http://fillmark.net/index.php [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www-temp.metrobyt-mobile.com [malicious | data collection]", "www.icloud.com [wp-login.php]", "webdisk.thehomemakers.nl [spyware | tracking]", "https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]", "URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org", "cs9.wac.phicdn.net.1.1.e64a8639.roksit.net", "www.anyxxxtube.net [malicious data collection]", "s3.amazonaws.com [targeting data collection]", "https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]", "api.utah.edu [access apple]", "https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]", "tv.apple.com", "104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]", "andrewka6.pythonanywhere.com [python connection - apple]", "http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma", "https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign", "sonymobilemail.com", "https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf", "pegahpouraseflaw.info", "http://mouthgrave.net/index.php", "ransomed.vc", "Intellectual property accessed and distributed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Cyber Criminal", "display_name": "Cyber Criminal", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax", "display_name": "GoldMax", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Worm:Win32/Mydoom", "display_name": "Worm:Win32/Mydoom", "target": "/malware/Worm:Win32/Mydoom" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null } ], "attack_ids": [ { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Recording Industry", "Entertainers", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5271, "FileHash-MD5": 899, "FileHash-SHA1": 881, "FileHash-SHA256": 5609, "domain": 2199, "hostname": 3205, "CVE": 1, "email": 9 }, "indicator_count": 18074, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "771 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c4a1c74cf5f1af5be6464e", "name": " authsmtp.sabeydatacenters.com | tulach gained access to Side3 Studios Denver\t\t", "description": "", "modified": "2024-03-09T09:02:09.950000", "created": "2024-02-08T09:41:27.252000", "tags": [ "ssl certificate", "contacted", "historical ssl", "february", "referrer", "threat roundup", "apple ios", "goldfinder", "sibot", "goldmax", "hacktool", "malicious", "formbook", "contacted urls", "resolutions", "malware", "njrat", "ransomware", "open", "cyber criminal", "record type", "ttl value", "dropped", "execution", "hashes hashes", "hashes", "network", "communicating", "maui ransomware", "type name", "jpeg", "ms word", "document", "whois record", "january", "october", "december", "april", "august", "crypto", "awful", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "march", "urls http", "threat network", "problems", "whois whois", "probe", "startpage", "premium", "snatch", "first", "utc submissions", "submitters", "cloudflarenet", "gvb gelimed", "com laude", "mb super", "optimizer", "amazonaes", "summary iocs", "twitter", "united", "as20940", "aaaa", "as714 apple", "as16625 akamai", "win32mydoom feb", "name servers", "trojan", "as6185 apple", "creation date", "virtool", "worm", "date", "win32", "urls", "search", "servers", "targeting", "target", "tsara brashears", "united kingdom", "whitelisted", "as6453 tata", "passive dns", "domain", "as46606", "scan endpoints", "all search", "otx octoseek", "pulse submit", "url analysis", "as54113", "entries", "moved", "body", "unknown", "found", "files", "backdoor", "expiration date", "hallrender", "tulach", "all octoseek", "url http", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "as62597 nsone", "as62729", "showing", "next", "as2914 ntt", "ireland unknown", "germany unknown", "as6461 zayo", "as7843 charter", "as3257 gtt", "ip address", "location united", "for privacy", "record value", "as54990", "bouvet island", "encrypt", "show", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "as15169 google", "domains ii", "sality", "ck id", "ck matrix", "intellectual property theft", "malicious file transfers", "scheme", "threat", "paste", "iocs", "hostnames", "urls https", "urls url", "j490s6lkpppw", "lfqprnkje8dni0" ], "references": [ "https://side3.com/", "https://www.side3.com", "http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]", "http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]", "http://fillmark.net/index.php [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www-temp.metrobyt-mobile.com [malicious | data collection]", "www.icloud.com [wp-login.php]", "webdisk.thehomemakers.nl [spyware | tracking]", "https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]", "URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org", "cs9.wac.phicdn.net.1.1.e64a8639.roksit.net", "www.anyxxxtube.net [malicious data collection]", "s3.amazonaws.com [targeting data collection]", "https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]", "api.utah.edu [access apple]", "https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]", "tv.apple.com", "104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]", "andrewka6.pythonanywhere.com [python connection - apple]", "http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma", "https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign", "sonymobilemail.com", "https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf", "pegahpouraseflaw.info", "http://mouthgrave.net/index.php", "ransomed.vc", "Intellectual property accessed and distributed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Cyber Criminal", "display_name": "Cyber Criminal", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax", "display_name": "GoldMax", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Worm:Win32/Mydoom", "display_name": "Worm:Win32/Mydoom", "target": "/malware/Worm:Win32/Mydoom" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null } ], "attack_ids": [ { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Recording Industry", "Entertainers", "Civil Society" ], "TLP": "white", "cloned_from": "65c4a099f6a2c8fc2bb85d4b", "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5271, "FileHash-MD5": 899, "FileHash-SHA1": 881, "FileHash-SHA256": 5609, "domain": 2199, "hostname": 3205, "CVE": 1, "email": 9 }, "indicator_count": 18074, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "771 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://play.itunes.apple.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://play.itunes.apple.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776641526.2139845 }