{ "type": "URL", "indicator": "https://pmang.window.open", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://pmang.window.open", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 2486015579, "indicator": "https://pmang.window.open", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "69e4e7cfdc3bb3cdffeecf7c", "name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]", "description": "", "modified": "2026-04-19T14:33:51.385000", "created": "2026-04-19T14:33:51.385000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "656a971ab44409ecb7018428", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "8 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e4e7c6ddf646eb4e645bd5", "name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]", "description": "", "modified": "2026-04-19T14:33:42.400000", "created": "2026-04-19T14:33:42.400000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "656a971ab44409ecb7018428", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "8 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e434769e2a43c088066ca2", "name": "Kraddare \u2022 Agent Tesla \u2022 CVE Jar clone credit octoseek", "description": "", "modified": "2026-04-19T07:36:41.138000", "created": "2026-04-19T01:48:38.335000", "tags": [ "heur", "cisco umbrella", "site", "alexa top", "malware", "million", "xcnfe", "maltiverse", "malware site", "safe site", "malicious", "trojan", "artemis", "vidar", "redline stealer", "raccoon", "keylogger", "riskware", "agent tesla", "remcos", "stealer", "miner", "hacktool", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "detplock", "networm", "win64", "service", "smokeloader", "dropper", "crack", "alexa", "trojanspy", "detection list", "blacklist https", "kyriazhs1975", "noname057", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "blacklist", "cyber threat", "united", "engineering", "phishing", "covid19", "facebook", "phishing site", "paypal", "njrat", "emotet", "nanocore rat", "meterpreter", "azorult", "download", "msil", "bladabindi", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "cve201711882", "redline", "ssl certificate", "tsara brashears", "cyberstalking", "spyware", "apple ios", "quasar", "ransomware", "malware norad", "cry kill", "attack", "installer", "formbook", "lockbit", "open", "banker", "bazarloader", "core", "ransomexx", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "ascii text", "null", "date", "error", "span", "refresh", "class", "generator", "critical", "body", "look", "verify", "restart", "meta", "hybrid", "general", "click", "strings", "tools", "as141773", "as63932", "moved", "passive dns", "search", "entries", "gmt content", "type", "keep alive", "scan endpoints", "all octoseek", "pulse pulses", "as17806 mango", "blacklist http", "phishtank", "malicious site", "apple", "blockchain", "runescape", "twitter", "qakbot", "asyncrat", "team", "internet storm", "generic", "union", "bazaloader", "media", "generic malware", "hostname", "suppobox", "netwire rc", "installcore", "conduit", "iobit", "mediaget", "outbreak", "acint", "installpack", "phish", "rostpay", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "filetour", "wacatac", "fusioncore", "dapato", "cleaner", "softonic", "encpk", "qbot", "predator", "swrort", "kraddare", "systweak", "dllinject", "driverpack", "iframe", "downldr", "presenoker", "as61317", "asnone united", "urls", "files", "next", "as15169 google", "japan unknown", "as17506 arteria", "as32244 liquid", "as49505", "russia unknown", "expired", "domain", "falcon", "as19969", "ipv4", "ransom", "encrypt", "file", "windows nt", "indicator", "response", "appdata", "gmt contenttype", "png image", "local", "contacted", "fali malicious", "dropped", "communicating", "referrer", "fali contacted", "silk road", "immediate", "cymulate2", "tsara brashears", "malvertizing" ], "references": [ "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "alohatube.xyz", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://alohatube.xyz/search/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "ww.google.com.uy", "https://alohatube.xyz/search/tsara-brashears", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://polling.portal.gov.bd/js/npc.script.js", "polling.portal.gov.bd", "https://polling.portal.gov.bd/js/npop.script.js", "http://watchhers.net/index.php", "https://brandyallen.com/2022/11/23/sexy", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://park.above.com/jr.php?gz=DjDNgvDQ0WlpBALxevxSvkF3jBH95b5riUvmgFjb1tbPDV06suYFlRcPA34ufLE5UZ8spiM7ya7tRXR8nLUgk920DSaIXniiR5hkoveznG%20mez7OU5R%20HKIczV475LuRwxm3J1pcRSpQcePtF/4aD%20frLO%205mYc0Maj8Z1IwBeAMESc9Gk3BzCkGUHNVeCAZ9vZrQhEeVvN%20QVBAu1boZNJTnvCAP0lB5ebMSP92bFHD/ItyL53LoVDSYWMd64KTNMMJaXE0kZVqQn/%20STriQbrA6cmW3Xj4sAJ3XXEbNNJzTbIvgsy00PlKWInEUK/iXzVecaBsXg3vkUcvkeM3HPPIajaBexXO7ATYz/qTeKAksI9l2IoDAsn0S9BYCTuP8uTYdgJAv0LO%20MkNBOrSqJnFQzTlNxG4NRSP6K4VDWklVPpCwQc/s/AfrwIdLcdrV6CQDLaluG1naOjXDc", "http://nhrc.portal.gov.bd/sites/default/files/files/nhrc.portal.gov.bd/page/348ec5eb_22f8_4754_bb62_6a0d15ba1513/Study-Report-on-Sexual-Offences_Final.pdf", "https://twitter.com/PORNO_SEXYBABES", "https://alohatube.xyz/search/sex-mom-dog-animal", "https://www.colorfulbox.jp/", "Hybrid Analysis", "Any.run", "OTX AlienVault", "Urlscan", "UrlVoid", "http://emrd.gov.bd/dead.php", "http://titasgas.portal.gov.bd/dead.php", "http://mincom.gov.bd/dead.php", "http://cabinet.gov.bd/dead.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Malaysia", "Bangladesh" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Racoon Stealer", "display_name": "Racoon Stealer", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Bazaar Loader", "display_name": "Bazaar Loader", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Detplock", "display_name": "Detplock", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null }, { "id": "Ghandi", "display_name": "Ghandi", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swort", "display_name": "Swort", "target": null }, { "id": "Silk Road", "display_name": "Silk Road", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:VBS/Dapato", "display_name": "Worm:VBS/Dapato", "target": "/malware/Worm:VBS/Dapato" }, { "id": "Kraddare", "display_name": "Kraddare", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" } ], "industries": [], "TLP": "green", "cloned_from": "654a7a53317c717d1f4fee7f", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2522, "FileHash-SHA1": 862, "FileHash-SHA256": 2855, "URL": 7963, "domain": 1168, "hostname": 3181, "CVE": 13, "email": 2, "IPv4": 1 }, "indicator_count": 18567, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "15 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c1bd40f81db45dc044697c", "name": "Masterkey Clone By CallmeDoris", "description": "", "modified": "2026-03-23T22:22:56.940000", "created": "2026-03-23T22:22:56.940000", "tags": [ "dropped file", "chromeua", "runtime data", "drmedgeua", "edgeua", "generator", "win64", "null", "template", "unknown", "critical", "addressbar", "desktop", "dark", "light", "iframe", "cookie", "meta", "body", "legend", "dwis", "core", "tear", "malicious", "mozilla", "strings", "qakbot", "://masterkey.com.ua/download/MKClientSetup.exe" ], "references": [ "https://hybrid-analysis.com/sample/41859e0b198fbe88772ef12c577023c0481ec19867e410bab335e67fea87c1bb/642ca80cde2048242a0e097d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": "642db7b656049e54b2f71c20", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 949, "URL": 5642, "CVE": 2, "domain": 509, "FileHash-SHA256": 293, "FileHash-MD5": 550, "FileHash-SHA1": 60, "email": 5 }, "indicator_count": 8010, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "27 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6940b852c28f2a2c6abb4aad", "name": "FRITZ!Box \u2026.Connecting to Apple devices", "description": "Connecting to targeted Apple\ndevices overnight. \n\nHow to connect to the FRITZ!Box, how to access all of the product's functions, and what to do with the device if you are not connected to it in your home network.", "modified": "2026-01-15T01:02:47.757000", "created": "2025-12-16T01:39:30.381000", "tags": [ "fritz", "strong", "main navigation", "deutsch", "englisch", "funktionen der", "verbindung zur", "wifi", "ip address", "box avm", "lowfi", "win32", "susp", "urls", "files", "asn as44716", "related tags", "indicator facts", "germany unknown", "a domains", "meta", "typo3", "body doctype", "kasper skaarhoj", "gmt server", "pragma", "a nxdomain", "nxdomain", "whitelisted", "present aug", "present jul", "present oct", "present jun", "united", "present sep", "present nov", "next http", "scans show", "title", "div div", "a li", "wir suchen", "li ul", "avm karriere", "dich a", "reverse dns", "berlin", "germany asn", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "none related", "passive dns", "ipv4", "url analysis", "present dec", "moved", "certificate", "vertriebs gmbh", "aaaa", "as12732 gutcon", "domain", "hostname", "verdict", "files ip", "address", "germany", "as13335", "as8220 colt", "present may", "united kingdom", "regsetvalueexa", "regdword", "regbinary", "show", "yara detections", "regsetvalueexw", "regsz", "medium", "suspicious", "delphi", "malware", "write", "as6878", "msie", "chrome", "gmt content", "germany showing", "createobject", "set http", "search", "high", "read c", "et trojan", "jfif", "ascii text", "detected", "trojan generic", "checkin", "pony downloader", "http library", "virustotal", "riskware", "mcafee", "drweb", "vipre", "trojan", "panda", "next", "unknown", "as15169 google", "status", "name servers", "record value", "emails", "error", "trojandropper", "results dec", "ddos", "worm", "mtb trojan", "mtb apr", "exev2e", "ia256", "extraction", "get http", "post http", "learn", "command", "ck id", "name tactics", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "germany germany", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "pattern match", "show technique", "ck matrix", "show process", "network traffic", "t1057", "t1071", "hybrid", "local", "path", "t1204 user", "defense evasion", "t1480 execution", "sha1", "sha256", "size", "script", "null", "span", "refresh", "footer", "body", "june", "general", "click", "strings", "tools", "tracker", "code", "look", "verify", "restart", "bad traffic", "et info", "tls handshake", "failure", "process details", "flag", "link", "present feb", "servers", "redacted for", "as20546 soprado", "encrypt", "mtb sep", "ransom", "next associated", "twitter", "virtool", "hostname add", "location russia", "as200350", "russia unknown", "federation flag", "ipv4 add", "asn as200350", "related", "domain add", "unknown ns", "expiration date", "http version", "windows nt", "gbot", "post method", "port", "destination", "delete", "get na", "as15169", "expiration", "url https", "no expiration", "showing", "entries", "url add", "pulse pulses", "http", "files domain", "files related", "pulses none", "unknown cname", "cname", "asn as24940", "less", "date", "pulse submit" ], "references": [ "https://fritz.box/login | router.box | wlan.box | mesh.box | myfritz.box | https://business.kozow.com/bbox/ |", "https://avm.de/ Connection: close Content Type: text/html charset=iso 8859 1", "AVM Computersysteme Vertriebs GmbH Certificate Subject: IT Certificate Subject *.avm.de Certificate Issuer: US", "Certificate Issuer: DigiCert Inc Certificate Issuer: |DigiCert SHA2 Secur Server CA", "Subject: DE Certificate Subject: Berlin Certificate Subject", "https://uutiskirje.professiogroup.com/go/54382390-5506438-191003959\u241d", "http://b25d1a05.click.convertkit-mail2.com \u2022 https://b25d1a05.click.convertkit-mail2.com", "https://push.adac.passcreator.com/ | passcreator-metrics.e07cc1.flownative.cloud", "ecs-80-158-49-8.reverse.open-telekom-cloud.com", "http://24.211.14.182:5555/login.htm?page=%2F | s5wpr2nreqby04v9.myfritz.ne", "HYPERTRM.EXE - FileHash-SHA256 21cf992aba3d4adbc8a6bd65337f46a93983fbec8fe0f4639be826571ae469ba", "Copyright \u00a9 Hilgraeve, Inc. 2001 Product Microsoft\u00ae Windows\u00ae Operating System Description HyperTerminal Applet", "Original Name HYPERTRM.EXE Internal Name HyperTrm File Version 5.1.2600.0", "Comments HyperTerminal \u00ae was developed by Hilgraeve, Inc. for Microsoft", "ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System", "ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.\t192.168.56.103\t173.194.113.114", "ET TROJAN Trojan Generic - POST To gate.php with no referer\t192.168.56.103\t173.194.113.114", "ET TROJAN Fareit/Pony Downloader Checkin 2\t192.168.56.103\t173.194.113.114", "ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98\t192.168.56.103\t173.194.113.114", "http://applewaebastian.fritz.box/ \u2022 applewaebastian.fritz.box", "http://netuser.joymeng.com/charge_apple/notify", "https://www.passcreator.com/en/apple-wallet-passes", "https://sso.myfritz.net/static/images/icons/apple-touch-icon-76x76.png No", "apple-business.cancom.at", "Apple - 162.55.158.153", "Crypt2.AZDI - FileHash-SHA256 62ffd7a3a21a5732870c4ad92fad7287a5270e4a5508752cfef0aa6f9ea30d1f", "Inject.BRDV - FileHash-SHA256\t25f639cdaae06656ab5e0cc80512146aa59097439c388dd15e4cc09343d9a283", "Win32:Androp - FileHash-MD5 99c6c9564af67a954661ebf6e41391d2", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-MD5\t99c8310538a090d2b7e5db3ea22b839a", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA1-2f7189e96cda26dbb6948354667fdd1ad37c04c0", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA256\tae2fb6755dbf52fa44e427fbe0f29bf541aeedf66656edeb08ba9d7ef1617afc", "Ip Traffic: TCP 74.125.24.106:80 (googleapis.com) TCP 85.195.91.179:80 (catch-cdn.com) UDP :53", "ALF:CERT:Adware:Win32/Peapoon Win.Malware.Midie-6847893-0\tTrojanDropper:Win32/Muldrop.V!MTB Win.Malware.Generickdz-9938530-0\tTrojan:Win32/Zombie.A Win.Malware.Genpack-6989317-0\tTrojanDropper:Win32/VB.IL Win.Trojan.VBGeneric-6735875-0\tWorm:Win32/Mofksys" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#LowFi:Tool:Win32/VbsToExeV2E", "display_name": "#LowFi:Tool:Win32/VbsToExeV2E", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Androp", "display_name": "Androp", "target": null }, { "id": "Inject.BRDV", "display_name": "Inject.BRDV", "target": null }, { "id": "Win32:Androp", "display_name": "Win32:Androp", "target": null }, { "id": "Crypt2.AZDI", "display_name": "Crypt2.AZDI", "target": null }, { "id": "TEL:MSIL/DlSocConSend", "display_name": "TEL:MSIL/DlSocConSend", "target": "/malware/TEL:MSIL/DlSocConSend" }, { "id": "DDOS:Linux/Lightaidra", "display_name": "DDOS:Linux/Lightaidra", "target": "/malware/DDOS:Linux/Lightaidra" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "Trojan:Win32/Salgorea.C!MTB", "display_name": "Trojan:Win32/Salgorea.C!MTB", "target": "/malware/Trojan:Win32/Salgorea.C!MTB" }, { "id": "Worm:Win32/Autorun.XFV", "display_name": "Worm:Win32/Autorun.XFV", "target": "/malware/Worm:Win32/Autorun.XFV" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "Worm:Win32/Yuner.A", "display_name": "Worm:Win32/Yuner.A", "target": "/malware/Worm:Win32/Yuner.A" }, { "id": "Win.Trojan.Zegost", "display_name": "Win.Trojan.Zegost", "target": null }, { "id": "PWS:Win32/QQpass", "display_name": "PWS:Win32/QQpass", "target": "/malware/PWS:Win32/QQpass" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win.Trojan.Generic", "display_name": "Win.Trojan.Generic", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win32/Trickler", "display_name": "Win32/Trickler", "target": null }, { "id": "Win.Malware.Hd0kzai-9985588-0", "display_name": "Win.Malware.Hd0kzai-9985588-0", "target": null }, { "id": "Trojan:Win32/Aenjaris.AL!bit", "display_name": "Trojan:Win32/Aenjaris.AL!bit", "target": "/malware/Trojan:Win32/Aenjaris.AL!bit" }, { "id": "Trojan:Win32/Agent.AG!MTB", "display_name": "Trojan:Win32/Agent.AG!MTB", "target": "/malware/Trojan:Win32/Agent.AG!MTB" }, { "id": "Trojan:Win32/Salgorea", "display_name": "Trojan:Win32/Salgorea", "target": "/malware/Trojan:Win32/Salgorea" }, { "id": "Win.Malware.Barys-6840738-0", "display_name": "Win.Malware.Barys-6840738-0", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Trojan:Win32/EyeStye.T", "display_name": "Trojan:Win32/EyeStye.T", "target": "/malware/Trojan:Win32/EyeStye.T" }, { "id": "wormWin32/Mofksys.RND!MTB", "display_name": "wormWin32/Mofksys.RND!MTB", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "CVE 2007695", "display_name": "CVE 2007695", "target": null } ], "attack_ids": [ { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 927, "hostname": 2093, "FileHash-SHA256": 1474, "URL": 5935, "FileHash-MD5": 351, "FileHash-SHA1": 252, "email": 5, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11040, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "94 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693f3ef3b05672ba47b903e3", "name": "Create Amazing Password Forms - Project Cicada", "description": "Huge pulse of multiple IoC\u2019 from Project Cicada URL\n(not the 3301 Mystery) | Monitored Target | Indont know if it\u2019s related to Havana Syndrome. Is related to State of Colorado , Christopher P. \u2018Buzz\u2019 Ahmann and Tesla Hackers, \n\u201cThe right of a man or woman to retreat into his/her own home and there be free is from UNREASONABLE government intrusion is at the \u201c very core\u201d of the Fourth Amendment.\u201d\nFlorida vs. Jardines 569 U.S. 1 (2013)", "modified": "2026-01-13T22:02:50.260000", "created": "2025-12-14T22:49:23.114000", "tags": [ "cicada", "project cicada", "united states", "quasi government", "asnone country", "united", "moved", "agent", "meta", "title error", "reverse dns", "servers", "urls", "url analysis", "aaaa", "present dec", "ip address", "america flag", "unknown", "Christopher P. \u2018Buzz\u2019 Ahmann", "brian sabey.", "State of Colorado", "date checked", "url hostname", "server response", "google safe", "results mar", "avast avg", "qualified immunity", "address google", "freeman", "mathis", "special forces", "tailored access", "tao", "hacker force", "infiltrate", "manipulate", "sabotage", "tools", "show", "results nov", "9b", "tao operations", "root9b", "hunt operations", "error mar", "over watch", "overkill", "read c", "memcommit", "high", "checks", "windows", "delete", "execution", "dock", "write", "persistence", "capture", "next", "local", "msie", "windows nt", "wow64", "slcc2", "media center", "suspicious_write_exe", "network_icmp", "antisandbox_restart", "creates_largekey", "infostealer_keylogger", "proess_martian", "injection_resumethread", "allocates_rwx", "targeted intelligence", "js_eval", "network_http", "name servers", "value domain", "domain name", "expiration date", "safe browsing", "unknown ns", "record value", "vercel", "certificate", "domain add", "refresh", "encrypt", "x vercel", "k jun", "mtb jul", "next http", "scans record", "value", "deployment not", "ransom", "trojan", "a domains", "safari", "android", "webkit", "animation", "click", "title", "passive dns", "gmt content", "arial helvetica", "ipv4 add", "status", "search", "emails", "as15169 google", "virtool", "cryp", "as396982", "win32", "error", "code", "domain", "showing", "query", "hostile", "observed dns", "et dns", "et info", "dns query", "malware", "push", "gmt cache", "sameorigin", "files", "url add", "http", "related nids", "files location", "flag united", "as44273 host", "hostname add", "unknown aaaa", "win32upatre dec", "mtb dec", "trojandropper", "hstr", "next associated", "backdoor", "entity", "tempe", "present sep", "hostname", "verdict", "lowfi", "usesscrrun", "ipv4", "element", "password", "developers", "create", "forms web", "group", "make sure", "autocomplete", "currentpassword", "make", "extraction", "data upload", "search otx", "ider data", "asn na", "ag da", "source level", "url text", "general full", "url https", "protocol h2", "security tls", "asn16509", "amazon02", "resource", "hash", "as16509", "us note", "route", "redacted for", "script urls", "japan unknown", "present apr", "present mar", "accept", "cookie", "path", "sectigo https", "encrypt https", "log id", "trustasia https", "amazon", "search criteria", "22965417271", "summary leaf", "timestamp entry", "log operator", "https", "script script", "cname", "present jun", "coup", "files ip", "address", "location united", "asn as16509", "color value", "item tile", "gmt max", "primary text", "text color", "play button", "search bar", "dasher", "flag", "bad traffic", "tls handshake", "failure", "analysis tip", "windir", "openurl c", "ascii text", "ck id", "show technique", "mitre att", "ck matrix", "pattern match", "network traffic", "beginstring", "show process", "null", "span", "general", "strings", "look", "verify", "restart", "dynamicloader", "ee fc", "yara rule", "ff d5", "c1 e0", "f0 ff", "ff ff", "eb e2", "ed b8", "fe ff", "june", "polymorphic", "network cnc", "cnc", "dead connect", "present nov", "france unknown", "generic http", "exe upload", "uploading exe", "intel", "ms windows", "medium", "http traffic", "monitored target", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "learn", "command", "suspicious", "informative", "name tactics", "spawns", "t1480 execution", "file defense", "file discovery", "t1071", "t1057", "segoe ui", "script", "html", "body", "twitter", "formbook cnc", "checkin", "pegasus", "get updates", "p2p zeus", "downloader", "mpress", "win32upatre sep", "win32upatre oct", "win32upatre nov", "india unknown", "r61afin", "common upatre", "write c", "cts exe", "ids detections", "open", "present aug", "singapore", "date", "creation date", "pentest people", "tesla hackers", "vietnam unknown", "viet nam", "company limited", "pulse pulses" ], "references": [ "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022", "dev-app.project-cicada.com \u2022 project-cicada.com", "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com", "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92", "Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.", "api.acumatica.flex.redteam.com", "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]", "CICADA Contextual Inference & Comprehensive Analysis Data Agent", "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png", "https://goo.gl/9p2vKq", "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)", "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name", "Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter", "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake", "IDS Detections Gh0stCringe CnC Activity M2", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st", "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks", "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect", "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls", "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K", "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com" ], "public": 1, "adversary": "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Doc.Downloader.EmotetRed02220-9938909-0", "display_name": "Doc.Downloader.EmotetRed02220-9938909-0", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Cymt", "display_name": "Cymt", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.AA", "display_name": "TrojanDownloader:Win32/Upatre.AA", "target": "/malware/TrojanDownloader:Win32/Upatre.AA" }, { "id": "Win.Trojan.Gh0stRAT-9955419-1", "display_name": "Win.Trojan.Gh0stRAT-9955419-1", "target": null }, { "id": "Win32:MalOb-BX", "display_name": "Win32:MalOb-BX", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "VirTool:Win32/Obfuscator.K", "display_name": "VirTool:Win32/Obfuscator.K", "target": "/malware/VirTool:Win32/Obfuscator.K" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11102, "hostname": 4142, "domain": 4251, "email": 15, "FileHash-SHA256": 3108, "FileHash-MD5": 624, "FileHash-SHA1": 490, "CIDR": 1, "SSLCertFingerprint": 3 }, "indicator_count": 23736, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "96 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68e2bb5d9ee8577ab5519f2c", "name": "Meritshealth with DoD links? ", "description": "", "modified": "2026-01-13T00:05:56.401000", "created": "2025-10-05T18:39:25.286000", "tags": [ "gtmk5nxqc6", "utc amazon", "utc na", "acceptencoding", "gmt contenttype", "connection", "true pragma", "gmt setcookie", "httponly", "gmt vary", "nc000000 up", "html document", "unicode text", "utf8 text", "oc0006 http", "http traffic", "https http", "mitre att", "control ta0011", "protocol t1071", "match info", "t1573 severity", "info", "number", "ja3s", "algorithm", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "cnmicrosoft ecc", "update secure", "server ca", "omicrosoft cus", "get http", "dns resolutions", "registrar", "markmonitor inc", "country", "resolver domain", "type name", "html", "apnic", "apnic whois", "please", "rirs", "cidr", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "development att", "name tactics", "binary file", "ck matrix", "wheelchair", "iamrobert", "pattern match", "ascii text", "href", "united", "general", "local", "path", "encrypt", "click", "passive dns", "urls", "files", "reverse dns", "netherlands", "present aug", "a domains", "moved", "first pqc", "ip address", "unknown ns", "unknown aaaa", "title", "body", "meta", "window", "accept", "body doctype", "welcome", "ok server", "gmt content", "present jul", "present sep", "aaaa", "hostname", "error", "defense evasion", "windows nt", "response", "vary", "strings", "core", "t1027.013 encrypted/encoded", "michelin lazy k", "prefetch8", "flag", "date", "starfield", "hybrid", "mobility cr", "extraction", "data upload", "include", "o url", "url url", "included i0", "review ioc", "excluded ic", "suggested", "find sugi", "failed", "cre pul", "enter", "enter sc", "type", "enric", "extra", "type opaste", "data u", "included", "copy md5", "copy sha1", "copy sha256", "null", "refresh", "tools", "look", "verify", "restart", "t1480 execution", "expiration", "url https", "no expiration", "iocs", "ipv4", "text drag", "drop or", "browse to", "select file", "redacted for", "server", "privacy tech", "privacy admin", "postal code", "stateprovince", "organization", "email", "code", "quantum rooms", "sam somalia", "emp", "porn", "media defense", "gov porn", "suck my nips", "reimer suspect", "jeffrey reimer", "dod", "department of defense", "show", "date checked", "url hostname", "server response", "google safe", "results may", "entries http", "scans record", "value status", "sabey type", "merits fake", "y.a.s.", "pornography", "ramsom" ], "references": [ "https://www.meritshealth.com/ Defense.Gov Mobility Co? ", "zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67", "https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf", "https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf", "https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html", "https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com", "https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/", "https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp", "https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg", "https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)", "https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members", "https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210", "https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex", "https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf", "https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo", "https://meumundogay-com.sexogratis.page/locker", "https://es.pornhat.com/models/the-sex-creator/", "Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA", "Can the DoD no questions asked target a SA victim", "Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.", "There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise", "socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov", "There is fear in silence or speaking out", "Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.", "3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?", "If someone is believed to be a threat they have right to due process.", "Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.", "She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.", "Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.", "Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.", "ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot", "iamrobert.com Y.A.S.", "1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam", "Target agreed and complied with all lie detector measures.", "Is the family allowed to have a funeral for Tsara or print an obituary", "No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.", "I am very upset. Whoever is doing this is sick." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "TA0042", "name": "Resource Development", "display_name": "TA0042 - Resource Development" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1562.008", "name": "Disable Cloud Logs", "display_name": "T1562.008 - Disable Cloud Logs" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1180", "name": "Screensaver", "display_name": "T1180 - Screensaver" } ], "industries": [], "TLP": "white", "cloned_from": "68e2b14d83bb63502feac65e", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1365, "URL": 11172, "hostname": 2780, "FileHash-MD5": 381, "FileHash-SHA256": 4420, "FileHash-SHA1": 338, "CIDR": 4, "SSLCertFingerprint": 24, "CVE": 1, "email": 1 }, "indicator_count": 20486, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "96 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68e2b14d83bb63502feac65e", "name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.", "description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?", "modified": "2026-01-07T00:00:30.717000", "created": "2025-10-05T17:56:29.109000", "tags": [ "gtmk5nxqc6", "utc amazon", "utc na", "acceptencoding", "gmt contenttype", "connection", "true pragma", "gmt setcookie", "httponly", "gmt vary", "nc000000 up", "html document", "unicode text", "utf8 text", "oc0006 http", "http traffic", "https http", "mitre att", "control ta0011", "protocol t1071", "match info", "t1573 severity", "info", "number", "ja3s", "algorithm", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "cnmicrosoft ecc", "update secure", "server ca", "omicrosoft cus", "get http", "dns resolutions", "registrar", "markmonitor inc", "country", "resolver domain", "type name", "html", "apnic", "apnic whois", "please", "rirs", "cidr", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "development att", "name tactics", "binary file", "ck matrix", "wheelchair", "iamrobert", "pattern match", "ascii text", "href", "united", "general", "local", "path", "encrypt", "click", "passive dns", "urls", "files", "reverse dns", "netherlands", "present aug", "a domains", "moved", "first pqc", "ip address", "unknown ns", "unknown aaaa", "title", "body", "meta", "window", "accept", "body doctype", "welcome", "ok server", "gmt content", "present jul", "present sep", "aaaa", "hostname", "error", "defense evasion", "windows nt", "response", "vary", "strings", "core", "t1027.013 encrypted/encoded", "michelin lazy k", "prefetch8", "flag", "date", "starfield", "hybrid", "mobility cr", "extraction", "data upload", "include", "o url", "url url", "included i0", "review ioc", "excluded ic", "suggested", "find sugi", "failed", "cre pul", "enter", "enter sc", "type", "enric", "extra", "type opaste", "data u", "included", "copy md5", "copy sha1", "copy sha256", "null", "refresh", "tools", "look", "verify", "restart", "t1480 execution", "expiration", "url https", "no expiration", "iocs", "ipv4", "text drag", "drop or", "browse to", "select file", "redacted for", "server", "privacy tech", "privacy admin", "postal code", "stateprovince", "organization", "email", "code", "quantum rooms", "sam somalia", "emp", "porn", "media defense", "gov porn", "suck my nips", "reimer suspect", "jeffrey reimer", "dod", "department of defense", "show", "date checked", "url hostname", "server response", "google safe", "results may", "entries http", "scans record", "value status", "sabey type", "merits fake", "y.a.s.", "pornography", "ramsom" ], "references": [ "https://www.meritshealth.com/ Defense.Gov Mobility Co? ", "zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67", "https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf", "https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf", "https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html", "https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com", "https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/", "https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp", "https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg", "https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)", "https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members", "https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210", "https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex", "https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf", "https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo", "https://meumundogay-com.sexogratis.page/locker", "https://es.pornhat.com/models/the-sex-creator/", "Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA", "Can the DoD no questions asked target a SA victim", "Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.", "There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise", "socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov", "There is fear in silence or speaking out", "Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.", "3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?", "If someone is believed to be a threat they have right to due process.", "Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.", "She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.", "Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.", "Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.", "ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot", "iamrobert.com Y.A.S.", "1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam", "Target agreed and complied with all lie detector measures.", "Is the family allowed to have a funeral for Tsara or print an obituary", "No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.", "I am very upset. Whoever is doing this is sick." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "TA0042", "name": "Resource Development", "display_name": "TA0042 - Resource Development" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1562.008", "name": "Disable Cloud Logs", "display_name": "T1562.008 - Disable Cloud Logs" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1180", "name": "Screensaver", "display_name": "T1180 - Screensaver" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1328, "URL": 9931, "hostname": 2621, "FileHash-MD5": 381, "FileHash-SHA256": 4360, "FileHash-SHA1": 338, "CIDR": 4, "SSLCertFingerprint": 24, "CVE": 1, "email": 1 }, "indicator_count": 18989, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "102 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692a86b454eea18b993a2078", "name": "DC RAT Injection | Endgame Systems | Lazarus Group related", "description": "Monitoring. MITRE ATT&CK (T1057) Monitored target/s. DNS requests. Property discovery \n\nRelated to Lazarus Groups expansion", "modified": "2025-12-29T03:02:56.986000", "created": "2025-11-29T05:37:56.021000", "tags": [ "ukraine", "win32", "dynamicloader", "ssl cert", "write c", "asyncrat", "various rat", "dcrat", "write", "guard", "malware", "all ipv4", "ukraine asn", "dns resolutions", "domains top", "level", "read c", "memcommit", "user execution", "delete", "msie", "windows nt", "dock", "execution", "masking", "yara rule", "high", "windows", "msvisualcpp60", "process", "intel", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "access att", "t1566 phishing", "flag", "ukraine ukraine", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "dynu", "mitre att", "ck matrix", "ascii text", "pattern match", "network traffic", "t1071", "t1057", "general", "local", "path", "beginstring", "segoe ui", "null", "refresh", "body", "click", "strings", "error", "tools", "title", "look", "verify", "restart" ], "references": [ "https://hybrid-analysis.com/sample/64e591d43f920a5194806bba9da40e0344db5333cd773da4df4f27259222529d/692a7e373e637b291e0a0957", "Statutory Masking Enabled - a domain registrar is hiding the public contact information for a domains", "registrant in its WHOIS record, often due to regulations like GDPR or ICANN policies.", "MITRE ATT&CK (T1057) Monitoring Target/s. Can be reviewed in Hybrid-Analysis sample." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/AmsiTamper.B", "display_name": "ALF:HeraklezEval:Trojan:Win32/AmsiTamper.B", "target": null }, { "id": "Win.Trojan.DcRat-10039889-0", "display_name": "Win.Trojan.DcRat-10039889-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "TA0039", "name": "Remote Service Effects", "display_name": "TA0039 - Remote Service Effects" }, { "id": "TA0038", "name": "Network Effects", "display_name": "TA0038 - Network Effects" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 482, "URL": 819, "FileHash-SHA256": 274, "domain": 102, "email": 1, "FileHash-MD5": 73, "FileHash-SHA1": 65, "SSLCertFingerprint": 1 }, "indicator_count": 1817, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "111 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eea19a23474b8c7dca351f", "name": "All Items - find from the UA archive disk", "description": "Again have zero idea 'what these are' - just uploading from the 'archives' as I sort through things", "modified": "2025-12-24T08:28:47.628000", "created": "2024-03-11T06:15:54.351000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1165, "hostname": 866, "URL": 657, "FileHash-SHA256": 26, "email": 337, "FileHash-MD5": 12, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 3072, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "116 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6920c43c3772bb24f26f70cc", "name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun", "description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.", "modified": "2025-12-21T18:01:07.268000", "created": "2025-11-21T19:57:48.145000", "tags": [ "dynamicloader", "write c", "write", "high", "yara rule", "myapp", "delphi", "worm", "win32", "error", "code", "malware", "defender", "medium", "binary file", "heavensgate", "bochs", "dynamic", "td td", "td tr", "united", "a td", "a domains", "dynamic dns", "static dns", "dd wrt", "twitter", "trojan", "trojandropper", "null", "enough", "simple", "click", "easy", "premium", "associated urls", "server response", "google safe", "results nov", "avast avg", "11.21.2025", "11.20.2025", "borland delphi", "pe32", "intel", "ms windows", "inno setup", "win32 exe", "pecompact", "delphi generic", "pe32 compiler", "dark comet", "dark gate", "glassworm", "md5 code", "data", "porkbun llc", "windows match", "getprocaddress", "peb idrdata", "match peb", "t1547", "t1059 t1112", "shared modules", "t1129", "boot", "logon autostart", "execu", "t1134 boot", "encoding", "capture e1113", "file attributes", "analysis ob0001", "b0001 software", "virtual machine", "detection b0009", "analysis ob0002", "ob0003 screen", "windows get", "check", "encode", "check internet", "wininet set", "clear file", "enumerate gui", "get hostname", "get keyboard", "set registry", "find", "capture", "url http", "consolefoundry", "console foundry", "foundry", "malware catalog tree", "autorun keys", "modification", "alexander karp", "peter theil", "christoper ahmann", "christopher pool", "mercedes", "apple", "palantir", "adversarial", "adversaries", "hostile", "quasi", "empty hash", "denver", "mal_xred_backdoor", "backdoor", "xred", "brian sabey", "first-send-petikvx", "stop", "glassworm", "elex", "darkgate", "dark-comet", "search", "entries", "show", "yara detections", "icmp traffic", "rtf file", "top source", "top destination", "format", "host", "copy", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "access att", "font", "copy md5", "copy sha1", "copy sha256", "sha1", "ascii text", "pattern match", "sha256", "mitre att", "title", "meta", "hybrid", "local", "path", "strings", "body", "contact", "trace", "form", "bitcoin", "core", "jeffrey reimer", "exe infection", "cve", "porn" ], "references": [ "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "Alerts: packer_unknown", "Malicious IP Contacted: 69.42.215.252", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "http://freedns.afraid.org/images/apple.gif", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.mumuplayer.com/redirect/customerservice/_wig", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://consolefoundry.date/one/gate.php", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453", "display_name": "Win.Trojan.Emotet-9850453", "target": null }, { "id": "Win.Trojan.BlackNetRAT-7838854-0", "display_name": "Win.Trojan.BlackNetRAT-7838854-0", "target": null }, { "id": "Win.Dropper.Nanocore-10021490-0", "display_name": "Win.Dropper.Nanocore-10021490-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Packed.Remcos-10024510-0", "display_name": "Win.Packed.Remcos-10024510-0", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "PSW:Win32/VB.CU", "display_name": "PSW:Win32/VB.CU", "target": "/malware/PSW:Win32/VB.CU" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1541", "name": "Foreground Persistence", "display_name": "T1541 - Foreground Persistence" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 460, "FileHash-SHA1": 437, "FileHash-SHA256": 4483, "SSLCertFingerprint": 2, "URL": 6487, "hostname": 1772, "domain": 652, "CVE": 3, "email": 5 }, "indicator_count": 14301, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "119 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6919473b9e0624394e9b68e9", "name": "Backdoor:Linux/DemonBot Affecting Unsecured servers", "description": "A closer look at a hacker group found in Mirai Bot Network. Catgirls is still active , has running web server , is only viewable to group according to remarks regarding \u2018catgirls\u2019 domains , sub domains , hosts.\n\n Multiple hosts , name servers and links. .Backdoor:Linux/DemonBot Malicious attacks affecting unsecured servers (personal , business) networks, DDOS attacks , Mitre. Worm, Ransomware. \n\nHacker group has seemingly caused a fair ammunition of damage to small businesses and / or individuals/civil society.. Seen in attacks against handful of targets are in this Mirai Botnet. Of course we know how very large the Mirai Botnet is.", "modified": "2025-12-16T03:02:09.743000", "created": "2025-11-16T03:38:35.430000", "tags": [ "server", "algorithm", "x509v3 subject", "registrar abuse", "v3 serial", "spaceship", "community", "related pulses", "cidr", "mirai botnet", "hacker", "mirai att", "ck id", "group", "active", "generic pong", "reporting arch", "msie", "windows nt", "resolverror", "backdoor", "malware", "strings", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "spawns", "evasion att", "t1480 execution", "ipv4", "iocs", "drop", "review iocs", "found", "ascii text", "pattern match", "mitre att", "beginstring", "null", "refresh", "span", "hybrid", "click", "error", "tools", "look", "verify", "restart", "united", "moved", "passive dns", "urls", "record value", "unknown aaaa", "gmt content", "title", "cookie", "signing defense", "t1553 technique", "subvert trust", "controls learn", "disable", "modify tools", "defense evasion", "t1562 technique", "rdap", "domain database", "dap domain", "datab", "database", "array", "content", "ascii", "form", "initial access", "execution", "present aug", "present jul", "present nov", "present oct", "ip address", "command decode", "suricata ipv4", "localappdata", "windir", "openurl c", "programfiles", "edge", "cloudflare", "ssl certificate", "size", "starfield", "accept", "path", "general", "local", "hostname add", "pulse pulses", "read c", "port", "destination", "rgba", "unicode text", "medium", "unknown", "code", "write", "pecompact", "packer", "delphi", "win32", "persistence", "crash", "next", "china unknown", "chrome", "internal server", "next associated", "ipv4 add", "trojandropper", "date", "domain", "search", "domain add", "certificate", "next http", "scans show", "found title", "head body", "hostname", "files", "files ip", "address", "location united", "asn asnone", "present feb", "present jun", "unknown ns", "internet", "emails", "present sep", "show", "memcommit", "gapd5d", "key0", "packing t1045", "filehash", "sha1 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "mirai", "json", "total", "delete", "win64", "url http", "http", "related nids", "files location", "flag united", "gmt cache", "pulse submit", "url analysis", "verdict", "win32dh", "reverse dns", "america flag", "worm", "warehouse mgmt", "built", "retailexperts", "read", "top source", "top destination", "aaaa", "ransom", "trojan", "entries", "singapore", "singapore asn", "as16509", "present mar", "creation date", "contacted", "hostile", "targeting", "whitelisted", "high", "systemroot", "as15169", "copy", "global", "dynamicloader", "directui", "yara rule", "element", "classinfobase", "ccbase", "hwndhost", "windows" ], "references": [ "http://catgirls.foundation/main \u2022 https://spaceship.com/", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/68e72a3b96eaf61daf0eb13f", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/691924001d6dc4fa2d04d0b2", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/691924001d6dc4fa2d04d0b2" ], "public": 1, "adversary": "Mirai", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "PSW.Sinowal.X", "display_name": "PSW.Sinowal.X", "target": null }, { "id": "mirai", "display_name": "mirai", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "Worm:Win32/Locksky.gen!A", "display_name": "Worm:Win32/Locksky.gen!A", "target": "/malware/Worm:Win32/Locksky.gen!A" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1991, "domain": 428, "hostname": 882, "FileHash-SHA256": 2213, "FileHash-MD5": 675, "FileHash-SHA1": 530, "email": 7, "CIDR": 1, "CVE": 1, "SSLCertFingerprint": 23 }, "indicator_count": 6751, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fd0cc422cea2fd989581fd", "name": "LevelBlue - Open Threat Exchange (Malicious Attacks)", "description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.", "modified": "2025-11-24T17:02:12.441000", "created": "2025-10-25T17:45:40.291000", "tags": [ "ipv4", "levelblue", "open threat", "date sat", "connection", "etag w", "cloudfront", "sameorigin age", "vary", "ip address", "kb body", "gtmkvjvztk", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "learn", "exchange og", "levelblue open", "threat exchange", "exchange", "google tag", "iocs", "search otx", "included iocs", "review iocs", "data upload", "extraction", "layer protocol", "v full", "reports v", "port t1571", "t1573", "oc0006 http", "c0014", "get http", "dns resolutions", "user", "data", "datacrashpad", "edge", "tag manager", "us er", "help files", "shell", "html", "cve202323397", "iframe tags", "community score", "url http", "url https", "united", "united kingdom", "netherlands", "search", "type indicator", "role title", "added active", "related pulses", "indicator role", "title added", "active related", "otc oct", "report spam", "week ago", "scan", "learn more", "filehashmd5", "filehashsha1", "domain", "australia", "does", "josh", "created", "filehashsha256", "present jul", "present oct", "date", "a domains", "script urls", "for privacy", "moved", "script domains", "meta", "title", "body", "pragma", "encrypt", "ck ids", "t1060", "run keys", "startup", "folder", "t1027", "files", "information", "t1055", "injection", "capture", "south korea", "malaysia", "pulses", "fatal error", "hacker known", "name", "unknown", "risk", "weeks ago", "scary", "sova", "colorado", "wire", "name unknown", "thursday", "denver", "types of", "indicators hong", "kong", "tsara brashears", "african", "ethiopia", "b8reactjs", "india", "america", "x ua", "hostname", "dicator role", "pulses url", "airplane", "icator role", "t1432", "access contact", "list", "t1525", "image", "security scan", "heuristic oct", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1114", "t1480", "internal image", "brian sabey", "month ago", "modified", "days ago", "green well", "sabey stash", "service", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sova", "display_name": "Sova", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 956, "FileHash-SHA1": 906, "FileHash-SHA256": 2651, "URL": 4450, "domain": 708, "hostname": 2403, "CVE": 1, "email": 5 }, "indicator_count": 12080, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f7ced2cf17d264b49628bc", "name": "NIDS - Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information", "description": "Multiple malware\u2019s targeting Dropbox & Ebay accounts. Referenced in earlier pukses. Further investigation shows link found in apps on multiple Apple devices. Afraid. Org still running & wreaking havoc globally. Currently targets a Music studio in Clear Creek County Co. The signal bounces from Fire station directly to studio gaining full access to everything.\n\nI am very disappointed with the abuses in f the Palantir , Gotham , Foundry products being abused by law firms and Private Investigators.\nIt is very destructive, causing loss, these firms are literally stealing and making money with other people\u2019s intellectual property and tough luck on the actual inventor, artist, writer because they even steal , cancel your insurance or back accounts leaving you unable to make a claim. \n\nGreat discretion should be used to qualify for these tools used to track, terrorize and access private information as well as tarnish the names of civilians , family ,businesses, stalking tracking known location.", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T18:20:02.120000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f80c6bcd3fff3a4f126a68", "name": "Sventore \u2022 Agent Tesla Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information ", "description": "", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T22:42:51.657000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": "68f7ced2cf17d264b49628bc", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f5cfa9b74d6faa43eb6585", "name": "Indicator Removal service affecting Threat Hunters | Brian Sabey", "description": "Indicator removal used by M. Brian Sabey to for the purpose of attacking networks and removing malicious indicators related to entities and attacks deployed by & Co. Impacts: Threat hunting services. * Worm:Win32/AutoRun.XXY!bit (Emotet and Neshta relationship).\nThere are many other malicious indicators.\n\n* foundryvttcasero.roleros.cl", "modified": "2025-11-19T05:02:39.961000", "created": "2025-10-20T05:59:04.173000", "tags": [ "url https", "url http", "hostname", "b9sdwan", "b9 no", "united", "passive dns", "ipv4 add", "urls", "location united", "america flag", "san jose", "trojan", "canada unknown", "hostname add", "url analysis", "http", "ip address", "related nids", "path", "america asn", "as4983 intel", "canada", "gmt p3p", "cp noi", "adm dev", "psai com", "unknown ns", "united states", "twitter", "url add", "files location", "flag united", "status", "emails", "servers", "mtb aug", "win32", "invalid url", "lowfi", "body html", "head title", "files", "files ip", "filehashmd5", "iocs", "type indicator", "role title", "related pulses", "dynamicloader", "directui", "write c", "element", "classinfobase", "forbidden", "write", "high", "worm", "delphi", "guard", "error", "vmprotect", "malware", "defender", "suspicious", "port", "read c", "destination", "crlf line", "rgba", "unicode", "png image", "td td", "td tr", "a td", "dynamic dns", "search", "arial", "trojandropper", "null", "enough", "hosts", "fast", "afraid", "a domains", "welcome", "ok server", "gmt content", "present sep", "unknown soa", "unknown cname", "present oct", "present aug", "event rocket", "title", "cookie", "encrypt", "sabey type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1434, "URL": 3982, "FileHash-MD5": 391, "FileHash-SHA1": 309, "FileHash-SHA256": 1525, "domain": 758, "email": 10, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 8413, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f80aa152fdd795fa008e2e", "name": "Small & Comisproc Indicator Removal service Affects Threat Hunter Sevices", "description": "", "modified": "2025-11-19T05:02:39.961000", "created": "2025-10-21T22:35:13.128000", "tags": [ "url https", "url http", "hostname", "b9sdwan", "b9 no", "united", "passive dns", "ipv4 add", "urls", "location united", "america flag", "san jose", "trojan", "canada unknown", "hostname add", "url analysis", "http", "ip address", "related nids", "path", "america asn", "as4983 intel", "canada", "gmt p3p", "cp noi", "adm dev", "psai com", "unknown ns", "united states", "twitter", "url add", "files location", "flag united", "status", "emails", "servers", "mtb aug", "win32", "invalid url", "lowfi", "body html", "head title", "files", "files ip", "filehashmd5", "iocs", "type indicator", "role title", "related pulses", "dynamicloader", "directui", "write c", "element", "classinfobase", "forbidden", "write", "high", "worm", "delphi", "guard", "error", "vmprotect", "malware", "defender", "suspicious", "port", "read c", "destination", "crlf line", "rgba", "unicode", "png image", "td td", "td tr", "a td", "dynamic dns", "search", "arial", "trojandropper", "null", "enough", "hosts", "fast", "afraid", "a domains", "welcome", "ok server", "gmt content", "present sep", "unknown soa", "unknown cname", "present oct", "present aug", "event rocket", "title", "cookie", "encrypt", "sabey type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": "68f5cfa9b74d6faa43eb6585", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1434, "URL": 3982, "FileHash-MD5": 391, "FileHash-SHA1": 309, "FileHash-SHA256": 1525, "domain": 758, "email": 10, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 8413, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68edc1c2be848e73a32ab9ba", "name": "Fatal Error - Hacker Known \u2022 Name Unknown | Lives @ risk", "description": "I am connected to targeteds phone. My location is autonomous _ will show up in Colorado most likely. \n\nScary, this weekend a woman dressed like a peasant somehow managed to give me a letter past Thursday with information about a death in the 11th floor of an Apartment in Denver. The Sova. Alleged drug overdose may have actually been a homicide, I sound & feel crazy, there were names inside , emails , plans for Airplane attacks affecting civilians this month. I couldn\u2019t, wouldn\u2019t create this. Apparently UK born citizens sponsored by a Google hierarchy were able to weave their way into the lives a family member & Tsara Brashears . These are white males, anlso involved are citizens from African, Ethiopia, India and America deeply involved. They used fake names and I have said too much. If there is an helpful person on here please help!!! There\nis worse and it might be legal hits to insight money for war!\n#nso_related", "modified": "2025-11-13T02:02:12.454000", "created": "2025-10-14T03:21:38.305000", "tags": [ "pulses ipv4", "ipv4", "div div", "united", "script script", "a li", "present jul", "param", "entries", "present aug", "certificate", "global domains", "date", "title", "class", "meta", "agent", "stack", "life", "a domains", "passive dns", "urls", "ok server", "gmt content", "type", "hostname add", "pulse pulses", "files", "win32mydoom oct", "trojan", "next associated", "pulse", "reverse dns", "twitter", "body", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "yara rule", "ff d5", "ascii text", "f0 ff", "eb e1", "unknown", "copy", "write", "malware", "push", "next", "autorun", "suspicious", "ip address", "unknown ns", "unknown aaaa", "ipv4 add", "location united", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "ck id", "show technique", "mitre att", "path", "error", "fatalerror", "general", "hybrid", "local", "click", "strings", "filehashsha256", "filehashmd5", "filehashsha1", "iist", "malware family", "mydoom att", "ck ids", "t1060", "run keys", "indicator role", "title added", "active related", "showing", "url https", "url http", "startup", "folder", "web protocols", "t1105", "tool transfer", "indicators hong", "kong", "china", "germany", "australia", "search", "type indicator", "role title", "added active", "related pulses", "wire", "t1071" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2724, "hostname": 1212, "domain": 410, "FileHash-MD5": 408, "email": 9, "FileHash-SHA256": 604, "FileHash-SHA1": 307 }, "indicator_count": 5674, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68e2ca40b12d7f02af896284", "name": "Exploit Kit - 77.67.27.35 Isolated", "description": "Information hastily gathered. IP 77.67.27.35\nbelongs to a server or device, WHOIS lookup indicates domain name cloud.com, owned by P.O. Box 412, 1043 CD, Amsterdam, Noord-Holland, NL | Summary ; ASN, AS3257 GTT Communications Inc. ; BGP, 77.67.0.0/17 ; IPs | BGP Looking Glass for AS3257 / GTT Communications Inc. | http.net - IP Transit Provider | Global Services - GTT | http://www.gtt.net Company Looking Glass: http://www.as3257.net/lg/ Info from single malicious file :Win32/Heur\n, \nTrojan.Crypted-29\nIDS Detections\nET POLICY Unsupported/Fake Windows NT Version 5.0\nET TROJAN Trojan/W32.KRBanker.60928.C Checkin\nYara Detections\nNone\nAlerts:\n\u2022 infostealer_browser\n\u2022 bypass_firewall\n\u2022 persistence_autorun\n\u2022 network_bind\n\u2022 network_http\n\u2022 packer_entropy\n- IP\u2019s Contacted :\n8.8.8.8 ,\n\n77.67.27.35 ,\n\n59.13.211.166 ,\n\n118.99.41.30 ,\nDomains Contacted :\nr.qzone.qq.com", "modified": "2025-11-04T19:02:34.015000", "created": "2025-10-05T19:42:56.097000", "tags": [ "win32dh", "mxigd4et", "united", "passive dns", "entries", "next associated", "present oct", "win32virut feb", "all ipv4", "pulse pulses", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "command", "found", "evasion att", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "ascii text", "pattern match", "mitre att", "show technique", "null", "refresh", "body", "span", "hybrid", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "information", "whois", "amsterdam", "noordholland", "summary", "as3257 gtt", "bgp looking", "glass", "as3257", "ip transit", "global", "jfif", "clsid", "jpeg image", "windows nt", "gif image", "msie", "rgba", "utf8 unicode", "malware", "copy", "write", "next", "handle", "address range", "cidr", "network name", "allocation type", "assigned pa", "status", "whois server", "ripe ncc", "ripe network" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Korea, Republic of", "Hong Kong" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Telecom" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 195, "FileHash-SHA1": 106, "FileHash-SHA256": 254, "URL": 603, "hostname": 256, "domain": 74, "CIDR": 3, "email": 2 }, "indicator_count": 1493, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "166 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68e2b9fd811ffc6684ba25f7", "name": "Isolated DoD now DoW nodes - emotional commentary", "description": "*https://www.sentient.industries/\n*trk.b.jackrogersusa.com\n*http://trk.southerntide.com/\nOTX is auto populating this pulse. Let\u2019s see\u2026", "modified": "2025-11-04T18:01:18.650000", "created": "2025-10-05T18:33:33.277000", "tags": [ "united", "present feb", "present may", "aaaa", "present jul", "passive dns", "ip address", "present dec", "present sep", "present jun", "url https", "url http", "type indicator", "role title", "added active", "related pulses", "germany", "taiwan", "netherlands", "china", "search", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "ascii text", "size", "pattern match", "mitre att", "ck id", "null", "refresh", "body", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "filehashmd5", "hostname", "filehashsha256", "types of", "indicator role", "title added", "active related", "pulses url", "ruby", "jeffrey reimer", "target", "tsara", "information", "capture", "gather victim", "report spam", "kill targets", "created", "starfield", "show technique", "date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1180", "name": "Screensaver", "display_name": "T1180 - Screensaver" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1333, "domain": 355, "URL": 5874, "hostname": 1066, "FileHash-SHA1": 101, "FileHash-MD5": 88, "SSLCertFingerprint": 2 }, "indicator_count": 8819, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "166 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6608aaf7ca0e965e593ed1d4", "name": "MUI programu Microsoft Office Access (w j\u0119zyku angielskim) zosta\u0142o u\u017cyte do wys\u0142ania z\u0142o\u015bliwego oprogramowania na serwer w Czechach jest to pierwszy tego typu atak na komputer. e", "description": "A look back at some of the key words and phrases used to describe the situation in Italy, as \"probacja\" (or \"democrata), as they were translated into English.", "modified": "2025-10-17T11:03:07.034000", "created": "2024-03-31T00:14:47.183000", "tags": [ "sha256", "ssdeep", "reputacja", "tworzy pliki", "informacje", "bardzo duga", "tworzy", "adresy url", "tworzy katalog", "win64", "ameryki", "typ pliku", "serwer nazw", "san jose", "adres", "digital", "data wyganicia", "csc corporate", "domains", "ca data", "data utworzenia", "dnssec" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6432, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2140, "hostname": 5874, "FileHash-SHA256": 12539, "FileHash-MD5": 3686, "FileHash-SHA1": 2751, "IPv4": 503, "URL": 10770, "email": 26, "CVE": 88, "YARA": 6, "JA3": 2, "IPv6": 28, "SSLCertFingerprint": 5, "BitcoinAddress": 3, "CIDR": 1 }, "indicator_count": 38422, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68beb866c8ed898ed0ece438", "name": "BlackieVirus . Expanded- Apple", "description": "", "modified": "2025-10-08T10:00:30.227000", "created": "2025-09-08T11:05:10.064000", "tags": [ "present may", "present apr", "unknown ns", "present sep", "unknown aaaa", "present jun", "present dec", "passive dns", "ip address", "virtool", "win32cve sep", "trojan", "mtb sep", "ipv4", "urls", "trojanspy", "united states", "dynamicloader", "ms windows", "observed dns", "query", "windows nt", "wow64", "khtml", "gecko", "pe32", "write", "media", "malware", "suspicious", "learn", "ck id", "name tactics", "informative", "command", "defense evasion", "adversaries", "spawns", "t1204 user", "mitre att", "ck matrix", "null", "error", "click", "general", "local", "path", "strings", "refresh", "tools", "meta", "onload", "span", "apple", "entries", "write c", "defender", "tencent", "hostname add", "pulse submit", "url analysis", "present jul", "present mar", "present oct", "saudi arabia", "united", "present feb", "creation date", "search", "title", "date", "botnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "Win.Trojan.Filerepmalware-10008115-0", "display_name": "Win.Trojan.Filerepmalware-10008115-0", "target": null }, { "id": "ALF:HeraklezEval:Ransom:Win32/CVE", "display_name": "ALF:HeraklezEval:Ransom:Win32/CVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 951, "hostname": 1766, "URL": 4969, "FileHash-MD5": 337, "FileHash-SHA1": 317, "FileHash-SHA256": 4296, "CVE": 1, "SSLCertFingerprint": 1, "email": 1 }, "indicator_count": 12639, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68be65e95645ef1a6c8a898d", "name": "Apple affected by Tofsee at least 4 remote devices. DEAD Apple products", "description": "Such a hacked device. Victims phone remotely accessed the night it was purchased. A man wearing a jammer/ deauth watch was part of an aggressive caravan of followers. Will repost related pulse. \n South Africa became customer service once again for every external service called. Target was aware. \n\nIt must be nice to SA someone, and have a racist mafia of silencers behind because the corporation didn\u2019t want bad press and the Sheriff was friends with the MD who threatened victim with future retaliation.\n\nNo one helps because this is obviously abuse by law enforcement. He is the victim. She simply suffered from life threatening injuries until the end. This should be illegal. Denied justice, representation, medical care, emergency care of any kind, diagnos3s and followed and monitored 24/7.", "modified": "2025-10-08T04:04:41.943000", "created": "2025-09-08T05:13:13.781000", "tags": [ "mtb oct", "trojandropper", "avast avg", "backdoor", "trojan", "ubuntu", "passive dns", "federation flag", "asn as49505", "dns resolutions", "domains top", "level", "unique tlds", "dynamicloader", "high", "medium", "port", "delete c", "windows", "displayname", "tofsee", "grum", "stream", "powershell", "write", "malware", "hostile", "misa", "ipv4 add", "urls", "files", "learn", "ck id", "name tactics", "suspicious", "informative", "found", "command", "defense evasion", "adversaries", "spawns", "united", "orc5", "flag", "rhur3d", "title", "click", "strings", "refresh", "aids", "dzan", "sumo", "miny", "judi", "pattern match", "mitre att", "show technique", "ck matrix", "ascii text", "show process", "hybrid", "general", "local", "path", "t1480 execution", "null", "span", "error", "tools", "look", "verify", "restart", "domain secure", "windows nt", "ogoogle trust", "zerossl ecc", "site ca0x1ex17r", "win64", "unknown", "encrypt", "search", "entries", "destination", "push", "next", "apple", "moved", "gmt content", "type", "content length", "ipv4", "date", "handle", "address range", "cidr", "network name", "allocation type", "assigned pi", "status", "whois server", "entity ipripe", "apnic", "url add", "http", "hostname", "files domain", "files related", "related tags", "ip address", "related nids", "files location", "flag united", "unknown ns", "name servers", "creation date", "emails", "pulse pulses", "pulses none", "none google", "safe browsing", "external", "location united", "asn as714", "less whois", "registrar", "ios", "iphone", "ipad", "australia", "dead host" ], "references": [ "https://idmsa.apple.com/ \u2022 account.apple.com \u2022 appleid.apple.com \u2022 http://www.apple.com/filenotfound", "https://176.113.115.136/ohhiiiii/", "https://appleid.apple.com/cgi-bin/WebObjects/MyAppleIdCVE", "https://ipadaustralia.com/mim/93tkkjy9zc9fv796398p4e8425id90u4u727g7094724c0a9i8", "palantir-staging.staging.candidate.app.paulsjob.ai", "pornhub.com\t \u2022 www.pornhub.com", "appleaustralia.com", "https://hybrid-analysis.com/sample/a871c76756ddf6d18d728b668d011e9d04e9db9c79734450a562f1f4b6ba2cdc/68be456cd90e6cbdf30d2afb", "https://hybrid-analysis.com/sample/35dce2c9c408e751622991b0655871f35ab97106fa87c233dfa2b135b4014df4/68be451808aeabd5cc0e9e85" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Muldrop", "display_name": "Muldrop", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1273, "FileHash-MD5": 347, "domain": 606, "hostname": 778, "FileHash-SHA256": 2724, "FileHash-SHA1": 322, "email": 9, "SSLCertFingerprint": 14, "CIDR": 3 }, "indicator_count": 6076, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68aff672de7f1b65a97c00b1", "name": "WarzoneRAT impacts Social Media of users with compromised systems", "description": "Injection affects compromised user/s social media accounts including YouTube. Uploads to social media accounts from infected systems divert to adversary\u2019s alt YouTube media center labeled \u2018watch\u2019 instead of YouTube . Remote access observed. Threat actor has full access , cnc , devices, personal information, images, contacts, network, private information including all financial information. \n \nAlt / adversarial Pinterest, Tumblr, YouTube, Facebook, Twitter / X, Instagram , LinkedIn", "modified": "2025-09-27T05:00:09.125000", "created": "2025-08-28T06:25:54.794000", "tags": [ "d10927", "mp41", "mp41 connection", "r connection", "ip address", "dynamicloader", "write c", "globalc", "medium", "high", "write", "dll read", "trojan", "delphi", "win32", "dialer", "tracking", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "t1590 gather", "mitre att", "ck matrix", "null", "click", "title", "span", "meta", "general", "local", "path", "strings", "refresh", "tools", "virgin islands", "united", "unknown ns", "a domains", "montserrat", "passive dns", "ipv4", "urls", "files", "hosting", "trojandropper", "location virgin", "msie", "windows nt", "wow64", "slcc2", "media center", "item", "has description", "unknown", "explorer", "error", "powershell", "yara rule", "windows", "t1055", "warzonerat", "avemaria", "virtool", "netwire", "malware", "hostile", "autoit", "defender", "date", "bq aug", "next associated", "ipv4 add", "resolved ips", "get http", "request", "win64", "khtml", "gecko", "resolutions", "number", "ja3s", "algorithm", "cnr12 cus", "cname", "accept", "port", "gmt ifnonematch", "screenshots no", "involved dns", "name response", "nxdomain", "tcp connections", "involved direct", "country name", "moved", "alone email", "body doctype", "gmt server", "content type", "service privacy", "cve" ], "references": [ "http://remote.edikamin.com/", "http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C", "http://deposito.hostance.net/dialer/", "Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT", "Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net", "DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net", "Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1", "simswap.in (possible Mirai or relationship to)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Virgin Islands, British" ], "malware_families": [ { "id": "Trojan:Win32/Diamin.F", "display_name": "Trojan:Win32/Diamin.F", "target": "/malware/Trojan:Win32/Diamin.F" }, { "id": "Dialer", "display_name": "Dialer", "target": null }, { "id": "Win32:CabMod\\ [Drp]", "display_name": "Win32:CabMod\\ [Drp]", "target": null }, { "id": "TrojanDropper:Win32/Hupigon.gen!A", "display_name": "TrojanDropper:Win32/Hupigon.gen!A", "target": "/malware/TrojanDropper:Win32/Hupigon.gen!A" }, { "id": "ALF:HeraklezEval:PUA:Win32/Keygen", "display_name": "ALF:HeraklezEval:PUA:Win32/Keygen", "target": null }, { "id": "Trojan:Win32/Startpage.AEA", "display_name": "Trojan:Win32/Startpage.AEA", "target": "/malware/Trojan:Win32/Startpage.AEA" }, { "id": "Banload", "display_name": "Banload", "target": null }, { "id": "TrojanDownloader:Win32/Banload.D", "display_name": "TrojanDownloader:Win32/Banload.D", "target": "/malware/TrojanDownloader:Win32/Banload.D" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "!#AddsCopy-ToStartup", "display_name": "!#AddsCopy-ToStartup", "target": null }, { "id": "VirTool:Win32/AutInject.CZ!bit", "display_name": "VirTool:Win32/AutInject.CZ!bit", "target": "/malware/VirTool:Win32/AutInject.CZ!bit" }, { "id": "Win.Trojan.Agent-316098", "display_name": "Win.Trojan.Agent-316098", "target": null }, { "id": "virtool:Win32/Injector.gen!BQ", "display_name": "virtool:Win32/Injector.gen!BQ", "target": "/malware/virtool:Win32/Injector.gen!BQ" }, { "id": "WarzoneRAT - S0670", "display_name": "WarzoneRAT - S0670", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [ "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4194, "hostname": 1563, "FileHash-SHA256": 2494, "domain": 624, "FileHash-MD5": 274, "FileHash-SHA1": 226, "email": 1, "CVE": 1 }, "indicator_count": 9377, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "204 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68a23eef53f1124e8dc273fc", "name": "Sign in to your account - Anorocuriv", "description": "Short link sent to an iPhone user possibly by accident or maybe not. Unraveled :[https://ns4.whichkill.net/]\n[https://l.us-1.a.mimecastprotect.com/l]\n[https://api-glintstage.glintinc.com/api/client/tiaa/token/saml2/consume/includeDeskLink]\n\n[https://api.glintinc.com/api/client/tiaa/token/saml2/consume/includeDeskLink]\t\n\n*api.us1.glintinc.com #malta\n*ALF:Trojan:Win32/Anorocuriv.A.#virtool #LowFI:HookwowLow \n#tracking #tiaa #locate recording #userpics #movies #audio #screen #mobile_assets #https://biccerija.gov.mt/en/contact/", "modified": "2025-09-16T20:00:00.565000", "created": "2025-08-17T20:43:27.502000", "tags": [ "url http", "url https", "search", "type indicator", "role title", "added active", "related pulses", "showing", "entries", "status", "msie", "chrome", "passive dns", "urls", "date", "pulse pulses", "files", "domain", "files ip", "body", "http", "hostname", "files domain", "present jan", "present dec", "united", "present aug", "present jun", "unknown aaaa", "present mar", "present may", "present feb", "present jul", "error", "a domains", "gmt content", "accept encoding", "config nocache", "hostname add", "pulse submit", "content type", "certificate", "ip address", "cookie", "mita", "next associated", "please", "x msedge", "ipv4 add", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "signing defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "size", "pattern match", "mitre att", "ascii text", "null", "click", "august", "hybrid", "general", "local", "path", "strings", "refresh", "tools", "meta", "onload", "span", "adversaries", "ssl certificate", "logo", "av detection", "default browser", "guest system", "professional", "falcon sandbox", "response risk", "ck techniques", "detection", "show process", "prefetch8", "windows nt", "win64", "khtml", "gecko", "post collect", "microsoft edge", "nota", "brand", "class", "facebook", "ascii", "hex dump", "extraction", "failed", "data upload", "pul data", "enter", "s data", "type", "extr error", "href", "mask", "extra", "uta support", "include review", "exclude sugges", "find", "wow64", "show", "observed dns", "query", "unknown", "virtool", "copy", "write", "defender", "expiro", "malware", "next", "lowfi", "hookwowlow dec", "mtb jan", "mtb nov", "hookwowlow nov", "trojan", "trojandropper", "http request", "delete", "yara detections", "pe exe", "dll windows", "minimal http", "february", "guard", "alerts", "analysis date", "file score", "detections alf", "detections http", "http executable", "retrieved", "location united", "america flag", "america asn", "urls show", "date checked", "url hostname", "server response" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 853, "hostname": 1835, "URL": 7127, "email": 3, "FileHash-SHA256": 1470, "FileHash-MD5": 293, "FileHash-SHA1": 284, "SSLCertFingerprint": 426, "CVE": 1 }, "indicator_count": 12292, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "215 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68a0cb6a89a10d13623a0018", "name": "Medicaid Mirai Botnet | United Healthcare Mirai Botnet", "description": "https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll. Medicaid Botnet work managed by Lumen Technologies as part of a massive silencing campaign. |\n\nPhone calls routed since forces and investigated disclosures of several attack resulting in great bodily harm and life threatening, ending injuries.\nThis campaign date has one start date 11/13/2013.\n#missed assaults internal investigated 10/08/2013 -11/31/ 2013.\nI\u2019m sure other targets are impacted . This stems from targets personal , documented experiences. \nFormerly k/a Century Link was confronted by associate of targets when a plain clothed male entered targets yard in 11/ 2013, told their box controlled entire neighborhood. Continuously accessed properties. \n\n\n\n#rip #lumen #botnet #fencing #malware #silencing #civil_liberties # monitored_target #remote #corruption #privacy_abuse #centurylink", "modified": "2025-09-15T16:04:47.043000", "created": "2025-08-16T18:18:18.657000", "tags": [ "url https", "search", "type indicator", "role title", "added active", "related pulses", "entries", "httponly", "samesitelax", "read c", "medium", "rgba", "unicode", "port", "memcommit", "delete", "next", "dock", "write", "execution", "present aug", "united", "ip address", "name servers", "unknown ns", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "pattern match", "show technique", "ck matrix", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "href", "size", "t1480 execution", "file defense", "ascii text", "trojan", "passive dns", "trojandropper", "next associated", "fastly error", "please", "sea p", "mozilla", "accept", "ipv4 add", "urls", "files", "location united", "ipv4", "url analysis", "america flag", "america asn", "backdoor", "win32", "malware", "date", "domain", "segoe ui", "a domains", "security tls", "san jose", "asn8075", "reverse dns", "software", "resource hash", "general full", "status", "emails", "expiration date", "asp", "microsoft oem", "found", "running webserver", "netherlands", "creation date", "aaaa", "certificate", "protocol h2", "name value", "hash", "present jun", "present apr", "moved", "control att", "t1573 encrypted", "channel command", "decrypted ssl", "runtime process", "appdata", "windows nt", "svg scalable", "patch", "internal", "core", "high", "tcp syn", "icmp traffic", "dns query", "av detections", "ashburn", "ai device id", "telnet", "windows script", "microsoft", "host", "yara detections", "pdb path", "pe resource", "script host", "test", "hostname add", "files ip", "domains", "hashes", "ireland", "mtb jun", "mtb may", "device local", "remotewd", "nemtih", "url add", "http", "hostname", "files domain", "files related", "pulses otx", "present jul", "domain add", "colorado", "quasi", "contracts", "botnet", "remote access", "virginia", "c++", "hacking", "monitored target", "silencing campaign", "audio recording", "cameras", "full service", "tactics" ], "references": [ "Handled by Lumen Technologies | What kind of darkness is this?", "https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll https://myhpnmedicaid.com/Provider", "dev.myhpnmedicaid.com", "ELF:Mirai-ATI | United Healthcare Dark? | https://otx.alienvault.com/indicator/ip/205.132.162.113", "https://hybrid-analysis.com/sample/e439d3dd3d943ecc702d12998a32e15c00008a8f276e6c89cb54f6de43f36de8/689fccb81c4f237eb6009b0f", "https://hybrid-analysis.com/sample/f095ee58f390749315e72cfa46d979cb25a15884b66c7951719c844ebc82b3a3/689fcc753aca4827cd036851", "https://hybrid-analysis.com/sample/dd09e575e6dfa77f081bf0014b2494e02f90cb23723fbb35d6b2a92e7c629920/689fcc40b786f8eaa20534b5", "Primary Request aspnet dotnet.microsoft.com/en-us/apps/ Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/ https://dotnet.microsoft.com/en-us/apps/aspnet", "Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/", "https://dotnet.microsoft.com/en-us/apps/aspnet", "ASP.net - Hack Together: Mar 1-15 Join the hack. Build an app with NET & Microsoft Graph for a\u2026 .", "ASP.net - chance to win prizes! \u53e3\u3001\u4ecb\u5973\u8fa3 All Microsoft Learn more ASP.NET Free. Cross-platform\u2026.", "ASP.net Open source. A framework for building web apps and services with .NET and C#", "Registrant Org: Japan Computer Emergency Response Team Coordination Center", "Interesting: unitedhealthcare cdn.member.unitedhealthcare.com \u2022 data.aca.unitedhealthcare.com \u2022 data.member.unitedhealthcare.com", "Interesting Domain Tactics: https://click.benefits.unitedhealthcare.com/", "Interesting: dev-optum-dataintelligence.com \u2022 optumcoding.xxx \u2022 optuminsightcoding.xxx \u2022 optumrx.xxx", "Interesting: memberforms.optumrx.com \u2022 myoptum.info \u2022 optumrx.com \u2022 cte-scl.new.optumrx.com \u2022 dev-scl.optumrx.com", "http://www.nexcentra.com/fox-news-faces-another-sexual-harassment-lawsuit" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "Trojan:Win32/Daws", "display_name": "Trojan:Win32/Daws", "target": "/malware/Trojan:Win32/Daws" }, { "id": "ELF:Mirai-ATI", "display_name": "ELF:Mirai-ATI", "target": null }, { "id": "Trojan:Win32/IRCbot", "display_name": "Trojan:Win32/IRCbot", "target": "/malware/Trojan:Win32/IRCbot" }, { "id": "alf:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "alf:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Trojandropper:Win32/Muldrop.V!MTB", "display_name": "Trojandropper:Win32/Muldrop.V!MTB", "target": "/malware/Trojandropper:Win32/Muldrop.V!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1092", "name": "Communication Through Removable Media", "display_name": "T1092 - Communication Through Removable Media" }, { "id": "T1433", "name": "Access Call Log", "display_name": "T1433 - Access Call Log" } ], "industries": [ "Technology", "Telecommunications", "Contracts", "Government", "Finance", "Insurance", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4880, "domain": 575, "hostname": 1419, "FileHash-SHA256": 1745, "FileHash-MD5": 284, "FileHash-SHA1": 263, "email": 5, "CVE": 1 }, "indicator_count": 9172, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "216 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689d7fd544aa8cf483b02d5c", "name": "Sinkhole | Win32/Dofoil.R CnC Beacon", "description": "#LowFI:VBExpensiveLoop\n*Worm:Win32/Gamarue [Static Pe Anomaly \u2022\nContains Pe Overlay \u2022\nBinary Yara]\n- Win32/Dofoil.R CnC Beacon |\nAlerts:\n\u2022 suspicious_iocontrol_codes\n\u2022 physical_drive_access", "modified": "2025-09-13T06:02:44.359000", "created": "2025-08-14T06:19:01.666000", "tags": [ "lowfi", "united", "entries", "passive dns", "open ports", "next associated", "ipv4", "pulse pulses", "urls", "files", "domain", "address", "creation date", "name servers", "date", "hostname add", "dynamicloader", "medium", "fake", "high", "post", "show", "search", "observed http", "reg add", "copy", "write", "june", "malware", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "size", "pattern match", "ascii text", "mitre att", "ck id", "null", "error", "click", "body", "august", "hybrid", "general", "local", "path", "strings", "refresh", "tools", "meta", "onload", "span", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "defense evasion", "spawns", "mask", "generator" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 175, "FileHash-SHA1": 180, "FileHash-SHA256": 458, "URL": 436, "domain": 69, "hostname": 156, "email": 1, "SSLCertFingerprint": 9 }, "indicator_count": 1484, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "218 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689d5115ad786de4ff048e5b", "name": "TEL:ECCert!SSLCO | Mirai Malware Hosting | Multi user Tracker", "description": "https://api.mirai.com/MiraiWebService/passbook/180823-77257/4001645 [Malware hosting]\n*TEL:ECCert!SSLCO\nYARA Detections:\nDelphi\nThis program must be run under Win32\ncompilers.\nCode Overlap of Trojan Droppers Backdoors , TrojanSpy\n\n\n#injection_inter_process\n#creates_largekey\n#network_bind\n#ransomware_file_modifications\n#antivm_generic_bios\n#antivm_generic_disk\n#enumerates_physical_drives\n#physical_drive_access\n#deletes_executed_files\n#recon_fingerprint\n#suspicious_command_tools\n#anomalous_deletefile\n#antisandbox_sleep\n#dead_connect\n#dynamic_function_loading\n#http_request\n#ipc_namedpipe\n#network_anomaly\n#powershell_download\n#powershell_request #track #locate #remote_access", "modified": "2025-09-13T02:00:42.729000", "created": "2025-08-14T02:59:33.036000", "tags": [ "url https", "url http", "search", "type indicator", "role title", "added active", "related pulses", "showing", "entries", "present sep", "united", "present aug", "present jul", "present jun", "moved", "unknown ns", "present may", "present apr", "passive dns", "date", "encrypt", "body", "cookie", "gmt server", "content type", "dynamicloader", "medium", "x17x03x01", "download studio", "high", "read c", "show", "windows", "copy", "powershell", "write", "anomaly", "next", "unknown", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "yara detections", "delphi", "codeoverlap", "win32", "rgba", "memcommit", "delete", "png image", "hash", "dock", "execution", "malware", "wine emulator", "dynamic", "msie", "windows nt", "wow64", "slcc2", "media center", "capture", "persistence", "sha256", "submitted", "copy md5", "copy sha1", "copy sha256", "sha1", "script", "mitre att", "ck id", "show technique", "ck matrix", "null", "august", "span", "refresh", "meta", "mirai", "february", "april", "june", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "caribe", "rest", "accept", "friday", "look", "verify", "restart" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6211, "domain": 682, "hostname": 1661, "FileHash-MD5": 117, "FileHash-SHA1": 100, "FileHash-SHA256": 1386, "SSLCertFingerprint": 5 }, "indicator_count": 10162, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "218 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689d14258dd07e26a3bb1d46", "name": "PalantirFoundry.com (?) Multiple Remote Controlled Devices", "description": "Hacking.\nI\u2019m not sure if this is masquerading or not yet. Anything with \u2018PalantirFoundry.com\u2019 redirects to actual Palanrir login. Multiple users. Potentially 5000+ devices included in pulse. All monitored targets.", "modified": "2025-09-12T22:00:43.252000", "created": "2025-08-13T22:39:33.511000", "tags": [ "passive dns", "urls", "files", "ip address", "asn as16509", "less whois", "registrar", "unknown related", "servers", "status", "hostname", "domain", "files ip", "address", "united", "unknown ns", "a domains", "search", "script urls", "authority", "record value", "service", "mirai", "cloud provider", "reverse dns", "sydney", "australia asn", "as16509", "dns resolutions", "related tags", "none indicator", "write c", "mozilla", "nsisinetc", "show", "medium", "entries", "high", "http", "delete", "write", "malware", "data upload", "ms windows", "intel", "pe32", "lowfi", "next", "showing", "present feb", "present jun", "present dec", "present aug", "present may", "present jul", "moved", "media", "segoe ui", "ipv4", "url analysis", "location united", "error", "regopenkeyexa", "regsetvalueexa", "read c", "port", "destination", "regdword", "windows nt", "hostile", "win32", "unknown", "delphi", "persistence", "execution", "extraction", "l data", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "sha1", "sha256", "ascii text", "mitre att", "pattern match", "show technique", "null", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "type", "please", "pulse submit", "url add", "pulse pulses", "related nids", "files location", "flag united", "ddos", "next associated", "files show", "date hash", "avast avg", "virtool", "downloader", "dadobra", "date", "certificate", "montreal", "canada", "asn16509", "amazon02", "screenshot", "title login", "palantir", "page url", "history https", "evasion att", "remember", "label", "button", "form", "general full", "url https", "protocol h2", "security tls", "software envoy", "value", "domainpath name", "header value", "self", "copy md5", "copy sha1", "copy sha256", "returnur", "south korea", "as9318 sk", "sqlite rollback", "journal", "as701 verizon", "bittorrent dht", "win64", "copy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowFi:LinkularNSIS", "display_name": "#LowFi:LinkularNSIS", "target": null }, { "id": "#Lowfi:HSTR:Win32/ObfuscatorDynMemJmpAPI", "display_name": "#Lowfi:HSTR:Win32/ObfuscatorDynMemJmpAPI", "target": null }, { "id": "Fareit", "display_name": "Fareit", "target": null }, { "id": "TrojanDownloader:Win32/Dadobra.E", "display_name": "TrojanDownloader:Win32/Dadobra.E", "target": "/malware/TrojanDownloader:Win32/Dadobra.E" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3149, "domain": 1304, "URL": 5269, "FileHash-SHA256": 968, "FileHash-SHA1": 206, "email": 7, "FileHash-MD5": 274, "SSLCertFingerprint": 1, "CVE": 1 }, "indicator_count": 11179, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "219 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689cc89e77327602780be49e", "name": "Remotewd Devices \u2022 Spectrum / Charter Communications & AT&T", "description": "Remotewd Devices expanded \u2022 Spectrum / Charter Communications & AT&T.\nAdvesarial. Polymorphic.", "modified": "2025-09-12T16:05:33.542000", "created": "2025-08-13T17:17:18.456000", "tags": [ "url https", "domain", "types of", "united kingdom", "sweden", "virgin islands", "china", "germany", "date", "status", "ip address", "search", "domain add", "passive dns", "urls", "files", "error sep", "present jul", "address google", "safe browsing", "united", "unknown ns", "moved", "body", "cloudfront x", "hio52 p1", "certificate", "win32", "trojan", "entries", "next associated", "title error", "ipv4", "host gh", "secure path", "httponly cache", "x github", "request id", "accept", "encrypt", "formbook cnc", "checkin", "a domains", "lowfi", "mtb jun", "github pages", "as11427", "us note", "route", "ptr record", "hostname add", "url analysis", "verdict", "general info", "geo mckinney", "texas", "spectrum", "charter communications", "charter collection", "auth", "files ip", "address", "asn as16509", "record value", "germany unknown", "meta", "gmt cache", "sans400", "condensed300", "feel lost", "h1 div", "server", "gmt connection", "keep alive", "pragma", "ipv4 add", "url add", "http", "related nids", "files location", "flag united", "unknown aaaa", "china unknown", "beijing", "unknown soa", "hostname", "present aug", "name servers", "aaaa", "windows nt", "dynamicloader", "generic http", "exe upload", "inbound", "outbound", "host", "medium", "write", "markus", "malware", "files domain", "files related", "related tags", "none google", "showing", "error", "extraction", "se enter", "sc type", "data upload", "failed", "extr data", "ox sunnort", "include review", "exclude data", "iocs", "pdf report", "pcap", "stix", "openloc", "pul data", "move", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "pattern match", "ascii text", "show technique", "null", "refresh", "span", "august", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "class", "adversaries", "defense evasion", "initial access", "msie", "chrome", "gmt content", "main", "virtool", "idran anv", "exti", "concor referen", "running webserver", "review iocs", "suggested iocs", "show", "http traffic", "intel", "ms windows", "pe32", "high", "write c", "explorer", "unknown", "worm", "next", "comman_and_control", "et", "vtapi", "dos", "persistence", "polymorphic", "virus", "device", "script", "style", "endcolorstr", "regexp", "link", "powershell", "form", "push", "active", "remote_access", "general full", "protocol h2", "security tls", "austin", "asn7018", "attinternet4", "reverse dns", "software", "domains", "hashes", "at&t", "injection", "rwx", "hackers", "attack", "cape", "stealth hidden extension", "antivm generic", "cape detected", "threat stealth", "public folder", "deletes", "files anomalous", "disables system", "restore dead", "mail procmem", "yara suricata", "queries user name" ], "references": [ "Remotewd.com research - Devices under command and control. Malicious / adversarial | 3000 + devices in Pulse", "https://hybrid-analysis.com/sample/713944cb1accb541622bf99d55f34876b5ff13d042c6c203bab89632a15b9248/689c0eca8dd0033cbb064d12", "device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com TWC-11427-TEXAS, US \u2022 Spectrum", "Geo\tMcKinney, Texas, United States (US) \u2014 AS \u2022AS11427 - TWC-11427-TEXAS, US", "Note: An IP might be announced by multiple ASs.Spectrum | Charter Communications", "This is not shown. Route \u2022 184.92.0.0/16 (Route of ASN) PTR", "syn-184-092-221-096.res.spectrum.com(PTR record of primary IP) IPv4\t184.92.221.96", "https://urlscan.io/domain/device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com", "truist.palantirfoundry.com \u2022 nissansandbox.palantirfoundry.com", "device-7de2fab7-44a1-494e-8f36-8d135628c33a.remotewd.com 104.190.139.162 AT&T", "Stealth Hiddenreg Cape Detected Threat Stealth Timeout Accesses Public Folder Deletes", "Executed Files Anomalous Deletefile Dropper Disables System Restore Dead Connect", "Infostealer Cookies Infostealer Mail Procmem Yara Suricata Alert Modify Proxy Powershell", "Ransomware File Modifications Exec Crash", "Location Antisandbox Sleep Antidebug Setunhandledexceptionfilter Packer Unknown Pe Section Name Packer Entropy Network Bind Antivm Network Adapters Http Request Infostealer Browser Recon Fingerprint Antivm Checks Available Memory Antivm Generic Bios Reads Self Polymorphic Enumerates Physical Drives Network Http Network Cnc Http Antivm Bochs Keys", "Request Queries Keyboard Layout Antivm Generic Disk Resumethread", "Remote Process Static Pe Anomaly Https Urls Virus Process Creation Suspicious", "Contains Pe Overlay Queries Locale Api Language Check Registry" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "VirTool:Win32/Obfuscator.JM", "display_name": "VirTool:Win32/Obfuscator.JM", "target": "/malware/VirTool:Win32/Obfuscator.JM" }, { "id": "Win.Trojan.Cycbot-1584", "display_name": "Win.Trojan.Cycbot-1584", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6171, "domain": 1823, "hostname": 3155, "email": 8, "FileHash-SHA256": 950, "FileHash-MD5": 345, "FileHash-SHA1": 317, "CVE": 1, "CIDR": 1, "SSLCertFingerprint": 1 }, "indicator_count": 12772, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "219 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689b9b9fab42ca4f016a226f", "name": "Elastic's Al-driven Endpoint Security - Red Team Malicious (moved?)", "description": "Endgame - Unruy Activity -System infection | (Moved) Endpoint security (MOVED) from Elastic\nElastic's Al-driven security analytics empowers you with comprehensive endpoint protection. Detect, investigate, and respond to threats faster with a single agent and unified console. Gain actionable insights for a proactive defense posture. All built on the Search\nAl platform.\n| Used maliciously against monitored non-criminal targets. |\n{ virus - https://universitycenter.uccs.edu/}\n#unruy #activity #monitored_target #red_team_malicious #trojan #worm #moved\n#ai #adversarial #custom_malware #ransom #crypt #guardrails #dns #cnc #evasive #domain_generation #remote_access #devices #remotewd #virus #custom_malware #rip #endgame \n\u2022 TrojanDropper\t\t\t\n\u2022 Win32:Evo-gen\t\u2022 Cassini\n\u2022 RansomX-gen\u2022 Zombie.A\n\u2022 win32:MalwareX-gen\t\u2022 Win32:Malware-gen \u2022 Nymeria\n\u2022 Forcud +", "modified": "2025-09-11T13:03:18.814000", "created": "2025-08-12T19:53:03.953000", "tags": [ "url http", "url https", "indicator role", "title added", "active related", "pulses url", "entries", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "href", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "show technique", "ck matrix", "null", "refresh", "body", "span", "general", "local", "path", "iframe", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "united", "unknown ns", "ip address", "creation date", "search", "present sep", "moved", "domain add", "encrypt", "accept", "please", "passive dns", "msie", "next associated", "html", "background", "unknown site", "div div", "trojan", "zeus", "process32nextw", "read c", "show", "shellexecuteexw", "windows nt", "wow64", "copy", "dock", "write", "malware", "unknown", "defense evasion", "t1480 execution", "file defense", "august", "hybrid", "port", "destination", "tlsv1", "as15169", "ogoogle trust", "cngts ca", "execution", "next", "persistence", "data upload", "extraction", "win32", "ransom", "trojandropper", "mtb nov", "forcud", "files show", "date hash", "avast avg" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4179, "domain": 774, "hostname": 1673, "FileHash-MD5": 169, "FileHash-SHA1": 110, "FileHash-SHA256": 2073, "email": 1, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 8993, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "220 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68958d96a43dd0d3b5a65220", "name": "Mirai Communication Networks Inc", "description": "BGP Mirai Communication Networks Inc. May be used for Red Hat activities considered enterprise open source solutions. Used for adversarial motives. Abuse.\nResearched a device-local-**********.remotewd.com found in last residential community a monitored target lived.", "modified": "2025-09-07T05:03:49.633000", "created": "2025-08-08T05:39:34.315000", "tags": [ "united", "unknown ns", "moved", "passive dns", "ip address", "cloudfront x", "hio50 c1", "a domains", "domains", "meta", "mirai", "apache", "url hostname", "server response", "google safe", "learn", "ck id", "name tactics", "suspicious", "informative", "spawns", "command", "found", "mitre att", "ck techniques", "sha256", "sha1", "ascii text", "pattern match", "size", "null", "refresh", "body", "span", "august", "hybrid", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "defense evasion", "t1480 execution", "file defense", "show technique", "ck matrix", "adversaries", "general", "starfield", "iframe", "onload", "status", "urls", "domain", "name servers", "hostname", "files", "files ip", "certificate", "urls show", "results aug", "entries", "show process", "utf8", "crlf line", "network traffic", "title error", "next associated", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "equiv content", "win32", "trojan", "servers", "search", "whois show", "record value", "emails", "name legal", "department name", "address po", "city seattle", "present oct", "present jul", "present dec", "present aug", "files domain", "files related", "related tags", "none google", "safe browsing", "external", "data upload", "extraction", "include review", "exclude sugges", "uny inuuue", "find s", "extr", "typ dom", "failed", "extri data", "mirai meta", "japan unknown", "miraipcok meta", "overview ip", "address", "location united", "asn as15169", "nameservers", "less whois", "registrar", "overview domain", "address domain", "ip whois", "title", "create c", "read c", "delete", "write", "medium", "create", "showing", "rgba", "next", "dock", "execution", "malware", "sqlite rollback", "jfif", "journal", "regsetvalueexa", "ascii", "regdword", "baidu", "url add", "http", "related nids", "files location", "flag united", "redacted for", "unknown aaaa", "hostname add", "url analysis", "encrypt", "date", "germany unknown", "ascio", "creation date", "alfper", "ipv4 add", "reverse dns", "mozilla", "set spray", "pty ltd", "date checked", "present jun", "present nov", "present may", "present mar", "present sep", "present jan", "for privacy", "lngen", "ransom", "virtool", "exploit", "as133618", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "asn as133618", "whois registrar", "ietfdtd html", "gmt server", "debian", "dynamicloader", "unknown", "feat", "query", "installer", "results oct", "results jan", "aaaa", "tlsv1", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "lowfi", "urlshortner aug", "urlshortner jul", "urlshortner", "write c", "high", "et exploit", "probe ms17010", "f codeoverlap", "copy", "contacted", "w3wwhb", "svwjh5dd u", "uv5b usvwu", "f us3v9", "cu codeoverlap", "filehash", "sha256 add", "monitored target", "sloffeefoundry.com", "apple", "samsung", "galaxy", "msie", "windows nt", "wow64", "slcc2", "media center", "persistence", "edge", "bing", "racism", "amazon music", "ios", "twitter", "googleapis", "denver" ], "references": [ "Researched: 210.172.192.15 | p192015.mirai.ne.jp | sanso-mirai.jp", "Mirai Communication Network Inc. (AS7690) Seto, Japan ASN is a BGP Network", "*ccm-command-center.int.m1np.symetra.cloud", "Monitored Target/s", "https://hybrid-analysis.com/sample/ff37a006ed8677bafa412d653ce9adfe84744702f28f7dfe9f5f4ec51b599419/689505a3a647793a0300f73f", "https://hybrid-analysis.com/sample/d30cf86f09e3ab7bb7d0a4ac2608aafb31e07c94fe77f5a264ccdb35fe153c59/689505ded9be5613900509fd", "https://hybrid-analysis.com/sample/f6e628e57373bf795bae87c883dcaefdbb720960133edc1adacc6146d10fc88a", "https://otx.alienvault.com/indicator/ip/210.172.192.15", "https://otx.alienvault.com/indicator/domain/sanso-mirai.jp", "device-local-**********. remotewd.com", "https://sms-apple.com/login", "https://www.exito.com/galaxy-m12-64-gb-negro-samsung-sm-m127fzkkcoo-3016108/p", "https://4.img-dpreview.com/files/p/articles/2356747397/samsung_nv24hd_bk.jpeg", "https://shell-gift.website/sweeps/de/amazon-voucher/question1000-agg/index.html?uclick=qdlpqnvr&uclickhash=qdlpqnvr-qdlpqnvr-pmwj-0-xsi4-hovr-hoi4-9b6533", "api.omgpornpics.com", "http://www.mylifelawyer.com/services/denver-affordable-lawyer-child-custody/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Crypt-142", "display_name": "Win.Trojan.Crypt-142", "target": null }, { "id": "#Lowfi:SIGATTR:URLShortner", "display_name": "#Lowfi:SIGATTR:URLShortner", "target": null }, { "id": "Win.Trojan.14278494-1", "display_name": "Win.Trojan.14278494-1", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ransom:Win32/WannaCrypt.H", "display_name": "ransom:Win32/WannaCrypt.H", "target": "/malware/ransom:Win32/WannaCrypt.H" }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Mirai Communications", "display_name": "Mirai Communications", "target": null }, { "id": "Alfper", "display_name": "Alfper", "target": null }, { "id": "telper:HSTR:CLEAN:Ninite", "display_name": "telper:HSTR:CLEAN:Ninite", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" } ], "industries": [ "Technology", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8962, "domain": 1671, "hostname": 2125, "FileHash-SHA256": 2031, "FileHash-MD5": 718, "FileHash-SHA1": 523, "SSLCertFingerprint": 12, "email": 7, "CVE": 1 }, "indicator_count": 16050, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "224 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6894f30905efa56990bb10f6", "name": "Expanded device-local-****remotewd.com", "description": "device-local-2ffdbd74-9f90-41fa-beb8-454ed65788c5.remotewd.com", "modified": "2025-09-06T06:03:31.462000", "created": "2025-08-07T18:40:09.876000", "tags": [ "hostname", "pulse pulses", "passive dns", "urls", "files", "ip address", "nameservers", "date hash", "avast avg", "entries", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "itre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "mitre att", "pattern match", "show technique", "ck matrix", "null", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "domain", "hostname add", "files ip", "address", "location united", "hash avast", "avg clamav", "msdefender aug", "united", "port", "destination", "as16509", "search", "unknown", "ocloudflare", "medium", "memcommit", "service", "write", "next", "persistence", "execution", "malware", "copy", "encrypt", "win32", "mtb feb", "trojan", "susp", "trojandropper", "msr feb", "trojanspy", "next associated", "urls show", "date checked", "virtool", "win64", "worm", "mtb may", "files show", "heur", "script", "dropper", "ransom", "vitro", "pe32", "intel", "ms windows", "as15169", "read c", "asnone", "show", "packing t1045", "t1045", "delphi", "code", "june" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6741, "domain": 5822, "FileHash-SHA256": 1550, "URL": 16348, "FileHash-MD5": 287, "FileHash-SHA1": 242, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 31000, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6894f4e6c41982f405592b55", "name": "Worm:Win32/Mydoom | Expanded device-local-****remotewd.com", "description": "", "modified": "2025-09-06T06:03:31.462000", "created": "2025-08-07T18:48:06.557000", "tags": [ "hostname", "pulse pulses", "passive dns", "urls", "files", "ip address", "nameservers", "date hash", "avast avg", "entries", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "itre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "mitre att", "pattern match", "show technique", "ck matrix", "null", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "domain", "hostname add", "files ip", "address", "location united", "hash avast", "avg clamav", "msdefender aug", "united", "port", "destination", "as16509", "search", "unknown", "ocloudflare", "medium", "memcommit", "service", "write", "next", "persistence", "execution", "malware", "copy", "encrypt", "win32", "mtb feb", "trojan", "susp", "trojandropper", "msr feb", "trojanspy", "next associated", "urls show", "date checked", "virtool", "win64", "worm", "mtb may", "files show", "heur", "script", "dropper", "ransom", "vitro", "pe32", "intel", "ms windows", "as15169", "read c", "asnone", "show", "packing t1045", "t1045", "delphi", "code", "june" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": "6894f30905efa56990bb10f6", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6741, "domain": 5822, "FileHash-SHA256": 1550, "URL": 16348, "FileHash-MD5": 287, "FileHash-SHA1": 242, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 31000, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6893eee9bf1b30e08d1a6d8e", "name": "Ransom:Win32/CVE - Denver \u2022 Community Lifestyle Neighborhood", "description": "*Ransom:Win32/CVE - * Win.Dropper.Stone-9856966-0,\nDenver \u2022 Community Lifestyle Neighborhood. \nCorporate & Leasing Office corrupted with spyware. There is a single verified monitored target. All technology devices corrupted, at least 2 phones monitored, YouTube is courtesy of hackers. Several in person and phone investigations, staff change and they know nothing about leasing apartments, townhomes , etiquette, poor communication. Target also investigated. It appears to be harassment, intimidation and monitoring for unspecified reasons. The parking lot is stacked with obvious people sitting in their vehicles for hours. It\u2019s unclear if the staffing change is legitimate or part of an investigation.", "modified": "2025-09-05T23:02:52.811000", "created": "2025-08-07T00:10:17.696000", "tags": [ "address google", "safe browsing", "united", "typeof", "passive dns", "body doctype", "nreum", "date", "gmt server", "apache x", "cnection", "content type", "span", "ok transfer", "encoding", "x powered", "unknown soa", "unknown ns", "showing", "entries", "next associated", "urls show", "body", "encrypt", "search", "ip address", "creation date", "record value", "present jul", "present may", "present apr", "certificate", "present aug", "present feb", "present dec", "present nov", "error", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "development att", "sha1", "copy md5", "copy sha1", "copy sha256", "mitre att", "show technique", "ck matrix", "pattern match", "ascii text", "august", "hybrid", "general", "local", "path", "click", "strings", "itre att", "accept", "sha256", "size", "type data", "utf8 text", "document file", "flag", "server", "european union", "name server", "tor analysis", "dns requests", "domain address", "ii llc", "windir", "openurl c", "prefetch2", "show process", "ogoogle trust", "network traffic", "organization", "elton avundano", "object", "title object", "header http2", "returnurl", "texas", "rsa ov", "ssl ca", "status", "australia", "netherlands", "urls", "gmt path", "hostname add", "pulse submit", "present oct", "e safe", "results jul", "response ip", "present jan", "name servers", "verdict", "domain", "files ip", "address domain", "xhr start", "xhr load", "aaaa", "read c", "show", "port", "destination", "high", "delete", "outbound m3", "copy", "write", "persistence", "execution", "malware", "generic", "unknown", "present mar", "dynamicloader", "wine emulator", "dynamic", "medium", "read", "associated urls", "date checked", "url hostname", "server response", "google safe", "dnssec", "domain name", "solutions", "llc status", "next passive", "dns status", "hostname query", "files show", "date hash", "avast avg", "overview ip", "address", "related nids", "files location", "flag united", "hostname", "files domain", "win32", "mtb feb", "trojan", "susp", "trojandropper", "msr feb", "trojanspy", "virtool", "win64", "defense evasion", "t1480 execution", "file defense", "null", "refresh", "tools", "look", "verify", "restart", "file discovery", "utf8", "crlf line", "a domains", "script urls", "link", "unknown aaaa", "meta", "atom", "results jan", "present", "present sep", "akamai", "asn as16625", "less whois", "registrar", "http", "france flag", "france hostname", "files related", "url analysis", "files", "location france", "detailed error", "sec ch", "ch ua", "ua full", "ua platform", "moved", "name", "perfect privacy", "error jul", "next related", "domains show", "domain related", "url add", "pulse pulses", "hosting", "reverse dns", "france asn", "as16276", "dns resolutions", "datacenter", "regopenkeyexa", "regsetvalueexa", "windows nt", "regdword", "hostile", "service", "delphi", "next", "pulses none", "related tags", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "review", "data upload", "extraction", "khtml", "gecko", "olet", "cnlet", "tlsv1", "hacktool", "push", "ms windows", "intel", "pe32", "users", "precreate read", "ransom", "code", "installer", "june", "media", "autorun", "next yara", "detections name", "aspackv2xxx", "eu alexey", "alerts", "pe file", "filehash", "sha256 add", "av detections", "ids detections", "yara detections", "analysis date", "april", "packing t1045", "t1045", "t1060", "registry run", "keys", "user execution", "icmp traffic" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1132, "URL": 6245, "hostname": 2264, "FileHash-SHA256": 1857, "FileHash-SHA1": 491, "email": 9, "FileHash-MD5": 573, "SSLCertFingerprint": 16 }, "indicator_count": 12587, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6892e73b32af18aa302df0dc", "name": "Part 1.5", "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]", "modified": "2025-09-05T04:03:06.929000", "created": "2025-08-06T05:25:15.369000", "tags": [ "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "june", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "impact", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "script", "mitre att", "pattern match", "show technique", "iframe", "refresh", "august", "general", "local", "tools", "demo", "look", "verify", "restart", "url http", "small", "pulses url", "tellyoun", "showing", "entries", "url https", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "cc08", "f06a6b", "sfurl", "filehashsha256", "types", "indicators show", "search", "pulses", "filehashsha1", "adversaries", "found", "webp image", "ascii text", "riff", "size", "encrypt", "legacy", "filehashmd5", "united", "flag", "server", "markmonitor", "name server", "llc name", "overview dns", "requests domain", "country", "win32", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "detections", "malware", "copy", "show", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "extraction", "data upload", "enter sc", "type", "extra data", "please", "failed", "review", "exclude data", "included review", "ic data", "suggeste", "stop", "type onow", "domain", "passive dns", "urls", "files related", "pulses none", "related tags", "none google", "safe browsing", "sc data", "extr amanuav", "review included", "manualy", "sugges excluded", "filehash", "md5 add", "pulse pulses", "url add", "http", "hostname", "files domain", "pulses otx", "virustotal", "hsmi192547107", "pulses hostname", "r dec", "customer dec", "iski dec", "decision dec", "va dec", "bitcoin", "bitcoin dec", "petra", "torstatus dec", "paul dec", "sodesc", "planet dec", "emilia", "heroin dec", "difference dec", "palantir dec", "loraxlive dec", "chaturbate dec", "sandra", "free dec", "marvel dec", "benjis dec", "fresh dec", "sodesc dec", "srdirport", "srhostname", "link dec", "types of", "italy", "china", "australia", "france", "turkey", "discovery", "information", "ck ids", "t1005", "local system", "t1007", "system service", "part", "track", "locate", "political", "civil society", "news", "created", "hours ago", "report spam", "t1555", "password", "t1560", "collected data", "t1573", "channel", "t1574", "execution flow", "scan", "iocs", "t1497", "u0lhmq", "mtawmq", "t1480", "guardrails", "t1486", "data encrypted", "learn more", "unsubscribe aug", "protocol", "t1074", "staged", "t1083", "t1102", "web service", "t1105", "tool transfer", "t1140", "data engineer", "candidate", "tlsv1", "odigicert inc", "stcalifornia", "lsan jose", "oadobe systems", "incorporated", "cndigicert sha2", "push", "next", "high", "write c", "ireland as16509", "delete", "dirty", "tags", "t1012", "flow endpoint", "security scan", "t1106", "copyright", "levelblue" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 608, "FileHash-SHA1": 433, "FileHash-SHA256": 3663, "URL": 17104, "domain": 1316, "email": 39, "hostname": 4208, "SSLCertFingerprint": 17 }, "indicator_count": 27388, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688fa1290b459ca0e307fcbd", "name": "http://www.jeffreyrusertjeffersoncounty.net/", "description": "Does this mean a someone who SA\u2019d and critically injured someone was given legal access to also spy on his victim? \nFurther investigation needed. Now ther is a little phone symbol blinking on my device. Weirdness.", "modified": "2025-09-02T10:03:26.815000", "created": "2025-08-03T17:49:29.657000", "tags": [ "status", "creation date", "date", "domain add", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as396982", "whois registrar", "pulses", "related tags", "indicator facts", "historical otx", "pulse", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "mitre att", "ck techniques", "spawns", "falcon sandbox", "hybrid", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "ascii text", "size", "null", "refresh", "body", "span", "august", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "config", "runner", "us seen", "general info", "geo kansas", "city", "missouri", "united", "as396982", "us note", "route", "ptr record", "live", "november", "value emails", "dnssec", "domain name", "llc status", "whois server", "showing", "entries", "olet", "encrypt", "cnr3", "cnr10", "cnr11", "ilike search", "id logged", "common name", "issuer name", "encrypt https", "expired", "key usage", "tls web", "identifier", "search criteria", "timestamp entry", "log operator", "log url", "google https", "poison", "info", "certificate", "linter", "precertificate", "tls server", "subject dn", "ascii", "sha256 hash", "graph", "sectigo https", "ca mechanism", "provider status", "revocation date", "log id", "criteria id", "16566017041", "summary leaf", "15317728412", "15385730680", "sequence", "octet string", "pkcs", "integer", "null bit", "string", "boolean", "pkix key", "pkix", "observed" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 69, "URL": 226, "hostname": 64, "email": 1, "FileHash-SHA256": 143, "FileHash-MD5": 28, "FileHash-SHA1": 35, "CIDR": 1, "SSLCertFingerprint": 4 }, "indicator_count": 571, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67f6c635cb8c3c8b256b6dba", "name": "sdfzsdf.ele fac1ec40eea5a4fc05f17e019328e287", "description": "SHA1- 33008f85428a83996083c3da92a8f00595071403\nSHA256\ncdab1c3196887d4f749d82f014786a966c87f35a7189f0f3d078558b957847bf\nhttps://sandbox.ti.qianxin.com/sandbox/page/detail?type=file&id=7b6726e20c513baebf7fd387a3dd1b7d67a4c7c4\nhttps://ti.qianxin.com/v2/search?type=file&value=fac1ec40eea5a4fc05f17e019328e287\nhttps://www.virustotal.com/gui/file/cdab1c3196887d4f749d82f014786a966c87f35a7189f0f3d078558b957847bf/relations", "modified": "2025-09-01T08:05:17.675000", "created": "2025-04-09T19:10:45.337000", "tags": [ "sha1", "rozmiar", "typ pliku", "win32", "numer wersji", "wersja", "nieznany", "sha512", "crc32", "ssd gboki", "win64", "security", "license v2", "f6 d9", "windows nt", "detects", "gecko", "khtml", "msie", "wow64", "stealer", "error", "userprofile", "hunt", "keylogger", "encrypt", "antivm", "span", "main", "grabber", "hello", "android", "dcrat", "kill", "revengerat", "sandbox", "pass", "chat", "first", "asyncrat", "crypto", "injector", "dropper", "infostealer", "lockfile", "worldwind", "stealerium", "toxiceye", "avemaria", "fast", "persistence", "trojan", "restart", "snakekeylogger", "snake", "accept", "cookie", "code", "killproc", "lazarus", "dearcry", "njrat", "cyrus", "powershell", "info", "body", "floodfix", "downloader", "ransomware", "core", "loki", "fpspy", "klogexe", "firebird", "patch", "explorer", "avkiller", "masslogger", "baldr", "modi rat", "helpme", "osno", "import", "keylog", "screencapture", "ransom", "crypted", "silent", "xorddos", "stormkitty", "ordinal", "locker", "hyperbro", "lamepyre", "parallaxrat", "null", "shurk steal", "arkeistealer", "strongpity", "desktop", "myagent", "bypass", "fatduke", "miniduke", "polyglotduke", "guildma", "spyeye", "corebot", "killmbr", "ooops", "lcpdot", "torisma", "codec", "prometheus", "spook", "crypt", "logger", "zegost", "poshkeylogger", "systembc", "hdlocker", "cryptolocker", "fivehands", "kitty", "goldmax", "rents", "maurigo", "done", "hidewindow", "bokbot", "bladabindi", "darktrack", "darksky", "alien", "karkoff", "inject", "windigo", "rest", "softcnapp", "elysiumstealer", "leivion", "banload", "ultrareach", "ultrasurf", "buterat", "tools", "beasty", "shut", "gravityrat", "fatalrat", "discord", "deadwood", "turian", "markirat", "mark", "klingonrat", "path", "reverserat", "grab", "meta", "voidcrypt", "darkvnc", "ryzerlo", "hiddentear", "boxcaon", "stream", "crimsonrat", "delfi", "infinity", "stealthworker", "gasket", "spoolss", "lu0bot", "target", "attack", "cobaltstrike", "bits", "chaos", "bitcoin", "wiper", "delphi", "slackbot", "neshta", "belarus", "apanas", "runner", "darkcomet", "macoute", "iframe", "vanillarat", "sectoprat", "melt", "tomiris", "apostle", "blackbyte", "kutaki", "override", "windealer", "mkdir", "brbbot", "config", "babylon rat", "spynet", "bazarloader", "clipper", "banker", "gh0st", "piratestealer", "witch", "killme", "vulturi", "tofsee", "slow", "owowa", "flagpro", "write", "dazzlespy", "decryptor", "bandit stealer", "bandit", "darkeye", "recordbreaker", "truebot", "svchost", "clipbanker", "service", "koivm", "arrowrat", "ducktail", "confuser", "gobrat", "modiloader", "chilelocker", "noclose", "strelastealer", "comfoo", "babar", "blankgrabber", "solarmarker", "darkgate", "stub", "banned", "globeimposter", "rhysida", "janelarat", "kraken", "recon", "quiterat", "venomrat", "venom rat", "sapphirestealer", "ntospy", "raccoon", "shifu", "mediapi", "poolrat", "cicada3301", "remoteexec", "babylockerkz", "new service", "creation id", "nextron" ], "references": [ "Windows_Trojan_Tofsee.yar", "Suspicious New Service Creation (1).yml" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 353, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 28, "FileHash-SHA1": 27, "FileHash-SHA256": 1077, "domain": 282, "hostname": 316, "URL": 1092, "YARA": 535, "email": 4 }, "indicator_count": 3361, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688716977e80a4274f2eafa9", "name": "LeadIQ | The Smart B2B Prospecting Platform | Malware Packed | Agent Tesla & more", "description": "Found in Bot joining Pulse.", "modified": "2025-08-27T06:03:05.020000", "created": "2025-07-28T06:20:07.660000", "tags": [ "present jul", "united", "entries", "search", "moved", "ip address", "creation date", "record value", "date", "showing", "body", "meta", "passive dns", "next associated", "win32spigot apr", "title error", "ipv4 add", "pulse pulses", "urls", "files", "adaptivebee", "worm", "win32", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "location united", "asn asnone", "nameservers", "less whois", "registrar", "csc corporate", "status", "servers", "name servers", "hostname", "hostname add", "a domains", "script urls", "unknown aaaa", "technology one", "script script", "certificate", "null", "trojan", "twitter", "domain", "files ip", "address domain", "ip related", "pulses otx", "virtool", "http", "present jun", "present may", "pulse submit", "url analysis", "reverse dns", "australia asn", "as55532 squiz", "dns resolutions", "overview ip", "address", "ipv4", "iocs", "data upload", "extraction", "ided iocs", "failed", "shaw", "ail tvnas", "rl irl", "domain add", "ostname add", "verdict", "show", "types", "type", "indicator data", "searc type", "a indicator", "data", "select across", "all pages", "domain domain", "checked url", "hostname server", "response ip", "address google", "safe browsing", "msie", "chrome", "present dec", "base", "read c", "port", "destination", "delete", "copy", "write", "memcommit", "cryptexportkey", "invalid pointer", "writeconsolea", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "ascii text", "crlf line", "mitre att", "error", "click", "hybrid", "local", "path", "starfield", "strings", "refresh", "tools", "onload", "span", "form", "adversaries", "windows nt", "generic http", "exe upload", "inbound", "outbound", "yara detections", "malware", "expiration date", "whois show", "name andrew", "bauer name", "div id", "beginstring", "beginerror", "script", "general", "cloud", "find", "footer", "ninite feb", "telper", "ninite mar", "ninite apr", "trojandropper", "mtb mar", "url https", "general full", "security tls", "software", "resource hash", "protocol h2", "frankfurt", "main", "germany", "input", "skype", "opciones", "july", "es form", "dom name", "post https", "imagen", "microsoft", "iniciar sesin", "value", "variables", "config", "debug", "loader", "geturl", "b function", "addlistener", "proof", "amazon02", "dk summary", "amazon rsa", "september", "browsing", "resource", "asn16509", "name value", "queueprogress", "timestamp input", "status actions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 487, "FileHash-SHA1": 461, "URL": 10732, "domain": 1672, "email": 6, "hostname": 3039, "FileHash-SHA256": 2569, "SSLCertFingerprint": 7 }, "indicator_count": 18973, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "235 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68858e8244c8db854e8947c1", "name": "Goodreads Malware", "description": "Goodreads is an older book review website. I found Goodreads[.]com links botnet joining Pulse. Just curious. #goodreads #malware #goodreads_botnet_join #thismightbeabotnet\n#gogray #purpleteamit #malware \n#thismightbeabotnet #ineedtolearnmore", "modified": "2025-08-26T01:03:19.405000", "created": "2025-07-27T02:27:14.517000", "tags": [ "passive dns", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "united", "flag united", "present jun", "present may", "present apr", "search", "moved", "creation date", "record value", "date", "body", "meta", "indicator role", "title added", "active related", "pulses url", "memcommit", "value1", "partnerid4146", "username", "gamesessionid", "port", "destination", "regsetvalueexa", "mozilla", "write", "persistence", "execution", "malware", "copy", "next", "process32nextw", "show", "entries", "module load", "t1129", "intel", "ms windows", "showing", "t1045", "win32", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "evasion att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "size", "pattern match", "ascii text", "null", "error", "starfield", "click", "hybrid", "local", "path", "strings", "refresh", "tools", "onload", "span", "smbds ipc", "ms17010", "msf style", "probe ms17010", "generic flags", "yara detections", "nrv2x", "upxoepplace" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 155, "hostname": 1237, "FileHash-SHA256": 1141, "domain": 574, "URL": 4593, "FileHash-SHA1": 139, "email": 1, "SSLCertFingerprint": 8 }, "indicator_count": 7848, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68851d56edbe226314c31445", "name": "LinuxTsunami - Mirai_Botnet_Malware", "description": "[EXE:CPUByteOrder - Little endian]\n\u2022 ELF:Mirai-APD\\ [Trj]\n\u2022 Unix.Trojan.Mirai-1\nIDS Detections: SUSPICIOUS Path to BusyBox TELNET login failed ||\n\u2022 Yara Detections: Mirai_Botnet_Malware , SUSP_XORed_Mozilla , is__elf , Linux_Mirai Alerts dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout ||\n\nInteresting: 162.93.126.142\nLocation: \nUnited States of America\n[ASN: AS6949 charles schwab & co inc]\n*Unix.Trojan.Mirai-1\n\nAssociated Files: [5e2b1e9f7aa3dbfe8494a1ffd30e8a552f06d47f03e8ce17d4fb3b63c67991a1] \u2022 ELF:Mirai-APD\\ [Trj]\t\t\u2022 Unix.Trojan.Mirai-1 || 5\n\u2022 Backdoor:Linux/Tsunami.C!MTB\nIDS Detections:\nIRC Nick change on non-standard port\nTeamTNT IRC Bot Joining Channel\nIRC Channel JOIN on non-standard port\nIRC authorization message\nYara Detections:\nis__elf ||\n\nLinuxTsunami\nAlerts: \nnetwork_irc\nnolookup_communication\nIP\u2019s Contacted:\n194.31.98.17\nDomains Contacted:\nc6a7d807.vpn.njalla.net\n#hackers #lawfirms #mirai #botnets #remote_control #quasi", "modified": "2025-08-25T17:00:22.985000", "created": "2025-07-26T18:24:22.495000", "tags": [ "pulse", "http", "ip address", "passive dns", "related nids", "urls", "files location", "czechia flag", "czechia related", "pulses otx", "ipv4 add", "pulse pulses", "files", "hosting", "czechia asn", "as2118", "pulses", "related tags", "port", "destination", "light", "high", "tcp syn", "meerkat", "resolverror", "yara detections", "malware", "icmp traffic", "path", "copy", "pv4 add", "pulse submit", "url analysis", "location united", "america flag", "united", "america asn", "ck id", "name tactics", "suspicious", "informative", "learn", "spawns", "command", "found", "defense evasion", "t1480 execution", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "ascii text", "pattern match", "mitre att", "show technique", "null", "refresh", "body", "span", "hybrid", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "google safe", "browsing", "windows error", "april", "october", "september", "sandbox reports", "rejectedfailed", "timestamp input", "message status", "actions april", "june", "august", "july", "internal error", "entries", "show", "search", "backdoor", "teamtnt irc", "bot joining", "intel", "notice", "irc server", "tsunami", "domain", "creation date", "privacy inc", "customer", "domain add", "p address", "process details", "domains", "a domains", "script urls", "date", "status", "meta", "ov ssl", "record value", "showing", "certificate", "hostname add", "present may", "present jun", "present oct", "present jul", "present mar", "present nov", "present sep", "present feb", "next associated", "urls show", "date checked", "url hostname", "server response" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 73, "FileHash-SHA1": 77, "FileHash-SHA256": 404, "URL": 647, "domain": 124, "hostname": 487, "CVE": 1, "email": 3 }, "indicator_count": 1816, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "237 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68abf75bf3b03b94a6762409", "name": "(Repost) How to connect listeners to e.intercom | serverhub.com eonix.net", "description": "", "modified": "2025-08-25T05:40:43.552000", "created": "2025-08-25T05:40:43.552000", "tags": [ "context", "error", "ajaxupdate", "request", "requestdata", "name", "xoctoberassets", "datarequest", "typesubmit", "typetext", "click", "function", "typeof c", "bootstrap", "javascript", "azaz", "popover", "typeof f", "typeof g", "typeof h", "vui", "anda", "tente", "outubro", "trackingclient", "srpanj", "rabu", "vasaris", "image", "typeof atrkopts", "800px", "40px", "i18n", "blockedemail", "typeof i18n", "hubspot", "captcha", "date", "please", "april", "august", "close", "february", "june", "form", "klik", "download", "window", "this", "next", "null", "blank", "este", "anna", "rserver", "mais", "void", "object", "typeerror", "array", "symbol", "bound", "typeof window", "typeof t", "invalid path", "unknown method", "phonenumber", "ninja", "typeof e", "edge", "dataname", "intercom", "typeof symbol", "apple", "webkiti", "criosi", "trident" ], "references": [ "xfe-URL-Eonix.net-stix2-2.1-export.json", "xfe-URL-Serverhub.com-stix2-2.1-export.json", "xfe-URL-Enom.com-stix2-2.1-export 2.json", "https://widget.intercom.io/widget/rbc8ok9w", "https://js.hscollectedforms.net/collectedforms.js", "https://js.hsleadflows.net/leadflows.js", "https://d31qbv1cthcecs.cloudfront.net/atrk.js", "https://serverhub.com/combine/a059fe7a562c0b582328162f0ee69fda-1426025688", "https://serverhub.com/modules/system/assets/js/framework.js", "https://js.hs-scripts.com/3844463.js", "xfe-URL-Cloudfront.net-stix2-2.1-export.json", "xfe-URL-Intercom.io-stix2-2.1-export.json" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vui", "display_name": "Vui", "target": null }, { "id": "Outubro", "display_name": "Outubro", "target": null }, { "id": "Tente", "display_name": "Tente", "target": null }, { "id": "Anda", "display_name": "Anda", "target": null }, { "id": "Vasaris", "display_name": "Vasaris", "target": null }, { "id": "Rabu", "display_name": "Rabu", "target": null }, { "id": "Srpanj", "display_name": "Srpanj", "target": null }, { "id": "TrackingClient", "display_name": "TrackingClient", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": "62719a4dec6d0aa4631b9b2f", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5708, "hostname": 1541, "FileHash-SHA256": 876, "domain": 915, "CVE": 1, "FileHash-MD5": 1 }, "indicator_count": 9042, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "237 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688343b9e60e8693f50e515f", "name": "Cycbot & worse - Palantir Monitoring Target/s", "description": "Palantir \u2022 Gotham \u2022 Foundry Top tier sells tools used to monitor, harass, smear , invoke fear, even \u2018kill\u2019. Used by military., too many partners to name (includes the entire government., heavy military, NSA use) of course Twitter, Apple Facebook, Pegasus related, possibly Paragon if what I\u2019ve read and researched is true. *There are 188 Palantir Foundry links in this pulse. ||\nMonitored target || Apparently ,\u2018tool\u2019 is weaponized against civilians for unknown and unwarranted purposes. || Lofty and unclear how or why a manner of death of target was predicted and posted online 12 years ago. || More research is needed.\n\nMalware named was found in research. \n\n #targeted #rip #palantir #foundry #gotham #twitter #techbromafia #silencing #overreach #quasi_gov #ongoing #active #moved #dangerous", "modified": "2025-08-24T06:01:34.920000", "created": "2025-07-25T08:43:37.734000", "tags": [ "status", "united", "unknown ns", "passive dns", "urls", "creation date", "search", "emails", "date", "expiration date", "tcp include", "top source", "top destination", "show", "source source", "data upload", "extraction", "showing", "moved", "certificate", "ip address", "domain", "body", "present jul", "present jun", "present aug", "present sep", "trojan", "name servers", "twitter", "vtflooder", "foundry", "virustotal", "gotham", "palantir", "tools", "destination", "port", "msie", "windows nt", "unknown", "read c", "etpro trojan", "malware", "copy", "write", "infostealer", "possible", "virustotal", "copyleft", "present jan", "entries", "next associated", "ipv4 add", "pulse submit", "url analysis", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "discovery att", "hostname add", "files", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "ascii text", "mitre att", "pattern match", "show technique", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "look", "verify", "restart", "se extri", "referen", "etpro tr", "virtool", "referencec", "failed", "se extra", "eanioae", "include review", "exclude sugges", "includec review", "exclude", "suggest data", "open ports", "reverse dns", "location united", "america flag", "boardman", "t1045", "ck ids", "packing", "t1060", "run keys", "startup", "folder", "t1057", "discovery", "t1071", "value emails", "name domain", "org microsoft", "microsoft way", "city redmond", "country us", "dnssec", "t1012", "t1047", "instrumentation", "t1053", "taskjob", "spyware", "source", "signing defense", "size", "meta", "onload", "dynamicloader", "unicode text", "crlf line", "utf8", "medium", "write c", "default", "delphi", "win32", "code", "stream", "next", "akamai rank", "show process", "prefetch2", "dns server", "network traffic", "virus", "monitored target", "tofsee", "generic http", "exe upload", "inbound", "outbound", "delete", "yara detections", "markus", "flowid22101", "pixelevtid11771", "dvid", "urls show", "date checked", "188 palantir results", "adversaries", "development att", "ssl certificate", "flag", "stop", "facebook", "4328", "5943", "stealer", "unknown aaaa", "present may", "domain add", "hyundaitx", "twitter", "monitored tsara", "brashears", "apple", "ios", "remote", "cycbot", "maudio fw", "heur", "productversion", "fileversion", "maudio firewire" ], "references": [ "palantirfoundry.com \u2022 https://edenglobalpartners.palantirfoundry.com/", "247seekscenter.com \u2022 ns-1986.awsdns-56.co.uk: | 365-notifcation.com", "ETPRO TROJAN Win32/Oderoor Checkin \u2022 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain", "Domain ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)", "ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection", "platform.twitter.co \u2022 rm.twitter.co \u2022 upload.twitter.co \u2022 http://2fsyndication.twitter.co/", "http://legal.twitter.co \u2022 http://mobile.twitter.co/", "ec2-44-228-94-74.us-west-2.compute.amazonaws.com \u2022 defender.palantirfoundry.com", "https://embaxter.palantirfoundry.com \u2022 https://amgistudios.palantirfoundry.com", "https://ametrine-containers.palantirfoundry.com \u2022 https://amfp.palantirfoundry.com", "https://ameteklms.palantirfoundry.com \u2022 https://ametrine-compute.palantirfoundry.com", "https://amiable-constellation.palantirfoundry.com \u2022 https://amplifi.palantirfoundry.com", "https://oscar.palantirfoundry.com/ \u2022 https://replica.palantirfoundry.com/", "https://statemed.palantirgov.com/workspace/settings/notifications \u2022 https://cchbc.palantirfoundry.com", "https://test-1.washington.palantircloud.com \u2022 https://tarn.palantirgov.com \u2022 https://stateplatform.palantirgov.com", "https://imperium-dev-1.palantircloud.com \u2022 https://hii.palantirgov.com \u2022 https://genoa.washington.palantircloud.com", "tsystems.palantirfoundry.com \u2022 https://statemed.palantirgov.com \u2022 https://statecms.palantirgov.com", "https://replica.palantirfoundry.com/ \u2022 https://spacejam.palantirfoundry.com/ \u2022", "https://pl.pornhub.mrst.one/ \u2022 hotamateurpornsite.xxx \u2022 squirting.porn \u2022 https://de-pornhub.mrst.one/", "Hostname: hcl-dna-sandbox.palantirfoundry.com", "https://www.hyundaitx.com/", "ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check", "https://remote.downloadnow-1.com/", "Alerts: injection_runpe deletes_self persistence_autorun stealth_file antivirus_virustotal infostealer_ftp", "Alerts: infostealer_mail network_smtp persistence_ads recon_programs injection", "Monitored Target - Spawned process \"iexplore.exe\" w/commandline \"SCODEF:5860 CREDAT:275457 /prefetch:2\" (Show Process) source", "Monitored Target: Queries DNS server details \"www.hyundaitx.com\" source Network Traffic T1071.004", "Palantir/ Hyuandi coexist | Confirmed Targets transportation was a Hyuandi SUV |", "ipad-steals-app-ideas_1_.jpg - MD5 6dd66b729a649dec250b24533a58a996" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Vtflooder-9783271-0", "display_name": "Win.Malware.Vtflooder-9783271-0", "target": null }, { "id": "Trojan.Kazy-237", "display_name": "Trojan.Kazy-237", "target": null }, { "id": "Trojan.Vundo-5335", "display_name": "Trojan.Vundo-5335", "target": null }, { "id": "Generic31.BKFG", "display_name": "Generic31.BKFG", "target": null }, { "id": "Win.Packed.Krucky-6941986-0", "display_name": "Win.Packed.Krucky-6941986-0", "target": null }, { "id": "ALF:HSTR:KrunchyMalPacker!MTB", "display_name": "ALF:HSTR:KrunchyMalPacker!MTB", "target": null }, { "id": "Win.Trojan.Agent-920890", "display_name": "Win.Trojan.Agent-920890", "target": null }, { "id": "Win.Trojan.Jorik-10365", "display_name": "Win.Trojan.Jorik-10365", "target": null }, { "id": "Trojan.Adload-2492", "display_name": "Trojan.Adload-2492", "target": null }, { "id": "Trojan.Spy-59563", "display_name": "Trojan.Spy-59563", "target": null }, { "id": "Ransom:Win32/Cryptor", "display_name": "Ransom:Win32/Cryptor", "target": "/malware/Ransom:Win32/Cryptor" }, { "id": "Win32/Blacked", "display_name": "Win32/Blacked", "target": null }, { "id": "Win.Trojan.Cycbot-764", "display_name": "Win.Trojan.Cycbot-764", "target": null }, { "id": "Trojan.VB-47534", "display_name": "Trojan.VB-47534", "target": null }, { "id": "Backdoor:Win32/Drixed.J ,", "display_name": "Backdoor:Win32/Drixed.J ,", "target": "/malware/Backdoor:Win32/Drixed.J ," }, { "id": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "Malware Tool", "display_name": "Malware Tool", "target": null }, { "id": "Palantir Spyware", "display_name": "Palantir Spyware", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0030", "name": "Defense Evasion", "display_name": "TA0030 - Defense Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4203, "domain": 1218, "email": 9, "hostname": 2006, "FileHash-SHA256": 2740, "FileHash-MD5": 424, "FileHash-SHA1": 419, "SSLCertFingerprint": 12 }, "indicator_count": 11031, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687c95b12318dd62bdfbd29e", "name": "sorting \u2026", "description": "", "modified": "2025-08-19T06:05:20.676000", "created": "2025-07-20T07:07:29.508000", "tags": [ "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "discovery att", "files", "domain", "passive dns", "urls", "files ip", "address", "location united", "asn as14618", "less whois", "registrar", "et trojan", "msie", "windows nt", "show", "search", "entries", "unknown", "ascii text", "medium", "delete", "copy", "virustotal", "write", "next", "trojandropper", "malware", "asn as16509", "read c", "port", "destination", "rgba", "memcommit", "dock", "execution", "default", "unicode", "crlf line", "united", "xport", "module load", "t1129", "icmp traffic", "high", "cmd c", "t1055", "http", "ipv4 add", "pulse submit", "url analysis", "reverse dns", "america flag", "next associated", "showing", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "flag", "country", "markmonitor", "name server", "date", "contacted hosts", "process details", "extraction", "data upload", "extri", "include review", "exclude sugges", "typ hos", "ipv4", "data", "copy sha256", "copy sha1", "copy md5", "sha1", "sha256", "size", "beginstring", "segoe ui", "null", "type data", "refresh", "body", "span", "hybrid", "general", "click", "strings", "error", "tools", "look", "verify", "restart" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1596, "hostname": 2143, "FileHash-MD5": 73, "FileHash-SHA1": 48, "FileHash-SHA256": 422, "URL": 5044 }, "indicator_count": 9326, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687b5499d48de6e54f3bff11", "name": "213.174.130.70 - Spyware Install | Emotet via Malware sites", "description": "Malicious IP address for multiple malware domains. Very malicious spyware, will hijack network and devices. \n\u2022 Best Targeted sites \nSpyware Install\n\u2022 Garveep POST CnC\nBeacon\n\u2022 Worm.Mydoom\nCheckin\n\n#endgame #emotet #mydoom #malware_domains #install_spyware #monitered_targets", "modified": "2025-08-18T08:00:43.712000", "created": "2025-07-19T08:17:29.443000", "tags": [ "handle", "ripe ncc", "ripe network", "address range", "cidr", "allocation type", "assigned pa", "status", "whois server", "entity ah36ripe", "algorithm", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "date", "abuse contact", "orgid", "orgtechhandle", "address", "orgabuseref", "postalcode", "ripe", "seen", "update date", "tech email", "admin country", "expiration date", "dnssec", "admin id", "mi11255597wp", "msie", "chrome", "passive dns", "united", "ipv4 add", "pulse submit", "url analysis", "urls", "files", "hosting", "open", "body", "extraction", "data upload", "failed", "include review", "anorexx", "video", "father sex", "ebony riding", "ebony", "roberta", "type win32", "exe size", "mb first", "file name", "sentinelone", "present jul", "present oct", "entries http", "memcommit", "t1055", "read c", "search", "entries", "show", "medium", "showing", "high process", "injection t1055", "copy", "write", "win32", "malware", "tsara brashears", "tsara", "pornhub", "porn videos", "watch tsara", "most relevant", "open threat", "exchange", "public", "https", "green", "daily", "brashears", "porn", "watch", "busty xxx", "filter tsara", "brashears porn", "url add", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "md5 sha256", "google safe", "browsing", "dynamicloader", "dynamic", "read", "delete", "mtb apr", "trojan", "lowfi", "virtool", "icloader apr", "otx telemetry", "australia", "exploit", "cobalt strike", "hostile", "trojanspy", "msil", "win64", "pulse", "alerts", "yara rule", "named pipe", "xe7xf3xf2x14x9d", "high", "delphi", "local", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "defense evasion", "adversaries", "spawns", "found", "process details", "flag", "contacted", "meta", "location united", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "size", "beginstring", "null", "type data", "error", "span", "hybrid", "general", "click", "strings", "refresh", "tools", "pattern match", "show technique", "mitre att", "ck matrix", "ascii text", "show process", "utf8", "crlf line", "network traffic", "path", "included", "review", "excludea", "sugges data", "typ url", "url url", "url hos", "hos hos", "extraction f", "enter so", "u extractio", "extra data", "included review", "ic excluded", "suggeste", "pulses", "md5 google", "safe browsing", "virustotal api", "comments", "ally s", "extraction data", "enter soudcfidi", "ad temdac", "cddad ad", "praw type", "extr", "include u", "creation date", "record value", "gmt content", "x adblock", "certificate", "domain", "encrypt", "sec ch", "ch ua", "unknown aaaa", "ua full", "ua platform", "present jun", "moved", "ip address", "doctype html", "lander script", "head", "method", "allowed date", "arizona", "scottsdale", "go daddy", "authority", "next associated", "extraction fail", "enter soupce", "udi ad", "trydda dada", "panca type", "ur extraction", "s data", "pr extract", "servers", "hostname", "files ip", "denmark unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 4, "URL": 7528, "domain": 1822, "hostname": 2015, "email": 5, "FileHash-MD5": 373, "FileHash-SHA1": 363, "FileHash-SHA256": 1939 }, "indicator_count": 14049, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "244 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68761742b83c406c6afc4a45", "name": "Egton Medical Information Systems | Mirai | Malware | Cams", "description": "Egton Medical Information Systems Limited | Lynn Green\nRawdon House Green Lane\nCity\tLeeds\nCountry\tGB (andrew.carr@e-mis.com)\n[http://www.camx.com/files/cb05_final_report_120805.aspx]\n\nRequires further research.\nPotentially patient data brokers, international PHI exchange, stealth monitoring. #mirai #malware #trojan #cams #target #medical_information_exchange", "modified": "2025-08-14T08:00:18.079000", "created": "2025-07-15T08:54:26.212000", "tags": [ "egton medical", "limited name", "server", "date", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "size", "beginstring", "segoe ui", "null", "type data", "refresh", "body", "span", "hybrid", "general", "click", "strings", "error", "tools", "look", "verify", "restart", "pattern match", "ascii text", "ck id", "show technique", "mitre att", "ck matrix", "show process", "utf8", "crlf line", "t1057", "local", "path", "learn", "name tactics", "suspicious", "informative", "command", "spawns", "evasion att", "t1480 execution", "discovery att", "serving ip", "address", "status code", "united", "passive dns", "entries", "gmt server", "ecacc", "ipv4 add", "pulse pulses", "urls", "files", "location united", "ddos", "activity", "checkin", "next associated", "win64", "win32", "url http", "url https", "indicator role", "title added", "active related", "pulses hostname", "type indicator", "role title", "added active", "related pulses", "ck techniques", "memcommit", "read c", "show", "search", "copy", "ip address", "high", "dns query", "medium", "write", "malware", "urlhttp", "url add", "http", "related nids", "files location", "flag united", "backdoor", "mtb jul", "please", "x msedge", "all ipv4", "open", "data upload", "extraction", "sc type", "failed", "extr", "include review", "name server", "status", "whois field", "value address", "rawdon house", "green lane", "city leeds", "country gb", "creation date", "dnssec", "domain", "servers", "present jul", "body xml", "error code", "message value", "time2017", "a domains", "name servers", "redacted for", "unknown aaaa", "script urls", "record value", "germany unknown", "certificate", "for privacy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 107, "hostname": 192, "URL": 488, "FileHash-MD5": 136, "FileHash-SHA1": 130, "FileHash-SHA256": 169, "CVE": 1, "email": 6 }, "indicator_count": 1229, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "248 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68743465f53cdee0dcd25195", "name": "Attack on LevelBlue - OTX | Stealer? Cloudfront?", "description": "Strange incidents on OTX.\n1. Can\u2019t finish adding IoC\u2019s for a small\nOlor large pulse.\n2. I can annotate in rare occasions.\n3. The worst is there is a team of us working on Tsara Brashears using this tool on downtime. Yesterday there were over 1000 pulses now there are more only 144. There were 100\u2019s of indicators now it read 0 indicators on my end. 4. Tsara or Tsara Brashears goes to an IP with an unsigned signature 5. Receiving emails re: pulses pulsed years ago. ||\n\nThis is the second time and the largest grab. Other pulses are missing information regarding very concerning IoC\u2019s. The information truly needs to be restored. It is checked every time there is a login. \n\nFurther research is needed, the information is being stolen quickly and all devices ever used are still available. \n\n\nOpen Threat Exchange, I feel threatened. I noticed malware expert dorkingbeauty (and others with related content) has some pulses with 0 IoC\u2019s and has seemingly abandoned platform?", "modified": "2025-08-12T00:00:35.297000", "created": "2025-07-13T22:34:13.242000", "tags": [ "data upload", "extraction", "gtmkvjvztk", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "learn", "levelblue", "open threat", "exchange og", "levelblue open", "threat exchange", "exchange", "cloudfront", "contenttype", "connection", "date sun", "gmt etag", "united", "country", "alienvault name", "server", "date", "flag", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "size", "script", "segoe ui", "div id", "beginstring", "meta", "null", "error", "body", "click", "roboto", "path", "strings", "refresh", "tools", "onload", "span", "iframe", "pattern match", "ascii text", "ck id", "show technique", "mitre att", "ck matrix", "show process", "utf8", "crlf line", "unicode text", "local", "starfield", "command", "name tactics", "suspicious", "informative", "spawns", "ck techniques", "evasion att", "t1480 execution", "y ts", "include review", "exclude sugges", "uny incuat", "find s", "typ no", "failed", "extra data", "included ous", "review ic", "excludea tous", "suggeste data", "find suresteu", "type indicaloka" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 107, "FileHash-SHA256": 187, "hostname": 25, "FileHash-MD5": 30, "FileHash-SHA1": 31, "domain": 30, "SSLCertFingerprint": 3 }, "indicator_count": 413, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "250 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684bb4770ea123b0c1a2334f", "name": "Screen Capture - American Imaging Centers", "description": "", "modified": "2025-07-13T04:04:28.476000", "created": "2025-06-13T05:17:43.001000", "tags": [ "czech republic", "server", "date", "flag", "contacted hosts", "ip address", "process details", "cdn77 datacamp", "limited", "frankfurt", "main", "germany", "http", "april", "google safe", "browsing", "current dns", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "size", "pattern match", "mitre att", "ck id", "show technique", "null", "span", "error", "body", "june", "hybrid", "general", "local", "path", "encrypt", "click", "strings", "refresh", "tools", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "ck techniques", "verified", "ecdsa", "europeberlin", "aes256gcm", "linux x8664", "date fri", "contentlength", "connection", "general full", "url https", "protocol h2", "security tls", "asn60068", "ssl certificate", "execution att", "czechia", "passive dns", "present oct", "ipv4 add", "pulse pulses", "urls", "files", "reverse dns", "czechia asn", "as9080 ipex", "html document", "ascii text", "crlf line", "language", "iremotepanel", "screenshot", "screen capture" ], "references": [ "MicCerLisCA2011_2011-03-29.crt0nF", "master_audio1_128_20250528_b_01636.aac 1688088685.png", "IRemotePanel", "&docid=tVU1jbsRquWQLM&w=1920&h=1080&itg=1&q=horror AMD-FORCED-I2C-81x64-1.2.0.60-drp.zip" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 55, "hostname": 103, "URL": 373, "FileHash-MD5": 51, "FileHash-SHA1": 33, "FileHash-SHA256": 79, "SSLCertFingerprint": 2, "CIDR": 1 }, "indicator_count": 697, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "280 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6845e54bb82667ed18988fe5", "name": "Amazon -CF | Malicious autonomous system", "description": "Handle: AMAZON-4 Network Name: AMAZON-CF\n#DWactivity |\nWHO IS: \nAutonomous System Numbers\nAMAZON-AS\tAS7224 (AS7224)\nLABSHUB-NETWORKING\tAS10291 (AS10291)\nAMAZON-02\tAS16509 (AS16509)\nAWS-01\tAS19047 (AS19047)\nPRIME-TESTING\tAS63088 (AS63088)\n#malicious #rat #infection #auotonomous #virus #network #dns #intrusion #darkweb\n\n*issue with this great tool or possibly my network. Several IoC\u2019s deleted, I went back to retrieve IoC\u2019s from VT they were deleted and I had to do it all\nOver but conditions had changed.\nStill unable to annotate.", "modified": "2025-07-08T19:04:31.649000", "created": "2025-06-08T19:32:27.529000", "tags": [ "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "ascii text", "pattern match", "mitre att", "ck id", "show technique", "null", "refresh", "body", "span", "june", "hybrid", "general", "local", "path", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "net3128001", "net3168001", "amazon", "technology", "zenbox", "domain", "r2dbox", "virustotal", "technology xn", "united", "unknown aaaa", "search", "emails", "servers", "moved", "registrar", "creation date", "name servers", "present may", "entries", "ip address", "present feb", "present jan", "aaaa", "status", "passive dns", "urls", "server", "asn16509", "amazon02", "general full", "url http", "reverse dns", "resource", "resource path", "size", "cloudfront", "request id", "expiration date", "record value", "name domain", "org microsoft", "microsoft way", "hostname add", "pulse submit", "pulse indicator", "url analysis", "amazon ec2", "abuse", "aws rpki", "management poc", "ip routing", "report abuse", "abuse poc", "aea8arin", "amazon web", "amazon aws", "service", "net1042531920", "net10425319201", "net108138001", "net108156002", "net130176002", "net13224002", "net13249001", "net1332002", "net1335001", "net143204002", "allocation", "certificate", "assignment", "po box", "learn", "name tactics", "suspicious", "informative", "command", "spawns", "found", "ck techniques", "evasion att", "status code", "body length", "b body", "headers server", "cloudfront date", "contentlength", "connection", "date sun", "defense evasion", "ta0005 command", "control ta0011", "catalog tree", "resolved ips", "cname", "nothing", "accept", "registry keys", "http", "port", "gmt ifnonematch", "info file", "network dropped", "shutdown", "range", "name amazoncf", "parent at88z", "net type", "as organization", "amazon4", "link https", "links arin", "submit url", "handle amazon4", "street", "ave city", "wa postal", "code", "country us", "related", "whoiswhoisrws", "arin search", "whoisrws" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 106, "FileHash-SHA1": 101, "FileHash-SHA256": 636, "URL": 786, "domain": 462, "hostname": 790, "CIDR": 82, "email": 16 }, "indicator_count": 2979, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "285 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6844240c68255798e08beb3b", "name": "Bilety online: Tw\u00f3j kolejowy partner w podr\u00f3\u017cy", "description": "Microsoft has created a new version of its XMLHttpRequest, which allows users to access a website, via a browser or browser without the permission of a third party, using the same address.", "modified": "2025-07-07T00:01:51.704000", "created": "2025-06-07T11:35:40.942000", "tags": [ "sign", "google sign", "forgot email", "criminalip", "create account", "bilety online", "sprzeday biletw", "polregio", "ssdeep", "license", "typeerror", "regexp", "promise", "function", "version", "typeof symbol", "copyright", "google llc", "apache license", "date", "without", "error", "blank", "trident", "generator", "class", "mountain view", "android", "submission", "california", "common name", "google inc", "unit android", "country code", "us state", "sha1", "sha256", "imphash", "pehash", "file type", "vhash", "authentihash" ], "references": [ "http://bilety.polregio.pl", "https://bilety.polregio.pl", "http://www.salesmanago.pl/static/sm.js" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1295, "hostname": 302, "domain": 137, "FileHash-SHA256": 996, "FileHash-MD5": 38, "FileHash-SHA1": 40, "IPv4": 1 }, "indicator_count": 2809, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "286 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "Alerts: injection_runpe deletes_self persistence_autorun stealth_file antivirus_virustotal infostealer_ftp", "Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.", "https://hybrid-analysis.com/sample/a871c76756ddf6d18d728b668d011e9d04e9db9c79734450a562f1f4b6ba2cdc/68be456cd90e6cbdf30d2afb", "http://legal.twitter.co \u2022 http://mobile.twitter.co/", "Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "&docid=tVU1jbsRquWQLM&w=1920&h=1080&itg=1&q=horror AMD-FORCED-I2C-81x64-1.2.0.60-drp.zip", "https://replica.palantirfoundry.com/ \u2022 https://spacejam.palantirfoundry.com/ \u2022", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls", "ETPRO TROJAN Win32/Oderoor Checkin \u2022 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain", "https://sso.myfritz.net/static/images/icons/apple-touch-icon-76x76.png No", "api.omgpornpics.com", "Interesting Domain Tactics: https://click.benefits.unitedhealthcare.com/", "*ccm-command-center.int.m1np.symetra.cloud", "https://urlscan.io/domain/device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com", "master_audio1_128_20250528_b_01636.aac 1688088685.png", "AVM Computersysteme Vertriebs GmbH Certificate Subject: IT Certificate Subject *.avm.de Certificate Issuer: US", "ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot", "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks", "https://statemed.palantirgov.com/workspace/settings/notifications \u2022 https://cchbc.palantirfoundry.com", "https://js.hsleadflows.net/leadflows.js", "OTX AlienVault", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "Any.run", "Can the DoD no questions asked target a SA victim", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "https://oscar.palantirfoundry.com/ \u2022 https://replica.palantirfoundry.com/", "https://hybrid-analysis.com/sample/e439d3dd3d943ecc702d12998a32e15c00008a8f276e6c89cb54f6de43f36de8/689fccb81c4f237eb6009b0f", "https://es.pornhat.com/models/the-sex-creator/", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs", "Monitored Target - Spawned process \"iexplore.exe\" w/commandline \"SCODEF:5860 CREDAT:275457 /prefetch:2\" (Show Process) source", "Copyright \u00a9 Hilgraeve, Inc. 2001 Product Microsoft\u00ae Windows\u00ae Operating System Description HyperTerminal Applet", "https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA1-2f7189e96cda26dbb6948354667fdd1ad37c04c0", "https://hybrid-analysis.com/sample/f095ee58f390749315e72cfa46d979cb25a15884b66c7951719c844ebc82b3a3/689fcc753aca4827cd036851", "Executed Files Anomalous Deletefile Dropper Disables System Restore Dead Connect", "https://pl.pornhub.mrst.one/ \u2022 hotamateurpornsite.xxx \u2022 squirting.porn \u2022 https://de-pornhub.mrst.one/", "https://avm.de/ Connection: close Content Type: text/html charset=iso 8859 1", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "Is the family allowed to have a funeral for Tsara or print an obituary", "IDS Detections Gh0stCringe CnC Activity M2", "simswap.in (possible Mirai or relationship to)", "Location Antisandbox Sleep Antidebug Setunhandledexceptionfilter Packer Unknown Pe Section Name Packer Entropy Network Bind Antivm Network Adapters Http Request Infostealer Browser Recon Fingerprint Antivm Checks Available Memory Antivm Generic Bios Reads Self Polymorphic Enumerates Physical Drives Network Http Network Cnc Http Antivm Bochs Keys", "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png", "ww.google.com.uy", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "http://www.nexcentra.com/fox-news-faces-another-sexual-harassment-lawsuit", "gitea.neconsside.com \u2022 http://f7194.vip/login", "xfe-URL-Enom.com-stix2-2.1-export 2.json", "socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov", "ipad-steals-app-ideas_1_.jpg - MD5 6dd66b729a649dec250b24533a58a996", "api.acumatica.flex.redteam.com", "Ransomware File Modifications Exec Crash", "https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf", "There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise", "https://www.colorfulbox.jp/", "This is not shown. Route \u2022 184.92.0.0/16 (Route of ASN) PTR", "Remote Process Static Pe Anomaly Https Urls Virus Process Creation Suspicious", "2012647\tDropbox.com Offsite File Backup in Use", "https://otx.alienvault.com/indicator/ip/210.172.192.15", "https://ametrine-containers.palantirfoundry.com \u2022 https://amfp.palantirfoundry.com", "alohatube.xyz", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C", "https://hybrid-analysis.com/sample/d30cf86f09e3ab7bb7d0a4ac2608aafb31e07c94fe77f5a264ccdb35fe153c59/689505ded9be5613900509fd", "xfe-URL-Serverhub.com-stix2-2.1-export.json", "https://polling.portal.gov.bd/js/npc.script.js", "UrlVoid", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/68e72a3b96eaf61daf0eb13f", "https://js.hscollectedforms.net/collectedforms.js", "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]", "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect", "palantirfoundry.com \u2022 https://edenglobalpartners.palantirfoundry.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210", "ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98\t192.168.56.103\t173.194.113.114", "https://176.113.115.136/ohhiiiii/", "https://alohatube.xyz/search/tsara-brashears", "https://appleid.apple.com/cgi-bin/WebObjects/MyAppleIdCVE", "aohhpesayw.lawsonengineers.co.", "https://ipadaustralia.com/mim/93tkkjy9zc9fv796398p4e8425id90u4u727g7094724c0a9i8", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex", "Urlscan", "pornhub.com\t \u2022 www.pornhub.com", "xfe-URL-Intercom.io-stix2-2.1-export.json", "Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.", "https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "dev-app.project-cicada.com \u2022 project-cicada.com", "Ip Traffic: TCP 74.125.24.106:80 (googleapis.com) TCP 85.195.91.179:80 (catch-cdn.com) UDP :53", "Win32:Androp - FileHash-MD5 99c6c9564af67a954661ebf6e41391d2", "device-7de2fab7-44a1-494e-8f36-8d135628c33a.remotewd.com 104.190.139.162 AT&T", "Inject.BRDV - FileHash-SHA256\t25f639cdaae06656ab5e0cc80512146aa59097439c388dd15e4cc09343d9a283", "https://hybrid-analysis.com/sample/64e591d43f920a5194806bba9da40e0344db5333cd773da4df4f27259222529d/692a7e373e637b291e0a0957", "https://hybrid-analysis.com/sample/713944cb1accb541622bf99d55f34876b5ff13d042c6c203bab89632a15b9248/689c0eca8dd0033cbb064d12", "https://widget.intercom.io/widget/rbc8ok9w", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "https://hybrid-analysis.com/sample/f6e628e57373bf795bae87c883dcaefdbb720960133edc1adacc6146d10fc88a", "airinthemorning.net", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)", "Remotewd.com research - Devices under command and control. Malicious / adversarial | 3000 + devices in Pulse", "http://deposito.hostance.net/dialer/", "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "Alerts: packer_unknown", "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake", "Resource: https://urlscan.io/domain/privaterelay.appleid.com", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://twitter.com/PORNO_SEXYBABES", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.exito.com/galaxy-m12-64-gb-negro-samsung-sm-m127fzkkcoo-3016108/p", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-MD5\t99c8310538a090d2b7e5db3ea22b839a", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "IRemotePanel", "\u2193Command and Control \u2193", "https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com", "Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA", "news-publisher.pictures", "https://uutiskirje.professiogroup.com/go/54382390-5506438-191003959\u241d", "ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.\t192.168.56.103\t173.194.113.114", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net", "http://notredamewormhoutnet.appleid.com/", "https://idmsa.apple.com/ \u2022 account.apple.com \u2022 appleid.apple.com \u2022 http://www.apple.com/filenotfound", "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self", "https://serverhub.com/combine/a059fe7a562c0b582328162f0ee69fda-1426025688", "ET TROJAN Trojan Generic - POST To gate.php with no referer\t192.168.56.103\t173.194.113.114", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "https://www.mumuplayer.com/redirect/customerservice/_wig", "https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf", "https://js.hs-scripts.com/3844463.js", "https://hybrid-analysis.com/sample/41859e0b198fbe88772ef12c577023c0481ec19867e410bab335e67fea87c1bb/642ca80cde2048242a0e097d", "Infostealer Cookies Infostealer Mail Procmem Yara Suricata Alert Modify Proxy Powershell", "Apple - 162.55.158.153", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://d31qbv1cthcecs.cloudfront.net/atrk.js", "No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.", "https://remote.downloadnow-1.com/", "Alerts: infostealer_mail network_smtp persistence_ads recon_programs injection", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "http://certs.apple.com/appleistca2g1_bc.cer", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/", "consolefoundry.date \u2022 http://consolefoundry.date", "She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.", "platform.twitter.co \u2022 rm.twitter.co \u2022 upload.twitter.co \u2022 http://2fsyndication.twitter.co/", "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K", "https://push.adac.passcreator.com/ | passcreator-metrics.e07cc1.flownative.cloud", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "device-local-**********. remotewd.com", "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com", "Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92", "Registrant Org: Japan Computer Emergency Response Team Coordination Center", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter", "Geo\tMcKinney, Texas, United States (US) \u2014 AS \u2022AS11427 - TWC-11427-TEXAS, US", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name", "https://embaxter.palantirfoundry.com \u2022 https://amgistudios.palantirfoundry.com", "https://alohatube.xyz/search/sex-mom-dog-animal", "Palantir/ Hyuandi coexist | Confirmed Targets transportation was a Hyuandi SUV |", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "https://hybrid-analysis.com/sample/dd09e575e6dfa77f081bf0014b2494e02f90cb23723fbb35d6b2a92e7c629920/689fcc40b786f8eaa20534b5", "Comments HyperTerminal \u00ae was developed by Hilgraeve, Inc. for Microsoft", "ASP.net - chance to win prizes! \u53e3\u3001\u4ecb\u5973\u8fa3 All Microsoft Learn more ASP.NET Free. Cross-platform\u2026.", "https://api.strem.io/api/addonCollectionGet%", "Interesting: unitedhealthcare cdn.member.unitedhealthcare.com \u2022 data.aca.unitedhealthcare.com \u2022 data.member.unitedhealthcare.com", "Researched: 210.172.192.15 | p192015.mirai.ne.jp | sanso-mirai.jp", "https://test-1.washington.palantircloud.com \u2022 https://tarn.palantirgov.com \u2022 https://stateplatform.palantirgov.com", "http://freedns.afraid.org/images/apple.gif", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "p155-fmfmobile.icloud.com", "https://meumundogay-com.sexogratis.page/locker", "3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?", "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "palantir-staging.staging.candidate.app.paulsjob.ai", "Target agreed and complied with all lie detector measures.", "ASP.net Open source. A framework for building web apps and services with .NET and C#", "xfe-URL-Cloudfront.net-stix2-2.1-export.json", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "appleaustralia.com", "afraid.org | evergreen.afraid.org", "Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT", "CNC Hostname: urlspirit.spiritsoft.cn", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "http://titasgas.portal.gov.bd/dead.php", "fmfmobile.fe.apple-dns.net", "https://www.meritshealth.com/ Defense.Gov Mobility Co? ", "https://4.img-dpreview.com/files/p/articles/2356747397/samsung_nv24hd_bk.jpeg", "247seekscenter.com \u2022 ns-1986.awsdns-56.co.uk: | 365-notifcation.com", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "Primary Request aspnet dotnet.microsoft.com/en-us/apps/ Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/ https://dotnet.microsoft.com/en-us/apps/aspnet", "https://imperium-dev-1.palantircloud.com \u2022 https://hii.palantirgov.com \u2022 https://genoa.washington.palantircloud.com", "ALF:CERT:Adware:Win32/Peapoon Win.Malware.Midie-6847893-0\tTrojanDropper:Win32/Muldrop.V!MTB Win.Malware.Generickdz-9938530-0\tTrojan:Win32/Zombie.A Win.Malware.Genpack-6989317-0\tTrojanDropper:Win32/VB.IL Win.Trojan.VBGeneric-6735875-0\tWorm:Win32/Mofksys", "Crypt2.AZDI - FileHash-SHA256 62ffd7a3a21a5732870c4ad92fad7287a5270e4a5508752cfef0aa6f9ea30d1f", "http://www.salesmanago.pl/static/sm.js", "Suspicious New Service Creation (1).yml", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/691924001d6dc4fa2d04d0b2", "truist.palantirfoundry.com \u2022 nissansandbox.palantirfoundry.com", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "Windows_Trojan_Tofsee.yar", "1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "ec2-44-228-94-74.us-west-2.compute.amazonaws.com \u2022 defender.palantirfoundry.com", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "ELF:Mirai-ATI | United Healthcare Dark? | https://otx.alienvault.com/indicator/ip/205.132.162.113", "Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "https://brandyallen.com/2022/11/23/sexy", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/", "http://catgirls.foundation/main \u2022 https://spaceship.com/", "https://fritz.box/login | router.box | wlan.box | mesh.box | myfritz.box | https://business.kozow.com/bbox/ |", "Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.mylifelawyer.com/services/denver-affordable-lawyer-child-custody/", "http://mincom.gov.bd/dead.php", "Hostname: hcl-dna-sandbox.palantirfoundry.com", "Handled by Lumen Technologies | What kind of darkness is this?", "https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "xfe-URL-Eonix.net-stix2-2.1-export.json", "Interesting: dev-optum-dataintelligence.com \u2022 optumcoding.xxx \u2022 optuminsightcoding.xxx \u2022 optumrx.xxx", "dev.myhpnmedicaid.com", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "https://polling.portal.gov.bd/js/npop.script.js", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "syn-184-092-221-096.res.spectrum.com(PTR record of primary IP) IPv4\t184.92.221.96", "https://hybrid-analysis.com/sample/35dce2c9c408e751622991b0655871f35ab97106fa87c233dfa2b135b4014df4/68be451808aeabd5cc0e9e85", "https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "https://serverhub.com/modules/system/assets/js/framework.js", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "Original Name HYPERTRM.EXE Internal Name HyperTrm File Version 5.1.2600.0", "http://park.above.com/jr.php?gz=DjDNgvDQ0WlpBALxevxSvkF3jBH95b5riUvmgFjb1tbPDV06suYFlRcPA34ufLE5UZ8spiM7ya7tRXR8nLUgk920DSaIXniiR5hkoveznG%20mez7OU5R%20HKIczV475LuRwxm3J1pcRSpQcePtF/4aD%20frLO%205mYc0Maj8Z1IwBeAMESc9Gk3BzCkGUHNVeCAZ9vZrQhEeVvN%20QVBAu1boZNJTnvCAP0lB5ebMSP92bFHD/ItyL53LoVDSYWMd64KTNMMJaXE0kZVqQn/%20STriQbrA6cmW3Xj4sAJ3XXEbNNJzTbIvgsy00PlKWInEUK/iXzVecaBsXg3vkUcvkeM3HPPIajaBexXO7ATYz/qTeKAksI9l2IoDAsn0S9BYCTuP8uTYdgJAv0LO%20MkNBOrSqJnFQzTlNxG4NRSP6K4VDWklVPpCwQc/s/AfrwIdLcdrV6CQDLaluG1naOjXDc", "developer.huawei.com", "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "https://hybrid-analysis.com/sample/ff37a006ed8677bafa412d653ce9adfe84744702f28f7dfe9f5f4ec51b599419/689505a3a647793a0300f73f", "http://remote.edikamin.com/", "https://www.passcreator.com/en/apple-wallet-passes", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA256\tae2fb6755dbf52fa44e427fbe0f29bf541aeedf66656edeb08ba9d7ef1617afc", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "ASP.net - Hack Together: Mar 1-15 Join the hack. Build an app with NET & Microsoft Graph for a\u2026 .", "http://b25d1a05.click.convertkit-mail2.com \u2022 https://b25d1a05.click.convertkit-mail2.com", "Interesting: memberforms.optumrx.com \u2022 myoptum.info \u2022 optumrx.com \u2022 cte-scl.new.optumrx.com \u2022 dev-scl.optumrx.com", "http://watchhers.net/index.php", "applestore.net", "https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll https://myhpnmedicaid.com/Provider", "Contains Pe Overlay Queries Locale Api Language Check Registry", "CICADA Contextual Inference & Comprehensive Analysis Data Agent", "Note: An IP might be announced by multiple ASs.Spectrum | Charter Communications", "Stealth Hiddenreg Cape Detected Threat Stealth Timeout Accesses Public Folder Deletes", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "https://shell-gift.website/sweeps/de/amazon-voucher/question1000-agg/index.html?uclick=qdlpqnvr&uclickhash=qdlpqnvr-qdlpqnvr-pmwj-0-xsi4-hovr-hoi4-9b6533", "https://goo.gl/9p2vKq", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "registrant in its WHOIS record, often due to regulations like GDPR or ICANN policies.", "https://otx.alienvault.com/indicator/domain/sanso-mirai.jp", "Domain ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "MITRE ATT&CK (T1057) Monitoring Target/s. Can be reviewed in Hybrid-Analysis sample.", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members", "http://24.211.14.182:5555/login.htm?page=%2F | s5wpr2nreqby04v9.myfritz.ne", "https://dotnet.microsoft.com/en-us/apps/aspnet", "https://sms-apple.com/login", "http://netuser.joymeng.com/charge_apple/notify", "tsystems.palantirfoundry.com \u2022 https://statemed.palantirgov.com \u2022 https://statecms.palantirgov.com", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st", "zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67", "Mirai Communication Network Inc. (AS7690) Seto, Japan ASN is a BGP Network", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "Subject: DE Certificate Subject: Berlin Certificate Subject", "https://ameteklms.palantirfoundry.com \u2022 https://ametrine-compute.palantirfoundry.com", "ET TROJAN Fareit/Pony Downloader Checkin 2\t192.168.56.103\t173.194.113.114", "Statutory Masking Enabled - a domain registrar is hiding the public contact information for a domains", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com", "HYPERTRM.EXE - FileHash-SHA256 21cf992aba3d4adbc8a6bd65337f46a93983fbec8fe0f4639be826571ae469ba", "http://consolefoundry.date/one/gate.php", "I am very upset. Whoever is doing this is sick.", "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com", "There is fear in silence or speaking out", "If someone is believed to be a threat they have right to due process.", "ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check", "https://bilety.polregio.pl", "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "target.dropboxbusiness.com", "MicCerLisCA2011_2011-03-29.crt0nF", "https://amiable-constellation.palantirfoundry.com \u2022 https://amplifi.palantirfoundry.com", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "Certificate Issuer: DigiCert Inc Certificate Issuer: |DigiCert SHA2 Secur Server CA", "iamrobert.com Y.A.S.", "Monitored Target/s", "Malicious IP Contacted: 69.42.215.252", "http://cabinet.gov.bd/dead.php", "apple-business.cancom.at", "http://bilety.polregio.pl", "http://nhrc.portal.gov.bd/sites/default/files/files/nhrc.portal.gov.bd/page/348ec5eb_22f8_4754_bb62_6a0d15ba1513/Study-Report-on-Sexual-Offences_Final.pdf", "http://emrd.gov.bd/dead.php", "ecs-80-158-49-8.reverse.open-telekom-cloud.com", "https://www.hyundaitx.com/", "http://applewaebastian.fritz.box/ \u2022 applewaebastian.fritz.box", "Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.", "Request Queries Keyboard Layout Antivm Generic Disk Resumethread", "DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net", "ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection", "polling.portal.gov.bd", "Monitored Target: Queries DNS server details \"www.hyundaitx.com\" source Network Traffic T1071.004", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com TWC-11427-TEXAS, US \u2022 Spectrum", "Hybrid Analysis", "https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html", "ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)", "Mirai" ], "malware_families": [ "Unruy", "Trojan:win32/salgorea", "Trackingclient", "Neshta", "Ddos:linux/lightaidra", "!#addscopy-tostartup", "Win32:cabmod\\ [drp]", "Mirai", "Kraddare", "Wormwin32/mofksys.rnd!mtb", "Backdoor:win32/fynloski.a", "Srpanj", "Trojan:win32/daws", "Detplock", "Trojan:win32/eyestye.t", "Emotet", "Worm:win32/lightmoon.h", "Virtool:win32/obfuscator.jm", "Xrat", "Other malware", "Alf:hstr:krunchymalpacker!mtb", "Trojan:win32/zombie.a", "Win.trojan.gh0strat-9955419-1", "Trojan.spy-59563", "Trojan:win32/salgorea.c!mtb", "Ghandi", "Worm:vbs/dapato", "Worm:win32/locksky.gen!a", "Nids", "Trojan:win32/aenjaris.al!bit", "#lowfi:hstr:win32/obfuscatordynmemjmpapi", "Palantir spyware", "Banload", "Trojan.vundo-5335", "Generic31.bkfg", "Virtool:win32/obfuscator.k", "Win.malware.hd0kzai-9985588-0", "Win32/blacked", "Win32:evo-gen", "Trojan:win32/qqpass", "Union", "Tofsee", "Rabu", "Worm:win32/autorun!atmn", "Trojan:win32/startpage.aea", "Win.packed.remcos-10024510-0", "Cymt", "Tiggre", "Trojandropper:win32/hupigon.gen!a", "Softcnapp", "Malware", "Trojandropper:win32/vb.il", "Win.trojan.filerepmalware-10008115-0", "Win.malware.barys-6840738-0", "Bambernek", "Trojan:win32/agent.ag!mtb", "Noname057", "Sova", "Mirai (elf)", "Trojandropper:win32/muldrop.v!mtb", "Win.packed.generic-9967832-0", "Trojan.adload-2492", "Win.virus.polyransom-5704625-0", "#lowfi:linkularnsis", "Racoon stealer", "Worm:win32/yuner.a", "Win.trojan.agent-316098", "Trojandownloader:win32/dadobra.e", "Androp", "Trojan:win32/blihan.a", "Alf:heraklezeval:pua:win32/keygen", "Ransom:win32/wannacrypt.h", "Trojandownloader:win32/banload.d", "Fareit", "Silk road", "Win.packed.krucky-6941986-0", "Win.trojan.dcrat-10039889-0", "Backdoor:win32/drixed.j ,", "Psw.sinowal.x", "Win.trojan.crypt-142", "Trojan:win32/diamin.f", "Win.dropper.nanocore-10021490-0", "#lowfi:tool:win32/vbstoexev2e", "Alf:heraklezeval:trojan:win32/amsitamper.b", "Alf:jasyp:trojan:win32/ircbot!atmn", "Pws:win32/qqpass", "Tinba", "Win32:androp", "Virus:dos/nanjing", "Trojan:win32/pariham.a", "Formbook", "Ransom:win32/crowti.a", "Muldrop", "Trojan.agensla/msil", "Tente", "Apnic", "Mirai communications", "Win.trojan.agent-920890", "Inject.brdv", "Elf:mirai-ati", "Trojan:win32/glupteba.mt!mtb", "Trojan.kazy-237", "Suppobox", "Wannacry kill switch", "Win.malware.vtflooder-9783271-0", "Vasaris", "Win.trojan.zegost", "#lowfi:sigattr:urlshortner", "Win32/trickler", "Win.packer.pkr_ce1a-9980177-0", "Cve 2007695", "Nanocore rat", "Wacatac.", "Win.trojan.cycbot-1584", "Kentuchy", "Code overlap", "Dialer", "Worm:win32/autorun.xfv", "Swrort", "Swort", "Backdoor:linux/demonbot.aa!mtb", "Maltiverse", "Trojan:win32/vflooder", "Quasar rat", "Virtool:win32/injector.gen!bq", "Psw:win32/vb.cu", "Alf:heraklezeval:ransom:win32/cve", "Malware tool", "Trojan:win32/ircbot", "Win.trojan.generic", "Outubro", "Crypt2.azdi", "Worm:win32/autorun.b", "Trojan:win32/wacatac", "Bazaar loader", "Telper:hstr:clean:ninite", "Win.trojan.cycbot-764", "Blacknet", "Cve-2023-22518", "Alf:heraklezeval:pws:win32/ldpinch!rfn", "Alf:heraklezeval:trojan:win32/ymacco.aa47", "Vui", "Zbot", "Zegost", "Networm", "Win.trojan.agent", "Malwarex-gen", "Anda", "Backdoor:linux/mirai", "Win.trojan.14278494-1", "Win.trojan.jorik-10365", "Custom malware", "Win:zgrat", "Trojandownloader:win32/upatre.aa", "Trojanspy", "Win.trojan.blacknetrat-7838854-0", "Worm:win32/autorun.xxy!bit", "Fusioncore", "Win.trojan.emotet-9850453", "#virtool:win32/obfuscator.adb", "Njrat - s0385", "Alf:heraklezeval:pua:win32/spyrixkeylogger", "Alf:heraklezeval:trojan:win32/clipbanker", "Redline", "Trojan.vb-47534", "Ransom:win32/cryptor", "Zeus", "Nircmd", "Systweak", "Doc.downloader.emotetred02220-9938909-0", "Trojandownloader:win32/cutwail.bs", "Virtool:win32/autinject.cz!bit", "Win32:malob-bx", "Tel:msil/dlsocconsend", "Alfper", "Ransomexx", "Et", "Warzonerat - s0670" ], "industries": [ "Government", "Contracts", "Civil society", "Telecommunications", "Insurance", "Media", "Telecom", "Technology", "Finance" ], "unique_indicators": 429944 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/window.open", "whois": "http://whois.domaintools.com/window.open", "domain": "window.open", "hostname": "pmang.window.open" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "69e4e7cfdc3bb3cdffeecf7c", "name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]", "description": "", "modified": "2026-04-19T14:33:51.385000", "created": "2026-04-19T14:33:51.385000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "656a971ab44409ecb7018428", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "8 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e4e7c6ddf646eb4e645bd5", "name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]", "description": "", "modified": "2026-04-19T14:33:42.400000", "created": "2026-04-19T14:33:42.400000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "656a971ab44409ecb7018428", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "8 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e434769e2a43c088066ca2", "name": "Kraddare \u2022 Agent Tesla \u2022 CVE Jar clone credit octoseek", "description": "", "modified": "2026-04-19T07:36:41.138000", "created": "2026-04-19T01:48:38.335000", "tags": [ "heur", "cisco umbrella", "site", "alexa top", "malware", "million", "xcnfe", "maltiverse", "malware site", "safe site", "malicious", "trojan", "artemis", "vidar", "redline stealer", "raccoon", "keylogger", "riskware", "agent tesla", "remcos", "stealer", "miner", "hacktool", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "detplock", "networm", "win64", "service", "smokeloader", "dropper", "crack", "alexa", "trojanspy", "detection list", "blacklist https", "kyriazhs1975", "noname057", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "blacklist", "cyber threat", "united", "engineering", "phishing", "covid19", "facebook", "phishing site", "paypal", "njrat", "emotet", "nanocore rat", "meterpreter", "azorult", "download", "msil", "bladabindi", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "cve201711882", "redline", "ssl certificate", "tsara brashears", "cyberstalking", "spyware", "apple ios", "quasar", "ransomware", "malware norad", "cry kill", "attack", "installer", "formbook", "lockbit", "open", "banker", "bazarloader", "core", "ransomexx", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "ascii text", "null", "date", "error", "span", "refresh", "class", "generator", "critical", "body", "look", "verify", "restart", "meta", "hybrid", "general", "click", "strings", "tools", "as141773", "as63932", "moved", "passive dns", "search", "entries", "gmt content", "type", "keep alive", "scan endpoints", "all octoseek", "pulse pulses", "as17806 mango", "blacklist http", "phishtank", "malicious site", "apple", "blockchain", "runescape", "twitter", "qakbot", "asyncrat", "team", "internet storm", "generic", "union", "bazaloader", "media", "generic malware", "hostname", "suppobox", "netwire rc", "installcore", "conduit", "iobit", "mediaget", "outbreak", "acint", "installpack", "phish", "rostpay", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "filetour", "wacatac", "fusioncore", "dapato", "cleaner", "softonic", "encpk", "qbot", "predator", "swrort", "kraddare", "systweak", "dllinject", "driverpack", "iframe", "downldr", "presenoker", "as61317", "asnone united", "urls", "files", "next", "as15169 google", "japan unknown", "as17506 arteria", "as32244 liquid", "as49505", "russia unknown", "expired", "domain", "falcon", "as19969", "ipv4", "ransom", "encrypt", "file", "windows nt", "indicator", "response", "appdata", "gmt contenttype", "png image", "local", "contacted", "fali malicious", "dropped", "communicating", "referrer", "fali contacted", "silk road", "immediate", "cymulate2", "tsara brashears", "malvertizing" ], "references": [ "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "alohatube.xyz", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://alohatube.xyz/search/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "ww.google.com.uy", "https://alohatube.xyz/search/tsara-brashears", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://polling.portal.gov.bd/js/npc.script.js", "polling.portal.gov.bd", "https://polling.portal.gov.bd/js/npop.script.js", "http://watchhers.net/index.php", "https://brandyallen.com/2022/11/23/sexy", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://park.above.com/jr.php?gz=DjDNgvDQ0WlpBALxevxSvkF3jBH95b5riUvmgFjb1tbPDV06suYFlRcPA34ufLE5UZ8spiM7ya7tRXR8nLUgk920DSaIXniiR5hkoveznG%20mez7OU5R%20HKIczV475LuRwxm3J1pcRSpQcePtF/4aD%20frLO%205mYc0Maj8Z1IwBeAMESc9Gk3BzCkGUHNVeCAZ9vZrQhEeVvN%20QVBAu1boZNJTnvCAP0lB5ebMSP92bFHD/ItyL53LoVDSYWMd64KTNMMJaXE0kZVqQn/%20STriQbrA6cmW3Xj4sAJ3XXEbNNJzTbIvgsy00PlKWInEUK/iXzVecaBsXg3vkUcvkeM3HPPIajaBexXO7ATYz/qTeKAksI9l2IoDAsn0S9BYCTuP8uTYdgJAv0LO%20MkNBOrSqJnFQzTlNxG4NRSP6K4VDWklVPpCwQc/s/AfrwIdLcdrV6CQDLaluG1naOjXDc", "http://nhrc.portal.gov.bd/sites/default/files/files/nhrc.portal.gov.bd/page/348ec5eb_22f8_4754_bb62_6a0d15ba1513/Study-Report-on-Sexual-Offences_Final.pdf", "https://twitter.com/PORNO_SEXYBABES", "https://alohatube.xyz/search/sex-mom-dog-animal", "https://www.colorfulbox.jp/", "Hybrid Analysis", "Any.run", "OTX AlienVault", "Urlscan", "UrlVoid", "http://emrd.gov.bd/dead.php", "http://titasgas.portal.gov.bd/dead.php", "http://mincom.gov.bd/dead.php", "http://cabinet.gov.bd/dead.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Malaysia", "Bangladesh" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Racoon Stealer", "display_name": "Racoon Stealer", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Bazaar Loader", "display_name": "Bazaar Loader", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Detplock", "display_name": "Detplock", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null }, { "id": "Ghandi", "display_name": "Ghandi", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swort", "display_name": "Swort", "target": null }, { "id": "Silk Road", "display_name": "Silk Road", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:VBS/Dapato", "display_name": "Worm:VBS/Dapato", "target": "/malware/Worm:VBS/Dapato" }, { "id": "Kraddare", "display_name": "Kraddare", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" } ], "industries": [], "TLP": "green", "cloned_from": "654a7a53317c717d1f4fee7f", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2522, "FileHash-SHA1": 862, "FileHash-SHA256": 2855, "URL": 7963, "domain": 1168, "hostname": 3181, "CVE": 13, "email": 2, "IPv4": 1 }, "indicator_count": 18567, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "15 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c1bd40f81db45dc044697c", "name": "Masterkey Clone By CallmeDoris", "description": "", "modified": "2026-03-23T22:22:56.940000", "created": "2026-03-23T22:22:56.940000", "tags": [ "dropped file", "chromeua", "runtime data", "drmedgeua", "edgeua", "generator", "win64", "null", "template", "unknown", "critical", "addressbar", "desktop", "dark", "light", "iframe", "cookie", "meta", "body", "legend", "dwis", "core", "tear", "malicious", "mozilla", "strings", "qakbot", "://masterkey.com.ua/download/MKClientSetup.exe" ], "references": [ "https://hybrid-analysis.com/sample/41859e0b198fbe88772ef12c577023c0481ec19867e410bab335e67fea87c1bb/642ca80cde2048242a0e097d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": "642db7b656049e54b2f71c20", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 949, "URL": 5642, "CVE": 2, "domain": 509, "FileHash-SHA256": 293, "FileHash-MD5": 550, "FileHash-SHA1": 60, "email": 5 }, "indicator_count": 8010, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "27 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6940b852c28f2a2c6abb4aad", "name": "FRITZ!Box \u2026.Connecting to Apple devices", "description": "Connecting to targeted Apple\ndevices overnight. \n\nHow to connect to the FRITZ!Box, how to access all of the product's functions, and what to do with the device if you are not connected to it in your home network.", "modified": "2026-01-15T01:02:47.757000", "created": "2025-12-16T01:39:30.381000", "tags": [ "fritz", "strong", "main navigation", "deutsch", "englisch", "funktionen der", "verbindung zur", "wifi", "ip address", "box avm", "lowfi", "win32", "susp", "urls", "files", "asn as44716", "related tags", "indicator facts", "germany unknown", "a domains", "meta", "typo3", "body doctype", "kasper skaarhoj", "gmt server", "pragma", "a nxdomain", "nxdomain", "whitelisted", "present aug", "present jul", "present oct", "present jun", "united", "present sep", "present nov", "next http", "scans show", "title", "div div", "a li", "wir suchen", "li ul", "avm karriere", "dich a", "reverse dns", "berlin", "germany asn", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "none related", "passive dns", "ipv4", "url analysis", "present dec", "moved", "certificate", "vertriebs gmbh", "aaaa", "as12732 gutcon", "domain", "hostname", "verdict", "files ip", "address", "germany", "as13335", "as8220 colt", "present may", "united kingdom", "regsetvalueexa", "regdword", "regbinary", "show", "yara detections", "regsetvalueexw", "regsz", "medium", "suspicious", "delphi", "malware", "write", "as6878", "msie", "chrome", "gmt content", "germany showing", "createobject", "set http", "search", "high", "read c", "et trojan", "jfif", "ascii text", "detected", "trojan generic", "checkin", "pony downloader", "http library", "virustotal", "riskware", "mcafee", "drweb", "vipre", "trojan", "panda", "next", "unknown", "as15169 google", "status", "name servers", "record value", "emails", "error", "trojandropper", "results dec", "ddos", "worm", "mtb trojan", "mtb apr", "exev2e", "ia256", "extraction", "get http", "post http", "learn", "command", "ck id", "name tactics", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "germany germany", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "pattern match", "show technique", "ck matrix", "show process", "network traffic", "t1057", "t1071", "hybrid", "local", "path", "t1204 user", "defense evasion", "t1480 execution", "sha1", "sha256", "size", "script", "null", "span", "refresh", "footer", "body", "june", "general", "click", "strings", "tools", "tracker", "code", "look", "verify", "restart", "bad traffic", "et info", "tls handshake", "failure", "process details", "flag", "link", "present feb", "servers", "redacted for", "as20546 soprado", "encrypt", "mtb sep", "ransom", "next associated", "twitter", "virtool", "hostname add", "location russia", "as200350", "russia unknown", "federation flag", "ipv4 add", "asn as200350", "related", "domain add", "unknown ns", "expiration date", "http version", "windows nt", "gbot", "post method", "port", "destination", "delete", "get na", "as15169", "expiration", "url https", "no expiration", "showing", "entries", "url add", "pulse pulses", "http", "files domain", "files related", "pulses none", "unknown cname", "cname", "asn as24940", "less", "date", "pulse submit" ], "references": [ "https://fritz.box/login | router.box | wlan.box | mesh.box | myfritz.box | https://business.kozow.com/bbox/ |", "https://avm.de/ Connection: close Content Type: text/html charset=iso 8859 1", "AVM Computersysteme Vertriebs GmbH Certificate Subject: IT Certificate Subject *.avm.de Certificate Issuer: US", "Certificate Issuer: DigiCert Inc Certificate Issuer: |DigiCert SHA2 Secur Server CA", "Subject: DE Certificate Subject: Berlin Certificate Subject", "https://uutiskirje.professiogroup.com/go/54382390-5506438-191003959\u241d", "http://b25d1a05.click.convertkit-mail2.com \u2022 https://b25d1a05.click.convertkit-mail2.com", "https://push.adac.passcreator.com/ | passcreator-metrics.e07cc1.flownative.cloud", "ecs-80-158-49-8.reverse.open-telekom-cloud.com", "http://24.211.14.182:5555/login.htm?page=%2F | s5wpr2nreqby04v9.myfritz.ne", "HYPERTRM.EXE - FileHash-SHA256 21cf992aba3d4adbc8a6bd65337f46a93983fbec8fe0f4639be826571ae469ba", "Copyright \u00a9 Hilgraeve, Inc. 2001 Product Microsoft\u00ae Windows\u00ae Operating System Description HyperTerminal Applet", "Original Name HYPERTRM.EXE Internal Name HyperTrm File Version 5.1.2600.0", "Comments HyperTerminal \u00ae was developed by Hilgraeve, Inc. for Microsoft", "ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System", "ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.\t192.168.56.103\t173.194.113.114", "ET TROJAN Trojan Generic - POST To gate.php with no referer\t192.168.56.103\t173.194.113.114", "ET TROJAN Fareit/Pony Downloader Checkin 2\t192.168.56.103\t173.194.113.114", "ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98\t192.168.56.103\t173.194.113.114", "http://applewaebastian.fritz.box/ \u2022 applewaebastian.fritz.box", "http://netuser.joymeng.com/charge_apple/notify", "https://www.passcreator.com/en/apple-wallet-passes", "https://sso.myfritz.net/static/images/icons/apple-touch-icon-76x76.png No", "apple-business.cancom.at", "Apple - 162.55.158.153", "Crypt2.AZDI - FileHash-SHA256 62ffd7a3a21a5732870c4ad92fad7287a5270e4a5508752cfef0aa6f9ea30d1f", "Inject.BRDV - FileHash-SHA256\t25f639cdaae06656ab5e0cc80512146aa59097439c388dd15e4cc09343d9a283", "Win32:Androp - FileHash-MD5 99c6c9564af67a954661ebf6e41391d2", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-MD5\t99c8310538a090d2b7e5db3ea22b839a", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA1-2f7189e96cda26dbb6948354667fdd1ad37c04c0", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA256\tae2fb6755dbf52fa44e427fbe0f29bf541aeedf66656edeb08ba9d7ef1617afc", "Ip Traffic: TCP 74.125.24.106:80 (googleapis.com) TCP 85.195.91.179:80 (catch-cdn.com) UDP :53", "ALF:CERT:Adware:Win32/Peapoon Win.Malware.Midie-6847893-0\tTrojanDropper:Win32/Muldrop.V!MTB Win.Malware.Generickdz-9938530-0\tTrojan:Win32/Zombie.A Win.Malware.Genpack-6989317-0\tTrojanDropper:Win32/VB.IL Win.Trojan.VBGeneric-6735875-0\tWorm:Win32/Mofksys" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#LowFi:Tool:Win32/VbsToExeV2E", "display_name": "#LowFi:Tool:Win32/VbsToExeV2E", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Androp", "display_name": "Androp", "target": null }, { "id": "Inject.BRDV", "display_name": "Inject.BRDV", "target": null }, { "id": "Win32:Androp", "display_name": "Win32:Androp", "target": null }, { "id": "Crypt2.AZDI", "display_name": "Crypt2.AZDI", "target": null }, { "id": "TEL:MSIL/DlSocConSend", "display_name": "TEL:MSIL/DlSocConSend", "target": "/malware/TEL:MSIL/DlSocConSend" }, { "id": "DDOS:Linux/Lightaidra", "display_name": "DDOS:Linux/Lightaidra", "target": "/malware/DDOS:Linux/Lightaidra" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "Trojan:Win32/Salgorea.C!MTB", "display_name": "Trojan:Win32/Salgorea.C!MTB", "target": "/malware/Trojan:Win32/Salgorea.C!MTB" }, { "id": "Worm:Win32/Autorun.XFV", "display_name": "Worm:Win32/Autorun.XFV", "target": "/malware/Worm:Win32/Autorun.XFV" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "Worm:Win32/Yuner.A", "display_name": "Worm:Win32/Yuner.A", "target": "/malware/Worm:Win32/Yuner.A" }, { "id": "Win.Trojan.Zegost", "display_name": "Win.Trojan.Zegost", "target": null }, { "id": "PWS:Win32/QQpass", "display_name": "PWS:Win32/QQpass", "target": "/malware/PWS:Win32/QQpass" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win.Trojan.Generic", "display_name": "Win.Trojan.Generic", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win32/Trickler", "display_name": "Win32/Trickler", "target": null }, { "id": "Win.Malware.Hd0kzai-9985588-0", "display_name": "Win.Malware.Hd0kzai-9985588-0", "target": null }, { "id": "Trojan:Win32/Aenjaris.AL!bit", "display_name": "Trojan:Win32/Aenjaris.AL!bit", "target": "/malware/Trojan:Win32/Aenjaris.AL!bit" }, { "id": "Trojan:Win32/Agent.AG!MTB", "display_name": "Trojan:Win32/Agent.AG!MTB", "target": "/malware/Trojan:Win32/Agent.AG!MTB" }, { "id": "Trojan:Win32/Salgorea", "display_name": "Trojan:Win32/Salgorea", "target": "/malware/Trojan:Win32/Salgorea" }, { "id": "Win.Malware.Barys-6840738-0", "display_name": "Win.Malware.Barys-6840738-0", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Trojan:Win32/EyeStye.T", "display_name": "Trojan:Win32/EyeStye.T", "target": "/malware/Trojan:Win32/EyeStye.T" }, { "id": "wormWin32/Mofksys.RND!MTB", "display_name": "wormWin32/Mofksys.RND!MTB", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "CVE 2007695", "display_name": "CVE 2007695", "target": null } ], "attack_ids": [ { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 927, "hostname": 2093, "FileHash-SHA256": 1474, "URL": 5935, "FileHash-MD5": 351, "FileHash-SHA1": 252, "email": 5, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11040, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "94 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693f3ef3b05672ba47b903e3", "name": "Create Amazing Password Forms - Project Cicada", "description": "Huge pulse of multiple IoC\u2019 from Project Cicada URL\n(not the 3301 Mystery) | Monitored Target | Indont know if it\u2019s related to Havana Syndrome. Is related to State of Colorado , Christopher P. \u2018Buzz\u2019 Ahmann and Tesla Hackers, \n\u201cThe right of a man or woman to retreat into his/her own home and there be free is from UNREASONABLE government intrusion is at the \u201c very core\u201d of the Fourth Amendment.\u201d\nFlorida vs. Jardines 569 U.S. 1 (2013)", "modified": "2026-01-13T22:02:50.260000", "created": "2025-12-14T22:49:23.114000", "tags": [ "cicada", "project cicada", "united states", "quasi government", "asnone country", "united", "moved", "agent", "meta", "title error", "reverse dns", "servers", "urls", "url analysis", "aaaa", "present dec", "ip address", "america flag", "unknown", "Christopher P. \u2018Buzz\u2019 Ahmann", "brian sabey.", "State of Colorado", "date checked", "url hostname", "server response", "google safe", "results mar", "avast avg", "qualified immunity", "address google", "freeman", "mathis", "special forces", "tailored access", "tao", "hacker force", "infiltrate", "manipulate", "sabotage", "tools", "show", "results nov", "9b", "tao operations", "root9b", "hunt operations", "error mar", "over watch", "overkill", "read c", "memcommit", "high", "checks", "windows", "delete", "execution", "dock", "write", "persistence", "capture", "next", "local", "msie", "windows nt", "wow64", "slcc2", "media center", "suspicious_write_exe", "network_icmp", "antisandbox_restart", "creates_largekey", "infostealer_keylogger", "proess_martian", "injection_resumethread", "allocates_rwx", "targeted intelligence", "js_eval", "network_http", "name servers", "value domain", "domain name", "expiration date", "safe browsing", "unknown ns", "record value", "vercel", "certificate", "domain add", "refresh", "encrypt", "x vercel", "k jun", "mtb jul", "next http", "scans record", "value", "deployment not", "ransom", "trojan", "a domains", "safari", "android", "webkit", "animation", "click", "title", "passive dns", "gmt content", "arial helvetica", "ipv4 add", "status", "search", "emails", "as15169 google", "virtool", "cryp", "as396982", "win32", "error", "code", "domain", "showing", "query", "hostile", "observed dns", "et dns", "et info", "dns query", "malware", "push", "gmt cache", "sameorigin", "files", "url add", "http", "related nids", "files location", "flag united", "as44273 host", "hostname add", "unknown aaaa", "win32upatre dec", "mtb dec", "trojandropper", "hstr", "next associated", "backdoor", "entity", "tempe", "present sep", "hostname", "verdict", "lowfi", "usesscrrun", "ipv4", "element", "password", "developers", "create", "forms web", "group", "make sure", "autocomplete", "currentpassword", "make", "extraction", "data upload", "search otx", "ider data", "asn na", "ag da", "source level", "url text", "general full", "url https", "protocol h2", "security tls", "asn16509", "amazon02", "resource", "hash", "as16509", "us note", "route", "redacted for", "script urls", "japan unknown", "present apr", "present mar", "accept", "cookie", "path", "sectigo https", "encrypt https", "log id", "trustasia https", "amazon", "search criteria", "22965417271", "summary leaf", "timestamp entry", "log operator", "https", "script script", "cname", "present jun", "coup", "files ip", "address", "location united", "asn as16509", "color value", "item tile", "gmt max", "primary text", "text color", "play button", "search bar", "dasher", "flag", "bad traffic", "tls handshake", "failure", "analysis tip", "windir", "openurl c", "ascii text", "ck id", "show technique", "mitre att", "ck matrix", "pattern match", "network traffic", "beginstring", "show process", "null", "span", "general", "strings", "look", "verify", "restart", "dynamicloader", "ee fc", "yara rule", "ff d5", "c1 e0", "f0 ff", "ff ff", "eb e2", "ed b8", "fe ff", "june", "polymorphic", "network cnc", "cnc", "dead connect", "present nov", "france unknown", "generic http", "exe upload", "uploading exe", "intel", "ms windows", "medium", "http traffic", "monitored target", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "learn", "command", "suspicious", "informative", "name tactics", "spawns", "t1480 execution", "file defense", "file discovery", "t1071", "t1057", "segoe ui", "script", "html", "body", "twitter", "formbook cnc", "checkin", "pegasus", "get updates", "p2p zeus", "downloader", "mpress", "win32upatre sep", "win32upatre oct", "win32upatre nov", "india unknown", "r61afin", "common upatre", "write c", "cts exe", "ids detections", "open", "present aug", "singapore", "date", "creation date", "pentest people", "tesla hackers", "vietnam unknown", "viet nam", "company limited", "pulse pulses" ], "references": [ "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022", "dev-app.project-cicada.com \u2022 project-cicada.com", "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com", "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92", "Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.", "api.acumatica.flex.redteam.com", "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]", "CICADA Contextual Inference & Comprehensive Analysis Data Agent", "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png", "https://goo.gl/9p2vKq", "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)", "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name", "Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter", "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake", "IDS Detections Gh0stCringe CnC Activity M2", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st", "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks", "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect", "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls", "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K", "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com" ], "public": 1, "adversary": "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Doc.Downloader.EmotetRed02220-9938909-0", "display_name": "Doc.Downloader.EmotetRed02220-9938909-0", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Cymt", "display_name": "Cymt", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.AA", "display_name": "TrojanDownloader:Win32/Upatre.AA", "target": "/malware/TrojanDownloader:Win32/Upatre.AA" }, { "id": "Win.Trojan.Gh0stRAT-9955419-1", "display_name": "Win.Trojan.Gh0stRAT-9955419-1", "target": null }, { "id": "Win32:MalOb-BX", "display_name": "Win32:MalOb-BX", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "VirTool:Win32/Obfuscator.K", "display_name": "VirTool:Win32/Obfuscator.K", "target": "/malware/VirTool:Win32/Obfuscator.K" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11102, "hostname": 4142, "domain": 4251, "email": 15, "FileHash-SHA256": 3108, "FileHash-MD5": 624, "FileHash-SHA1": 490, "CIDR": 1, "SSLCertFingerprint": 3 }, "indicator_count": 23736, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "96 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68e2bb5d9ee8577ab5519f2c", "name": "Meritshealth with DoD links? ", "description": "", "modified": "2026-01-13T00:05:56.401000", "created": "2025-10-05T18:39:25.286000", "tags": [ "gtmk5nxqc6", "utc amazon", "utc na", "acceptencoding", "gmt contenttype", "connection", "true pragma", "gmt setcookie", "httponly", "gmt vary", "nc000000 up", "html document", "unicode text", "utf8 text", "oc0006 http", "http traffic", "https http", "mitre att", "control ta0011", "protocol t1071", "match info", "t1573 severity", "info", "number", "ja3s", "algorithm", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "cnmicrosoft ecc", "update secure", "server ca", "omicrosoft cus", "get http", "dns resolutions", "registrar", "markmonitor inc", "country", "resolver domain", "type name", "html", "apnic", "apnic whois", "please", "rirs", "cidr", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "development att", "name tactics", "binary file", "ck matrix", "wheelchair", "iamrobert", "pattern match", "ascii text", "href", "united", "general", "local", "path", "encrypt", "click", "passive dns", "urls", "files", "reverse dns", "netherlands", "present aug", "a domains", "moved", "first pqc", "ip address", "unknown ns", "unknown aaaa", "title", "body", "meta", "window", "accept", "body doctype", "welcome", "ok server", "gmt content", "present jul", "present sep", "aaaa", "hostname", "error", "defense evasion", "windows nt", "response", "vary", "strings", "core", "t1027.013 encrypted/encoded", "michelin lazy k", "prefetch8", "flag", "date", "starfield", "hybrid", "mobility cr", "extraction", "data upload", "include", "o url", "url url", "included i0", "review ioc", "excluded ic", "suggested", "find sugi", "failed", "cre pul", "enter", "enter sc", "type", "enric", "extra", "type opaste", "data u", "included", "copy md5", "copy sha1", "copy sha256", "null", "refresh", "tools", "look", "verify", "restart", "t1480 execution", "expiration", "url https", "no expiration", "iocs", "ipv4", "text drag", "drop or", "browse to", "select file", "redacted for", "server", "privacy tech", "privacy admin", "postal code", "stateprovince", "organization", "email", "code", "quantum rooms", "sam somalia", "emp", "porn", "media defense", "gov porn", "suck my nips", "reimer suspect", "jeffrey reimer", "dod", "department of defense", "show", "date checked", "url hostname", "server response", "google safe", "results may", "entries http", "scans record", "value status", "sabey type", "merits fake", "y.a.s.", "pornography", "ramsom" ], "references": [ "https://www.meritshealth.com/ Defense.Gov Mobility Co? ", "zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67", "https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf", "https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf", "https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html", "https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com", "https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/", "https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp", "https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg", "https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)", "https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members", "https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210", "https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex", "https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf", "https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo", "https://meumundogay-com.sexogratis.page/locker", "https://es.pornhat.com/models/the-sex-creator/", "Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA", "Can the DoD no questions asked target a SA victim", "Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.", "There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise", "socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov", "There is fear in silence or speaking out", "Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.", "3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?", "If someone is believed to be a threat they have right to due process.", "Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.", "She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.", "Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.", "Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.", "ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot", "iamrobert.com Y.A.S.", "1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam", "Target agreed and complied with all lie detector measures.", "Is the family allowed to have a funeral for Tsara or print an obituary", "No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.", "I am very upset. Whoever is doing this is sick." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "TA0042", "name": "Resource Development", "display_name": "TA0042 - Resource Development" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1562.008", "name": "Disable Cloud Logs", "display_name": "T1562.008 - Disable Cloud Logs" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1180", "name": "Screensaver", "display_name": "T1180 - Screensaver" } ], "industries": [], "TLP": "white", "cloned_from": "68e2b14d83bb63502feac65e", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1365, "URL": 11172, "hostname": 2780, "FileHash-MD5": 381, "FileHash-SHA256": 4420, "FileHash-SHA1": 338, "CIDR": 4, "SSLCertFingerprint": 24, "CVE": 1, "email": 1 }, "indicator_count": 20486, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "96 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68e2b14d83bb63502feac65e", "name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.", "description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?", "modified": "2026-01-07T00:00:30.717000", "created": "2025-10-05T17:56:29.109000", "tags": [ "gtmk5nxqc6", "utc amazon", "utc na", "acceptencoding", "gmt contenttype", "connection", "true pragma", "gmt setcookie", "httponly", "gmt vary", "nc000000 up", "html document", "unicode text", "utf8 text", "oc0006 http", "http traffic", "https http", "mitre att", "control ta0011", "protocol t1071", "match info", "t1573 severity", "info", "number", "ja3s", "algorithm", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "cnmicrosoft ecc", "update secure", "server ca", "omicrosoft cus", "get http", "dns resolutions", "registrar", "markmonitor inc", "country", "resolver domain", "type name", "html", "apnic", "apnic whois", "please", "rirs", "cidr", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "development att", "name tactics", "binary file", "ck matrix", "wheelchair", "iamrobert", "pattern match", "ascii text", "href", "united", "general", "local", "path", "encrypt", "click", "passive dns", "urls", "files", "reverse dns", "netherlands", "present aug", "a domains", "moved", "first pqc", "ip address", "unknown ns", "unknown aaaa", "title", "body", "meta", "window", "accept", "body doctype", "welcome", "ok server", "gmt content", "present jul", "present sep", "aaaa", "hostname", "error", "defense evasion", "windows nt", "response", "vary", "strings", "core", "t1027.013 encrypted/encoded", "michelin lazy k", "prefetch8", "flag", "date", "starfield", "hybrid", "mobility cr", "extraction", "data upload", "include", "o url", "url url", "included i0", "review ioc", "excluded ic", "suggested", "find sugi", "failed", "cre pul", "enter", "enter sc", "type", "enric", "extra", "type opaste", "data u", "included", "copy md5", "copy sha1", "copy sha256", "null", "refresh", "tools", "look", "verify", "restart", "t1480 execution", "expiration", "url https", "no expiration", "iocs", "ipv4", "text drag", "drop or", "browse to", "select file", "redacted for", "server", "privacy tech", "privacy admin", "postal code", "stateprovince", "organization", "email", "code", "quantum rooms", "sam somalia", "emp", "porn", "media defense", "gov porn", "suck my nips", "reimer suspect", "jeffrey reimer", "dod", "department of defense", "show", "date checked", "url hostname", "server response", "google safe", "results may", "entries http", "scans record", "value status", "sabey type", "merits fake", "y.a.s.", "pornography", "ramsom" ], "references": [ "https://www.meritshealth.com/ Defense.Gov Mobility Co? ", "zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67", "https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf", "https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf", "https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html", "https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com", "https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/", "https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp", "https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg", "https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)", "https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members", "https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210", "https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex", "https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf", "https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo", "https://meumundogay-com.sexogratis.page/locker", "https://es.pornhat.com/models/the-sex-creator/", "Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA", "Can the DoD no questions asked target a SA victim", "Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.", "There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise", "socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov", "There is fear in silence or speaking out", "Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.", "3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?", "If someone is believed to be a threat they have right to due process.", "Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.", "She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.", "Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.", "Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.", "ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot", "iamrobert.com Y.A.S.", "1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam", "Target agreed and complied with all lie detector measures.", "Is the family allowed to have a funeral for Tsara or print an obituary", "No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.", "I am very upset. Whoever is doing this is sick." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "TA0042", "name": "Resource Development", "display_name": "TA0042 - Resource Development" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1562.008", "name": "Disable Cloud Logs", "display_name": "T1562.008 - Disable Cloud Logs" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1180", "name": "Screensaver", "display_name": "T1180 - Screensaver" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1328, "URL": 9931, "hostname": 2621, "FileHash-MD5": 381, "FileHash-SHA256": 4360, "FileHash-SHA1": 338, "CIDR": 4, "SSLCertFingerprint": 24, "CVE": 1, "email": 1 }, "indicator_count": 18989, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "102 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692a86b454eea18b993a2078", "name": "DC RAT Injection | Endgame Systems | Lazarus Group related", "description": "Monitoring. MITRE ATT&CK (T1057) Monitored target/s. DNS requests. Property discovery \n\nRelated to Lazarus Groups expansion", "modified": "2025-12-29T03:02:56.986000", "created": "2025-11-29T05:37:56.021000", "tags": [ "ukraine", "win32", "dynamicloader", "ssl cert", "write c", "asyncrat", "various rat", "dcrat", "write", "guard", "malware", "all ipv4", "ukraine asn", "dns resolutions", "domains top", "level", "read c", "memcommit", "user execution", "delete", "msie", "windows nt", "dock", "execution", "masking", "yara rule", "high", "windows", "msvisualcpp60", "process", "intel", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "access att", "t1566 phishing", "flag", "ukraine ukraine", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "dynu", "mitre att", "ck matrix", "ascii text", "pattern match", "network traffic", "t1071", "t1057", "general", "local", "path", "beginstring", "segoe ui", "null", "refresh", "body", "click", "strings", "error", "tools", "title", "look", "verify", "restart" ], "references": [ "https://hybrid-analysis.com/sample/64e591d43f920a5194806bba9da40e0344db5333cd773da4df4f27259222529d/692a7e373e637b291e0a0957", "Statutory Masking Enabled - a domain registrar is hiding the public contact information for a domains", "registrant in its WHOIS record, often due to regulations like GDPR or ICANN policies.", "MITRE ATT&CK (T1057) Monitoring Target/s. Can be reviewed in Hybrid-Analysis sample." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/AmsiTamper.B", "display_name": "ALF:HeraklezEval:Trojan:Win32/AmsiTamper.B", "target": null }, { "id": "Win.Trojan.DcRat-10039889-0", "display_name": "Win.Trojan.DcRat-10039889-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "TA0039", "name": "Remote Service Effects", "display_name": "TA0039 - Remote Service Effects" }, { "id": "TA0038", "name": "Network Effects", "display_name": "TA0038 - Network Effects" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 482, "URL": 819, "FileHash-SHA256": 274, "domain": 102, "email": 1, "FileHash-MD5": 73, "FileHash-SHA1": 65, "SSLCertFingerprint": 1 }, "indicator_count": 1817, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "111 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eea19a23474b8c7dca351f", "name": "All Items - find from the UA archive disk", "description": "Again have zero idea 'what these are' - just uploading from the 'archives' as I sort through things", "modified": "2025-12-24T08:28:47.628000", "created": "2024-03-11T06:15:54.351000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1165, "hostname": 866, "URL": 657, "FileHash-SHA256": 26, "email": 337, "FileHash-MD5": 12, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 3072, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "116 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://pmang.window.open", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://pmang.window.open", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776638883.673952 }