{ "type": "URL", "indicator": "https://protect.mobitools.net/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://protect.mobitools.net/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4074766463, "indicator": "https://protect.mobitools.net/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 13, "pulses": [ { "id": "693148dc0eb85adc8edfe1a2", "name": "BeeLineRouter.Net \u2022 Isolated / Apple Baxkdoor", "description": "", "modified": "2026-01-03T07:00:45.529000", "created": "2025-12-04T08:39:56.180000", "tags": [ "mitre att", "network traffic", "ck id", "show technique", "ck matrix", "threat score", "december", "default browser", "guest system", "united", "dynadot inc", "name server", "contacted hosts", "process details", "windir", "openurl c", "prefetch2", "learn", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "access att", "t1566 phishing", "ascii text", "pattern match", "show process", "t1071", "general", "local", "path", "click", "beelinerouter", "access", "router", "apple", "regopenkeyexw", "regsz", "process32nextw", "english", "post http", "search", "observed dns", "query", "sinkhole cookie", "malware", "possible", "win32", "updater", "write", "next", "found", "ip address", "domain", "name servers", "unknown ns", "ip whois", "registrar", "cloudflare", "title", "passive dns", "urls", "files", "location united", "asn as14618", "bq dec", "virtool", "backdoor", "checkin", "ipv4 add", "trojan", "dynamicloader", "msie", "windows nt", "slcc2", "media center", "unknown", "show", "internal", "encrypt", "veailmboprd", "dns query", "wow64", "gecko http", "entries", "medium", "ransom", "khtml", "gecko", "delete", "installer", "win32cve may", "america flag", "overview ip", "asn as20940", "expiration", "url https", "no expiration", "url http", "pulse show", "type indicator", "role title", "related pulses", "record value", "domain xn" ], "references": [ "HTTPS://BeeLineRouter.Net", "eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com", "https://appleid.xn--appe-70a.com/", "https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://vgt.pl/r.n%20-", "8-25-220-162-static.reverse.queryfoundry.net", "queryfoundry.net", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://117-114-251-162-static.reverse.queryfoundry.net/", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://68-178-128-104-static.reverse.queryfoundry.net/", "0-209-98-172-static.reverse.queryfoundry.net", "154-143-182-107-static.reverse.queryfoundry.net", "http://51-235-245-104-static.reverse.queryfoundry.net/", "167-16-68-38-static.reverse.queryfoundry.net", "http://49-116-251-162-static.reverse.queryfoundry./net/", "177-231-69-38-static.reverse.queryfoundry.net", "http://36-243-60-103-static.reverse.queryfoundry.net/", "http://237-189-251-104-static.reverse.queryfoundry.net/", "http://227-98-248-162-static.reverse.queryfoundry.net/", "237-189-251-104-static.reverse.queryfoundry.net", "http://207-214-98-172-static.reverse.queryfoundry.net/", "181-135-182-107-static.reverse.queryfoundry.net", "http://201-191-251-104-static.reverse.queryfoundry.net/", "67-228-69-38-static.reverse.queryfoundry.net", "http://0-209-98-172-static.reverse.queryfoundry.net/", "http://10-241-60-103-static.reverse.queryfoundry.net/", "http://142-232-245-104-static.reverse.queryfoundry.net/", "http://154-143-182-107-static.reverse.queryfoundry.net/", "http://167-16-68-38-static.reverse.queryfoundry.net/", "http://177-231-69-38-static.reverse.queryfoundry.net/", "http://181-135-182-107-static.reverse.queryfoundry.net/", "http://195-214-98-172-static.reverse.queryfoundry.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "GandCrab Ransomware", "display_name": "GandCrab Ransomware", "target": null }, { "id": "Win.Virus.Expiro", "display_name": "Win.Virus.Expiro", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1049, "URL": 5839, "hostname": 1944, "FileHash-SHA256": 3634, "FileHash-MD5": 310, "FileHash-SHA1": 295, "CVE": 2, "email": 15, "SSLCertFingerprint": 2 }, "indicator_count": 13090, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "106 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69314920e287845f6b36a265", "name": "BeeLineRouter.Net \u2022 Apple Access", "description": "", "modified": "2026-01-03T07:00:45.529000", "created": "2025-12-04T08:41:04.190000", "tags": [ "mitre att", "network traffic", "ck id", "show technique", "ck matrix", "threat score", "december", "default browser", "guest system", "united", "dynadot inc", "name server", "contacted hosts", "process details", "windir", "openurl c", "prefetch2", "learn", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "access att", "t1566 phishing", "ascii text", "pattern match", "show process", "t1071", "general", "local", "path", "click", "beelinerouter", "access", "router", "apple", "regopenkeyexw", "regsz", "process32nextw", "english", "post http", "search", "observed dns", "query", "sinkhole cookie", "malware", "possible", "win32", "updater", "write", "next", "found", "ip address", "domain", "name servers", "unknown ns", "ip whois", "registrar", "cloudflare", "title", "passive dns", "urls", "files", "location united", "asn as14618", "bq dec", "virtool", "backdoor", "checkin", "ipv4 add", "trojan", "dynamicloader", "msie", "windows nt", "slcc2", "media center", "unknown", "show", "internal", "encrypt", "veailmboprd", "dns query", "wow64", "gecko http", "entries", "medium", "ransom", "khtml", "gecko", "delete", "installer", "win32cve may", "america flag", "overview ip", "asn as20940", "expiration", "url https", "no expiration", "url http", "pulse show", "type indicator", "role title", "related pulses", "record value", "domain xn" ], "references": [ "HTTPS://BeeLineRouter.Net", "eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com", "https://appleid.xn--appe-70a.com/", "https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://vgt.pl/r.n%20-", "8-25-220-162-static.reverse.queryfoundry.net", "queryfoundry.net", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://117-114-251-162-static.reverse.queryfoundry.net/", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://68-178-128-104-static.reverse.queryfoundry.net/", "0-209-98-172-static.reverse.queryfoundry.net", "154-143-182-107-static.reverse.queryfoundry.net", "http://51-235-245-104-static.reverse.queryfoundry.net/", "167-16-68-38-static.reverse.queryfoundry.net", "http://49-116-251-162-static.reverse.queryfoundry./net/", "177-231-69-38-static.reverse.queryfoundry.net", "http://36-243-60-103-static.reverse.queryfoundry.net/", "http://237-189-251-104-static.reverse.queryfoundry.net/", "http://227-98-248-162-static.reverse.queryfoundry.net/", "237-189-251-104-static.reverse.queryfoundry.net", "http://207-214-98-172-static.reverse.queryfoundry.net/", "181-135-182-107-static.reverse.queryfoundry.net", "http://201-191-251-104-static.reverse.queryfoundry.net/", "67-228-69-38-static.reverse.queryfoundry.net", "http://0-209-98-172-static.reverse.queryfoundry.net/", "http://10-241-60-103-static.reverse.queryfoundry.net/", "http://142-232-245-104-static.reverse.queryfoundry.net/", "http://154-143-182-107-static.reverse.queryfoundry.net/", "http://167-16-68-38-static.reverse.queryfoundry.net/", "http://177-231-69-38-static.reverse.queryfoundry.net/", "http://181-135-182-107-static.reverse.queryfoundry.net/", "http://195-214-98-172-static.reverse.queryfoundry.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "GandCrab Ransomware", "display_name": "GandCrab Ransomware", "target": null }, { "id": "Win.Virus.Expiro", "display_name": "Win.Virus.Expiro", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 310, "FileHash-SHA1": 295, "FileHash-SHA256": 3634, "URL": 5839, "CVE": 2, "domain": 1048, "email": 15, "hostname": 1944, "SSLCertFingerprint": 2 }, "indicator_count": 13089, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "106 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69314926519256e3ef0a9358", "name": "BeeLineRouter.Net \u2022 Apple Access", "description": "", "modified": "2026-01-03T07:00:45.529000", "created": "2025-12-04T08:41:06.657000", "tags": [ "mitre att", "network traffic", "ck id", "show technique", "ck matrix", "threat score", "december", "default browser", "guest system", "united", "dynadot inc", "name server", "contacted hosts", "process details", "windir", "openurl c", "prefetch2", "learn", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "access att", "t1566 phishing", "ascii text", "pattern match", "show process", "t1071", "general", "local", "path", "click", "beelinerouter", "access", "router", "apple", "regopenkeyexw", "regsz", "process32nextw", "english", "post http", "search", "observed dns", "query", "sinkhole cookie", "malware", "possible", "win32", "updater", "write", "next", "found", "ip address", "domain", "name servers", "unknown ns", "ip whois", "registrar", "cloudflare", "title", "passive dns", "urls", "files", "location united", "asn as14618", "bq dec", "virtool", "backdoor", "checkin", "ipv4 add", "trojan", "dynamicloader", "msie", "windows nt", "slcc2", "media center", "unknown", "show", "internal", "encrypt", "veailmboprd", "dns query", "wow64", "gecko http", "entries", "medium", "ransom", "khtml", "gecko", "delete", "installer", "win32cve may", "america flag", "overview ip", "asn as20940", "expiration", "url https", "no expiration", "url http", "pulse show", "type indicator", "role title", "related pulses", "record value", "domain xn" ], "references": [ "HTTPS://BeeLineRouter.Net", "eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com", "https://appleid.xn--appe-70a.com/", "https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://vgt.pl/r.n%20-", "8-25-220-162-static.reverse.queryfoundry.net", "queryfoundry.net", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://117-114-251-162-static.reverse.queryfoundry.net/", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://68-178-128-104-static.reverse.queryfoundry.net/", "0-209-98-172-static.reverse.queryfoundry.net", "154-143-182-107-static.reverse.queryfoundry.net", "http://51-235-245-104-static.reverse.queryfoundry.net/", "167-16-68-38-static.reverse.queryfoundry.net", "http://49-116-251-162-static.reverse.queryfoundry./net/", "177-231-69-38-static.reverse.queryfoundry.net", "http://36-243-60-103-static.reverse.queryfoundry.net/", "http://237-189-251-104-static.reverse.queryfoundry.net/", "http://227-98-248-162-static.reverse.queryfoundry.net/", "237-189-251-104-static.reverse.queryfoundry.net", "http://207-214-98-172-static.reverse.queryfoundry.net/", "181-135-182-107-static.reverse.queryfoundry.net", "http://201-191-251-104-static.reverse.queryfoundry.net/", "67-228-69-38-static.reverse.queryfoundry.net", "http://0-209-98-172-static.reverse.queryfoundry.net/", "http://10-241-60-103-static.reverse.queryfoundry.net/", "http://142-232-245-104-static.reverse.queryfoundry.net/", "http://154-143-182-107-static.reverse.queryfoundry.net/", "http://167-16-68-38-static.reverse.queryfoundry.net/", "http://177-231-69-38-static.reverse.queryfoundry.net/", "http://181-135-182-107-static.reverse.queryfoundry.net/", "http://195-214-98-172-static.reverse.queryfoundry.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "GandCrab Ransomware", "display_name": "GandCrab Ransomware", "target": null }, { "id": "Win.Virus.Expiro", "display_name": "Win.Virus.Expiro", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 310, "FileHash-SHA1": 295, "FileHash-SHA256": 3634, "URL": 5839, "CVE": 2, "domain": 1048, "email": 15, "hostname": 1944, "SSLCertFingerprint": 2 }, "indicator_count": 13089, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "106 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6928f8d9e4222a6a219d785e", "name": "ClipBanker Spy & Information stealer | Crazy Frost | MaaS | Chrome & Cloudflare attacks", "description": "It appears that entity CrazyFrost provides MasS among other things that include major smear campaigns.| Likely quasi government , and Law Firm contractors.. Domestic terrorizing isn\u2019t a stretch.\nClipBanker: A form of banking trojan information stealer and spy that specifically monitors and steals information, likely by modifying the clipboard contents to redirect financial transactions (e.g., changing a copied bank account number to the attacker's).\n\n[OTX populated - HOSTNAME: CloudFlare.com.., a company owned by the US government, has been added to Pulse, an anti-virus database. (Pulses) created by users.]", "modified": "2025-12-28T00:04:06.179000", "created": "2025-11-28T01:20:25.401000", "tags": [ "dynamicloader", "json", "ascii text", "high", "data", "x90uxa4xf8", "cape", "stream", "guard", "write", "trojan", "redline", "malware", "push", "local", "injection_inter_process", "recon_fingerprint", "persistence_ads", "process_creation_suspicious_location", "infostealer_browser", "infostealer_cookies", "stealth_file", "cape_detected_threat", "antivm_generic_bios", "cape_extracted_content", "united", "mtb jul", "a domains", "aaaa", "443 ma86400", "servers", "win32upatre jul", "virtool", "b778b1", "div div", "d9e4f4", "edf2f8", "present mar", "fastest privacy", "first dns", "win32", "trojandropper", "passive dns", "mtb nov", "ipv4 add", "asn as13335", "dns resolutions", "domain", "data upload", "extraction", "yara", "troja yara", "trojar data", "virto", "worn data", "included iocs", "manually add", "resolved ips", "ta0002", "evasion ta0005", "tr shared", "modules", "files", "infor", "t1027", "process t1057", "community score", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "name server", "date", "cloudflare", "data protected", "misc activity", "et info", "dns requests", "domain address", "gmt flag", "techtarget", "server", "et policy", "prefetch2", "t1179 hooking", "access windows", "installs", "mitre att", "ck techniques", "click", "windir", "country", "contacted hosts", "ip address", "process details", "contacted", "http traffic", "suricata alerts", "event category", "found" ], "references": [ "Malware : ClipBanker Entity: Crazy Frost", "www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Services : GoogleChromeElevationService = Delete", "Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap", "Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap", "Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap", "Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj", "Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap", "Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake", "Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", "CS IDS: Matches rule (http_inspect) invalid status line", "CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.", "jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube/" ], "public": 1, "adversary": "Crazy Frost", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Trojan.Disfa/downloader10", "display_name": "Trojan.Disfa/downloader10", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "Rozena", "display_name": "Rozena", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 295, "FileHash-SHA1": 217, "FileHash-SHA256": 1887, "URL": 3263, "domain": 597, "hostname": 1085, "email": 2, "CVE": 1 }, "indicator_count": 7347, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "112 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68cb233ba91aa1eb958b3f31", "name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022 OneLouder", "description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea", "modified": "2025-10-17T19:03:15.031000", "created": "2025-09-17T21:08:11.518000", "tags": [ "script urls", "meta", "moved", "x tec", "passive dns", "encrypt", "america flag", "san francisco", "extraction", "data upload", "type indicatod", "united states", "a domains", "united", "gmt server", "jose", "university", "bill", "rmhs", "information", "board", "lorin", "joseph", "all veterans", "rocky mountain", "mission", "vice", "april", "school", "austin", "prior", "ipv4 add", "urls", "files", "location united", "wordpress", "rmhs meta", "tags viewport", "rmhs og", "rmhs article", "wpbakery page", "builder", "slider plugin", "google tag", "mountain human", "denver", "connecting", "denver start", "relevance home", "providers", "contact us", "rmhs main", "server", "redacted tech", "redacted admin", "registrar abuse", "algorithm", "key identifier", "x509v3 subject", "dnssec", "country", "ttl value", "graph summary", "resolved ips", "ip address", "port", "data", "screenshots no", "involved direct", "country name", "name response", "tcp connections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "found", "spawns", "t1590 gather", "path", "ascii text", "exif standard", "tiff image", "format", "stop", "false", "soldier", "model", "youth", "baby", "june", "general", "local", "click", "strings", "core", "warrior", "green", "emotion", "flash", "nina", "hunk", "fono", "daam", "mitre att", "ck techniques", "id name", "malicious", "windows nt", "win64", "khtml", "gecko", "brand", "microsoft edge", "show process", "self", "date", "comspec", "hybrid", "form", "log id", "gmtn", "tls web", "b2 f6", "b0n timestamp", "f9401a", "record value", "x wix", "certificate", "domain add", "pulse submit", "body", "domain related", "blackbox", "apple", "helix", "dvrdns", "tracking", "remote access", "ios", "spyware", "hoax", "dynamicloader", "ptls6", "medium", "flashpix", "high", "ygjpavclsline", "officespace", "chartshared", "powershell", "write", "malware", "ygjpaulscontext", "status", "japan unknown", "domain", "pulses", "search", "accept", "apt10", "trojanspy", "win32", "entries", "susp", "backdoor", "useragent", "showing", "virtool", "twitter", "mozilla", "trojandropper", "trojan", "title", "onelouder", "yara det", "maware samoe", "genaco x", "ids detec", "ids terse", "win3 data", "include review", "exclude sugges", "targeting", "show", "copy", "reads", "dynamic", "vendor finding", "notes clamav", "files matching", "number", "sample analysis", "hide samples", "date hash", "next yara" ], "references": [ "rmhumanservices.org", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt", "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt", "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/", "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound", "https://www.mlkfoundation.net/ (Foundry DGA)", "remotewd.com x 34 devices", "South Africa based: remote.advisoroffice.com", "acc.lehigtapp.com - malware", "http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )", "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022", "Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/", "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting", "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net", "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2", "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)", "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname", "1.organization.api.powerplatform.partner.microsoftonline.cn", "chinaeast2.admin.api.powerautomate.cn", "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/", "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A", "ssa-gov.authorizeddns", "hmmm\u2026http://palander.stjernstrom.se/", "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU" ], "public": 1, "adversary": "APT 10", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "APT 10", "display_name": "APT 10", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "KoobFace", "display_name": "KoobFace", "target": null }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "Nivdort Checkin", "display_name": "Nivdort Checkin", "target": null }, { "id": "Win.Malware.Installcore-6950365-0", "display_name": "Win.Malware.Installcore-6950365-0", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Golfing", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 690, "hostname": 1912, "URL": 5925, "FileHash-SHA1": 273, "email": 8, "FileHash-SHA256": 3618, "CIDR": 3, "FileHash-MD5": 254, "SSLCertFingerprint": 19, "CVE": 2 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684a93360163e8802e213158", "name": "ELF:Mirai AMAZON-02 - Autonomous System 65.0.0.0/14", "description": "ELF:Mirai-BHZ\\ [Trj]\t\n65.0.0.0/14\nAutonomous System Number\n16509\nAutonomous System Label\nAMAZON-02\nRelated to \u2022 103.252.236.26 | \n\u2022 sr2.reliedhosting.com | \n.\u2022 http://planitair.com/ |\n\u2022 bgptools-wildcard-confirmed.acemalibu.com | \n\u2022 https://www.anyxxxtube.net/search-porn/tsara-brashears/ | \t\t\t\n\u2022 static.ads-twitter.com\t\n\u2022 https://twitter.com/PORNO_SEXYBABES\t\n\u2022 analytics.twitter.com\n\u2022 appleupdate.org\n\u2022 apps.apple.com\n\u2022 pin.it |\n\u2022 https://pin.it/ |\n\u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian Critical issue. Cyber weaponry [Unclear] Stealth contractual US cyber defense entity, endless DGA\u2019s. India IP block.\nAdversary named by bupyeongop:\n\ubd80\ud3c9\uc624\ud53c \ucd9c\uc7a5\ub9c8\uc0ac\uc9c0\uc548\ub0b4.COM \ubd80\ud3c9OP (massage service?)\n*DoS with many OTX features", "modified": "2025-07-12T07:04:05.635000", "created": "2025-06-12T08:43:34.719000", "tags": [ "thumbprint", "apnic", "apnic whois", "database", "please", "arin whois", "north america", "caribbean", "africa", "internet", "iana", "address range", "cidr", "network name", "allocation type", "whois server", "algorithm", "v3 serial", "number", "cbe oglobalsign", "r6 alphassl", "validity", "subject public", "key info", "key algorithm", "key identifier", "link", "search", "united", "a domains", "ip address", "creation date", "record value", "date", "showing", "india unknown", "status", "passive dns", "ipv4 add", "pulse submit", "url analysis", "urls", "files", "location india", "india asn", "as133296 web", "dns resolutions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "APNIC", "display_name": "APNIC", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 27, "domain": 2499, "hostname": 2651, "URL": 10986, "CIDR": 2, "FileHash-SHA256": 3596, "email": 1, "FileHash-MD5": 23, "CVE": 7 }, "indicator_count": 19792, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "281 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68468500f573317422968c7c", "name": "Crowdsourced research | IP 192.229.221.95", "description": "Crowdsourced research. \t\nLegitimately contracted for all forms of surveillance & other unspeakable jobs against crime victims.\nThis is as dangerous as it gets. The targets are sometimes individuals with absolutely no means of escape, I am speaking for crime victims, investigative journalists, insiders, informants, etc. This is outrageous. The highest level of threat as this is a global operation, primarily in the US with endless resources. No exaggerations. The warfare could , has and has been attempted to result in loss of life. There is quite a bit of information available regarding this merciless, meritless attacks. OTX isn\u2019t allowing full permissions. \n| 1003.v.vgt.pl |\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | \nfoundry2-lbl.dvr.dn2.n-helix.com | \n192.229.221.95 | \ndns0.org | cdnfastly.net", "modified": "2025-07-09T05:00:24.293000", "created": "2025-06-09T06:53:52.404000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 284, "FileHash-SHA1": 285, "FileHash-SHA256": 3666, "domain": 511, "hostname": 845, "URL": 3282, "CVE": 2, "email": 1 }, "indicator_count": 8876, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68468501eb091ae414509121", "name": "Crowdsourced research | IP 192.229.221.95", "description": "Crowdsourced research. \t\nLegitimately contracted for all forms of surveillance & other unspeakable jobs against crime victims.\nThis is as dangerous as it gets. The targets are sometimes individuals with absolutely no means of escape, I am speaking for crime victims, investigative journalists, insiders, informants, etc. This is outrageous. The highest level of threat as this is a global operation, primarily in the US with endless resources. No exaggerations. The warfare could , has and has been attempted to result in loss of life. There is quite a bit of information available regarding this merciless, meritless attacks. OTX isn\u2019t allowing full permissions. \n| 1003.v.vgt.pl |\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | \nfoundry2-lbl.dvr.dn2.n-helix.com | \n192.229.221.95 | \ndns0.org | cdnfastly.net", "modified": "2025-07-09T05:00:24.293000", "created": "2025-06-09T06:53:53.417000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 284, "FileHash-SHA1": 285, "FileHash-SHA256": 3666, "domain": 511, "hostname": 845, "URL": 3282, "CVE": 2, "email": 1 }, "indicator_count": 8876, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68468505ee31db44fe063e82", "name": "Crowdsourced research | IP 192.229.221.95", "description": "Crowdsourced research. \t\nLegitimately contracted for all forms of surveillance & other unspeakable jobs against crime victims.\nThis is as dangerous as it gets. The targets are sometimes individuals with absolutely no means of escape, I am speaking for crime victims, investigative journalists, insiders, informants, etc. This is outrageous. The highest level of threat as this is a global operation, primarily in the US with endless resources. No exaggerations. The warfare could , has and has been attempted to result in loss of life. There is quite a bit of information available regarding this merciless, meritless attacks. OTX isn\u2019t allowing full permissions. \n| 1003.v.vgt.pl |\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | \nfoundry2-lbl.dvr.dn2.n-helix.com | \n192.229.221.95 | \ndns0.org | cdnfastly.net", "modified": "2025-07-09T05:00:24.293000", "created": "2025-06-09T06:53:57.123000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 284, "FileHash-SHA1": 285, "FileHash-SHA256": 3666, "domain": 511, "hostname": 845, "URL": 3282, "CVE": 2, "email": 1 }, "indicator_count": 8876, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6846850783baea1a6beb7e71", "name": "Crowdsourced research | IP 192.229.221.95", "description": "Crowdsourced research. \t\nLegitimately contracted for all forms of surveillance & other unspeakable jobs against crime victims.\nThis is as dangerous as it gets. The targets are sometimes individuals with absolutely no means of escape, I am speaking for crime victims, investigative journalists, insiders, informants, etc. This is outrageous. The highest level of threat as this is a global operation, primarily in the US with endless resources. No exaggerations. The warfare could , has and has been attempted to result in loss of life. There is quite a bit of information available regarding this merciless, meritless attacks. I won\u2019t be surprised if OTX cannot pull the threat. My account isn\u2019t allowing me full permissions. \n\n| 1003.v.vgt.pl |\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | \nfoundry2-lbl.dvr.dn2.n-helix.com | \n192.229.221.95 | \ndns0.org | cdnfastly.net", "modified": "2025-07-09T05:00:24.293000", "created": "2025-06-09T06:53:59.933000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 284, "FileHash-SHA1": 285, "FileHash-SHA256": 3666, "domain": 511, "hostname": 845, "URL": 3282, "CVE": 2, "email": 1 }, "indicator_count": 8876, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68468511340fb7ba8eeb7aae", "name": "Crowdsourced research | IP 192.229.221.95", "description": "Crowdsourced research. \t\nLegitimately contracted for all forms of surveillance & other unspeakable jobs against crime victims.\nThis is as dangerous as it gets. The targets are sometimes individuals with absolutely no means of escape, I am speaking for crime victims, investigative journalists, insiders, informants, etc. This is outrageous. The highest level of threat as this is a global operation, primarily in the US with endless resources. No exaggerations. The warfare could , has and has been attempted to result in loss of life. There is quite a bit of information available regarding this merciless, meritless attacks. OTX isn\u2019t allowing full permissions. \n| 1003.v.vgt.pl |\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | \nfoundry2-lbl.dvr.dn2.n-helix.com | \n192.229.221.95 | \ndns0.org | cdnfastly.net", "modified": "2025-07-09T05:00:24.293000", "created": "2025-06-09T06:54:09.116000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 284, "FileHash-SHA1": 285, "FileHash-SHA256": 3666, "domain": 511, "hostname": 845, "URL": 3282, "CVE": 2, "email": 1 }, "indicator_count": 8876, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6846860a0c5ff214f345717c", "name": "Crowdsourced research | IP 192.229.221.95", "description": "Crowdsourced research. \t\nLegitimately contracted for all forms of surveillance & other unspeakable jobs against crime victims.\nThis is as dangerous as it gets. The targets are sometimes individuals with absolutely no means of escape, I am speaking for crime victims, investigative journalists, insiders, informants, etc. This is outrageous. The highest level of threat as this is a global operation, primarily in the US with endless resources. No exaggerations. The warfare could , has and has been attempted to result in loss of life. There is quite a bit of information available regarding this merciless, meritless attacks. OTX isn\u2019t allowing full permissions. \n| 1003.v.vgt.pl |\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | \nfoundry2-lbl.dvr.dn2.n-helix.com | \n192.229.221.95 | \ndns0.org | cdnfastly.net", "modified": "2025-07-09T05:00:24.293000", "created": "2025-06-09T06:58:17.902000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 284, "FileHash-SHA1": 285, "FileHash-SHA256": 3666, "domain": 511, "hostname": 845, "URL": 3282, "CVE": 2, "email": 1 }, "indicator_count": 8876, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6846860ee9b4faefae8d4cf9", "name": "Crowdsourced research | IP 192.229.221.95", "description": "Crowdsourced research. \t\nLegitimately contracted for all forms of surveillance & other unspeakable jobs against crime victims.\nThis is as dangerous as it gets. The targets are sometimes individuals with absolutely no means of escape, I am speaking for crime victims, investigative journalists, insiders, informants, etc. This is outrageous. The highest level of threat as this is a global operation, primarily in the US with endless resources. No exaggerations. The warfare could , has and has been attempted to result in loss of life. There is quite a bit of information available regarding this merciless, meritless attacks. OTX isn\u2019t allowing full permissions. \n| 1003.v.vgt.pl |\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | \nfoundry2-lbl.dvr.dn2.n-helix.com | \n192.229.221.95 | \ndns0.org | cdnfastly.net", "modified": "2025-07-09T05:00:24.293000", "created": "2025-06-09T06:58:22.091000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 284, "FileHash-SHA1": 285, "FileHash-SHA256": 3666, "domain": 511, "hostname": 845, "URL": 3282, "CVE": 2, "email": 1 }, "indicator_count": 8876, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://117-114-251-162-static.reverse.queryfoundry.net/", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/", "https://www.sweetheartvideo.com/tsara-brashears", "http://237-189-251-104-static.reverse.queryfoundry.net/", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://49-116-251-162-static.reverse.queryfoundry./net/", "http://10-241-60-103-static.reverse.queryfoundry.net/", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe", "rmhumanservices.org", "remotewd.com x 34 devices", "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "ssa-gov.authorizeddns", "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "http://201-191-251-104-static.reverse.queryfoundry.net/", "http://167-16-68-38-static.reverse.queryfoundry.net/", "Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A", "queryfoundry.net", "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt", "hmmm\u2026http://palander.stjernstrom.se/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "237-189-251-104-static.reverse.queryfoundry.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube", "8-25-220-162-static.reverse.queryfoundry.net", "1.organization.api.powerplatform.partner.microsoftonline.cn", "Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap", "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "https://appleid.xn--appe-70a.com/", "http://227-98-248-162-static.reverse.queryfoundry.net/", "http://195-214-98-172-static.reverse.queryfoundry.net/", "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound", "Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap", "chinaeast2.admin.api.powerautomate.cn", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "http://154-143-182-107-static.reverse.queryfoundry.net/", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069", "Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake", "acc.lehigtapp.com - malware", "http://207-214-98-172-static.reverse.queryfoundry.net/", "http://51-235-245-104-static.reverse.queryfoundry.net/", "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022", "http://181-135-182-107-static.reverse.queryfoundry.net/", "https://www.mlkfoundation.net/ (Foundry DGA)", "Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj", "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)", "HTTPS://BeeLineRouter.Net", "http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )", "http://142-232-245-104-static.reverse.queryfoundry.net/", "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU", "http://www.anyxxxtube/", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net", "CS IDS: Matches rule (http_inspect) invalid status line", "154-143-182-107-static.reverse.queryfoundry.net", "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com", "South Africa based: remote.advisoroffice.com", "http://177-231-69-38-static.reverse.queryfoundry.net/", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt", "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe", "Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap", "0-209-98-172-static.reverse.queryfoundry.net", "jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8", "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname", "eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com", "181-135-182-107-static.reverse.queryfoundry.net", "Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap", "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/", "http://81-26-68-38-static.reverse.queryfoundry.net/", "Malware : ClipBanker Entity: Crazy Frost", "http://68-178-128-104-static.reverse.queryfoundry.net/", "Services : GoogleChromeElevationService = Delete", "www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost", "http://0-209-98-172-static.reverse.queryfoundry.net/", "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2", "http://vgt.pl/r.n%20-", "67-228-69-38-static.reverse.queryfoundry.net", "CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.", "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting", "167-16-68-38-static.reverse.queryfoundry.net", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player", "http://36-243-60-103-static.reverse.queryfoundry.net/", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt", "177-231-69-38-static.reverse.queryfoundry.net" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Crazy Frost", "APT 10" ], "malware_families": [ "Alf:heraklezeval:trojan:win32/clipbanker", "Sality", "Gandcrab ransomware", "Andromeda", "Other malware", "Simda", "Bayrob", "#virtool:win32/obfuscator.adb", "Onelouder", "Trojan:win32/zusy", "Rozena", "Nivdort checkin", "Apt 10", "Mydoom", "Win.virus.expiro", "Apnic", "Win.malware.installcore-6950365-0", "Koobface", "Trojan.disfa/downloader10" ], "industries": [ "Golfing", "Government", "Healthcare" ], "unique_indicators": 58302 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/mobitools.net", "whois": "http://whois.domaintools.com/mobitools.net", "domain": "mobitools.net", "hostname": "protect.mobitools.net" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 13, "pulses": [ { "id": "693148dc0eb85adc8edfe1a2", "name": "BeeLineRouter.Net \u2022 Isolated / Apple Baxkdoor", "description": "", "modified": "2026-01-03T07:00:45.529000", "created": "2025-12-04T08:39:56.180000", "tags": [ "mitre att", "network traffic", "ck id", "show technique", "ck matrix", "threat score", "december", "default browser", "guest system", "united", "dynadot inc", "name server", "contacted hosts", "process details", "windir", "openurl c", "prefetch2", "learn", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "access att", "t1566 phishing", "ascii text", "pattern match", "show process", "t1071", "general", "local", "path", "click", "beelinerouter", "access", "router", "apple", "regopenkeyexw", "regsz", "process32nextw", "english", "post http", "search", "observed dns", "query", "sinkhole cookie", "malware", "possible", "win32", "updater", "write", "next", "found", "ip address", "domain", "name servers", "unknown ns", "ip whois", "registrar", "cloudflare", "title", "passive dns", "urls", "files", "location united", "asn as14618", "bq dec", "virtool", "backdoor", "checkin", "ipv4 add", "trojan", "dynamicloader", "msie", "windows nt", "slcc2", "media center", "unknown", "show", "internal", "encrypt", "veailmboprd", "dns query", "wow64", "gecko http", "entries", "medium", "ransom", "khtml", "gecko", "delete", "installer", "win32cve may", "america flag", "overview ip", "asn as20940", "expiration", "url https", "no expiration", "url http", "pulse show", "type indicator", "role title", "related pulses", "record value", "domain xn" ], "references": [ "HTTPS://BeeLineRouter.Net", "eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com", "https://appleid.xn--appe-70a.com/", "https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://vgt.pl/r.n%20-", "8-25-220-162-static.reverse.queryfoundry.net", "queryfoundry.net", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://117-114-251-162-static.reverse.queryfoundry.net/", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://68-178-128-104-static.reverse.queryfoundry.net/", "0-209-98-172-static.reverse.queryfoundry.net", "154-143-182-107-static.reverse.queryfoundry.net", "http://51-235-245-104-static.reverse.queryfoundry.net/", "167-16-68-38-static.reverse.queryfoundry.net", "http://49-116-251-162-static.reverse.queryfoundry./net/", "177-231-69-38-static.reverse.queryfoundry.net", "http://36-243-60-103-static.reverse.queryfoundry.net/", "http://237-189-251-104-static.reverse.queryfoundry.net/", "http://227-98-248-162-static.reverse.queryfoundry.net/", "237-189-251-104-static.reverse.queryfoundry.net", "http://207-214-98-172-static.reverse.queryfoundry.net/", "181-135-182-107-static.reverse.queryfoundry.net", "http://201-191-251-104-static.reverse.queryfoundry.net/", "67-228-69-38-static.reverse.queryfoundry.net", "http://0-209-98-172-static.reverse.queryfoundry.net/", "http://10-241-60-103-static.reverse.queryfoundry.net/", "http://142-232-245-104-static.reverse.queryfoundry.net/", "http://154-143-182-107-static.reverse.queryfoundry.net/", "http://167-16-68-38-static.reverse.queryfoundry.net/", "http://177-231-69-38-static.reverse.queryfoundry.net/", "http://181-135-182-107-static.reverse.queryfoundry.net/", "http://195-214-98-172-static.reverse.queryfoundry.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "GandCrab Ransomware", "display_name": "GandCrab Ransomware", "target": null }, { "id": "Win.Virus.Expiro", "display_name": "Win.Virus.Expiro", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1049, "URL": 5839, "hostname": 1944, "FileHash-SHA256": 3634, "FileHash-MD5": 310, "FileHash-SHA1": 295, "CVE": 2, "email": 15, "SSLCertFingerprint": 2 }, "indicator_count": 13090, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "106 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69314920e287845f6b36a265", "name": "BeeLineRouter.Net \u2022 Apple Access", "description": "", "modified": "2026-01-03T07:00:45.529000", "created": "2025-12-04T08:41:04.190000", "tags": [ "mitre att", "network traffic", "ck id", "show technique", "ck matrix", "threat score", "december", "default browser", "guest system", "united", "dynadot inc", "name server", "contacted hosts", "process details", "windir", "openurl c", "prefetch2", "learn", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "access att", "t1566 phishing", "ascii text", "pattern match", "show process", "t1071", "general", "local", "path", "click", "beelinerouter", "access", "router", "apple", "regopenkeyexw", "regsz", "process32nextw", "english", "post http", "search", "observed dns", "query", "sinkhole cookie", "malware", "possible", "win32", "updater", "write", "next", "found", "ip address", "domain", "name servers", "unknown ns", "ip whois", "registrar", "cloudflare", "title", "passive dns", "urls", "files", "location united", "asn as14618", "bq dec", "virtool", "backdoor", "checkin", "ipv4 add", "trojan", "dynamicloader", "msie", "windows nt", "slcc2", "media center", "unknown", "show", "internal", "encrypt", "veailmboprd", "dns query", "wow64", "gecko http", "entries", "medium", "ransom", "khtml", "gecko", "delete", "installer", "win32cve may", "america flag", "overview ip", "asn as20940", "expiration", "url https", "no expiration", "url http", "pulse show", "type indicator", "role title", "related pulses", "record value", "domain xn" ], "references": [ "HTTPS://BeeLineRouter.Net", "eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com", "https://appleid.xn--appe-70a.com/", "https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://vgt.pl/r.n%20-", "8-25-220-162-static.reverse.queryfoundry.net", "queryfoundry.net", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://117-114-251-162-static.reverse.queryfoundry.net/", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://68-178-128-104-static.reverse.queryfoundry.net/", "0-209-98-172-static.reverse.queryfoundry.net", "154-143-182-107-static.reverse.queryfoundry.net", "http://51-235-245-104-static.reverse.queryfoundry.net/", "167-16-68-38-static.reverse.queryfoundry.net", "http://49-116-251-162-static.reverse.queryfoundry./net/", "177-231-69-38-static.reverse.queryfoundry.net", "http://36-243-60-103-static.reverse.queryfoundry.net/", "http://237-189-251-104-static.reverse.queryfoundry.net/", "http://227-98-248-162-static.reverse.queryfoundry.net/", "237-189-251-104-static.reverse.queryfoundry.net", "http://207-214-98-172-static.reverse.queryfoundry.net/", "181-135-182-107-static.reverse.queryfoundry.net", "http://201-191-251-104-static.reverse.queryfoundry.net/", "67-228-69-38-static.reverse.queryfoundry.net", "http://0-209-98-172-static.reverse.queryfoundry.net/", "http://10-241-60-103-static.reverse.queryfoundry.net/", "http://142-232-245-104-static.reverse.queryfoundry.net/", "http://154-143-182-107-static.reverse.queryfoundry.net/", "http://167-16-68-38-static.reverse.queryfoundry.net/", "http://177-231-69-38-static.reverse.queryfoundry.net/", "http://181-135-182-107-static.reverse.queryfoundry.net/", "http://195-214-98-172-static.reverse.queryfoundry.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "GandCrab Ransomware", "display_name": "GandCrab Ransomware", "target": null }, { "id": "Win.Virus.Expiro", "display_name": "Win.Virus.Expiro", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 310, "FileHash-SHA1": 295, "FileHash-SHA256": 3634, "URL": 5839, "CVE": 2, "domain": 1048, "email": 15, "hostname": 1944, "SSLCertFingerprint": 2 }, "indicator_count": 13089, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "106 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69314926519256e3ef0a9358", "name": "BeeLineRouter.Net \u2022 Apple Access", "description": "", "modified": "2026-01-03T07:00:45.529000", "created": "2025-12-04T08:41:06.657000", "tags": [ "mitre att", "network traffic", "ck id", "show technique", "ck matrix", "threat score", "december", "default browser", "guest system", "united", "dynadot inc", "name server", "contacted hosts", "process details", "windir", "openurl c", "prefetch2", "learn", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "access att", "t1566 phishing", "ascii text", "pattern match", "show process", "t1071", "general", "local", "path", "click", "beelinerouter", "access", "router", "apple", "regopenkeyexw", "regsz", "process32nextw", "english", "post http", "search", "observed dns", "query", "sinkhole cookie", "malware", "possible", "win32", "updater", "write", "next", "found", "ip address", "domain", "name servers", "unknown ns", "ip whois", "registrar", "cloudflare", "title", "passive dns", "urls", "files", "location united", "asn as14618", "bq dec", "virtool", "backdoor", "checkin", "ipv4 add", "trojan", "dynamicloader", "msie", "windows nt", "slcc2", "media center", "unknown", "show", "internal", "encrypt", "veailmboprd", "dns query", "wow64", "gecko http", "entries", "medium", "ransom", "khtml", "gecko", "delete", "installer", "win32cve may", "america flag", "overview ip", "asn as20940", "expiration", "url https", "no expiration", "url http", "pulse show", "type indicator", "role title", "related pulses", "record value", "domain xn" ], "references": [ "HTTPS://BeeLineRouter.Net", "eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com", "https://appleid.xn--appe-70a.com/", "https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://vgt.pl/r.n%20-", "8-25-220-162-static.reverse.queryfoundry.net", "queryfoundry.net", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://117-114-251-162-static.reverse.queryfoundry.net/", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://68-178-128-104-static.reverse.queryfoundry.net/", "0-209-98-172-static.reverse.queryfoundry.net", "154-143-182-107-static.reverse.queryfoundry.net", "http://51-235-245-104-static.reverse.queryfoundry.net/", "167-16-68-38-static.reverse.queryfoundry.net", "http://49-116-251-162-static.reverse.queryfoundry./net/", "177-231-69-38-static.reverse.queryfoundry.net", "http://36-243-60-103-static.reverse.queryfoundry.net/", "http://237-189-251-104-static.reverse.queryfoundry.net/", "http://227-98-248-162-static.reverse.queryfoundry.net/", "237-189-251-104-static.reverse.queryfoundry.net", "http://207-214-98-172-static.reverse.queryfoundry.net/", "181-135-182-107-static.reverse.queryfoundry.net", "http://201-191-251-104-static.reverse.queryfoundry.net/", "67-228-69-38-static.reverse.queryfoundry.net", "http://0-209-98-172-static.reverse.queryfoundry.net/", "http://10-241-60-103-static.reverse.queryfoundry.net/", "http://142-232-245-104-static.reverse.queryfoundry.net/", "http://154-143-182-107-static.reverse.queryfoundry.net/", "http://167-16-68-38-static.reverse.queryfoundry.net/", "http://177-231-69-38-static.reverse.queryfoundry.net/", "http://181-135-182-107-static.reverse.queryfoundry.net/", "http://195-214-98-172-static.reverse.queryfoundry.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "GandCrab Ransomware", "display_name": "GandCrab Ransomware", "target": null }, { "id": "Win.Virus.Expiro", "display_name": "Win.Virus.Expiro", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 310, "FileHash-SHA1": 295, "FileHash-SHA256": 3634, "URL": 5839, "CVE": 2, "domain": 1048, "email": 15, "hostname": 1944, "SSLCertFingerprint": 2 }, "indicator_count": 13089, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "106 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6928f8d9e4222a6a219d785e", "name": "ClipBanker Spy & Information stealer | Crazy Frost | MaaS | Chrome & Cloudflare attacks", "description": "It appears that entity CrazyFrost provides MasS among other things that include major smear campaigns.| Likely quasi government , and Law Firm contractors.. Domestic terrorizing isn\u2019t a stretch.\nClipBanker: A form of banking trojan information stealer and spy that specifically monitors and steals information, likely by modifying the clipboard contents to redirect financial transactions (e.g., changing a copied bank account number to the attacker's).\n\n[OTX populated - HOSTNAME: CloudFlare.com.., a company owned by the US government, has been added to Pulse, an anti-virus database. (Pulses) created by users.]", "modified": "2025-12-28T00:04:06.179000", "created": "2025-11-28T01:20:25.401000", "tags": [ "dynamicloader", "json", "ascii text", "high", "data", "x90uxa4xf8", "cape", "stream", "guard", "write", "trojan", "redline", "malware", "push", "local", "injection_inter_process", "recon_fingerprint", "persistence_ads", "process_creation_suspicious_location", "infostealer_browser", "infostealer_cookies", "stealth_file", "cape_detected_threat", "antivm_generic_bios", "cape_extracted_content", "united", "mtb jul", "a domains", "aaaa", "443 ma86400", "servers", "win32upatre jul", "virtool", "b778b1", "div div", "d9e4f4", "edf2f8", "present mar", "fastest privacy", "first dns", "win32", "trojandropper", "passive dns", "mtb nov", "ipv4 add", "asn as13335", "dns resolutions", "domain", "data upload", "extraction", "yara", "troja yara", "trojar data", "virto", "worn data", "included iocs", "manually add", "resolved ips", "ta0002", "evasion ta0005", "tr shared", "modules", "files", "infor", "t1027", "process t1057", "community score", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "name server", "date", "cloudflare", "data protected", "misc activity", "et info", "dns requests", "domain address", "gmt flag", "techtarget", "server", "et policy", "prefetch2", "t1179 hooking", "access windows", "installs", "mitre att", "ck techniques", "click", "windir", "country", "contacted hosts", "ip address", "process details", "contacted", "http traffic", "suricata alerts", "event category", "found" ], "references": [ "Malware : ClipBanker Entity: Crazy Frost", "www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Services : GoogleChromeElevationService = Delete", "Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap", "Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap", "Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap", "Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj", "Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap", "Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake", "Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", "CS IDS: Matches rule (http_inspect) invalid status line", "CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.", "jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube/" ], "public": 1, "adversary": "Crazy Frost", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Trojan.Disfa/downloader10", "display_name": "Trojan.Disfa/downloader10", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "Rozena", "display_name": "Rozena", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 295, "FileHash-SHA1": 217, "FileHash-SHA256": 1887, "URL": 3263, "domain": 597, "hostname": 1085, "email": 2, "CVE": 1 }, "indicator_count": 7347, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "112 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68cb233ba91aa1eb958b3f31", "name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022 OneLouder", "description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea", "modified": "2025-10-17T19:03:15.031000", "created": "2025-09-17T21:08:11.518000", "tags": [ "script urls", "meta", "moved", "x tec", "passive dns", "encrypt", "america flag", "san francisco", "extraction", "data upload", "type indicatod", "united states", "a domains", "united", "gmt server", "jose", "university", "bill", "rmhs", "information", "board", "lorin", "joseph", "all veterans", "rocky mountain", "mission", "vice", "april", "school", "austin", "prior", "ipv4 add", "urls", "files", "location united", "wordpress", "rmhs meta", "tags viewport", "rmhs og", "rmhs article", "wpbakery page", "builder", "slider plugin", "google tag", "mountain human", "denver", "connecting", "denver start", "relevance home", "providers", "contact us", "rmhs main", "server", "redacted tech", "redacted admin", "registrar abuse", "algorithm", "key identifier", "x509v3 subject", "dnssec", "country", "ttl value", "graph summary", "resolved ips", "ip address", "port", "data", "screenshots no", "involved direct", "country name", "name response", "tcp connections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "found", "spawns", "t1590 gather", "path", "ascii text", "exif standard", "tiff image", "format", "stop", "false", "soldier", "model", "youth", "baby", "june", "general", "local", "click", "strings", "core", "warrior", "green", "emotion", "flash", "nina", "hunk", "fono", "daam", "mitre att", "ck techniques", "id name", "malicious", "windows nt", "win64", "khtml", "gecko", "brand", "microsoft edge", "show process", "self", "date", "comspec", "hybrid", "form", "log id", "gmtn", "tls web", "b2 f6", "b0n timestamp", "f9401a", "record value", "x wix", "certificate", "domain add", "pulse submit", "body", "domain related", "blackbox", "apple", "helix", "dvrdns", "tracking", "remote access", "ios", "spyware", "hoax", "dynamicloader", "ptls6", "medium", "flashpix", "high", "ygjpavclsline", "officespace", "chartshared", "powershell", "write", "malware", "ygjpaulscontext", "status", "japan unknown", "domain", "pulses", "search", "accept", "apt10", "trojanspy", "win32", "entries", "susp", "backdoor", "useragent", "showing", "virtool", "twitter", "mozilla", "trojandropper", "trojan", "title", "onelouder", "yara det", "maware samoe", "genaco x", "ids detec", "ids terse", "win3 data", "include review", "exclude sugges", "targeting", "show", "copy", "reads", "dynamic", "vendor finding", "notes clamav", "files matching", "number", "sample analysis", "hide samples", "date hash", "next yara" ], "references": [ "rmhumanservices.org", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt", "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt", "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/", "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound", "https://www.mlkfoundation.net/ (Foundry DGA)", "remotewd.com x 34 devices", "South Africa based: remote.advisoroffice.com", "acc.lehigtapp.com - malware", "http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )", "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022", "Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/", "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting", "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net", "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2", "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)", "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname", "1.organization.api.powerplatform.partner.microsoftonline.cn", "chinaeast2.admin.api.powerautomate.cn", "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/", "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A", "ssa-gov.authorizeddns", "hmmm\u2026http://palander.stjernstrom.se/", "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU" ], "public": 1, "adversary": "APT 10", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "APT 10", "display_name": "APT 10", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "KoobFace", "display_name": "KoobFace", "target": null }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "Nivdort Checkin", "display_name": "Nivdort Checkin", "target": null }, { "id": "Win.Malware.Installcore-6950365-0", "display_name": "Win.Malware.Installcore-6950365-0", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Golfing", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 690, "hostname": 1912, "URL": 5925, "FileHash-SHA1": 273, "email": 8, "FileHash-SHA256": 3618, "CIDR": 3, "FileHash-MD5": 254, "SSLCertFingerprint": 19, "CVE": 2 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684a93360163e8802e213158", "name": "ELF:Mirai AMAZON-02 - Autonomous System 65.0.0.0/14", "description": "ELF:Mirai-BHZ\\ [Trj]\t\n65.0.0.0/14\nAutonomous System Number\n16509\nAutonomous System Label\nAMAZON-02\nRelated to \u2022 103.252.236.26 | \n\u2022 sr2.reliedhosting.com | \n.\u2022 http://planitair.com/ |\n\u2022 bgptools-wildcard-confirmed.acemalibu.com | \n\u2022 https://www.anyxxxtube.net/search-porn/tsara-brashears/ | \t\t\t\n\u2022 static.ads-twitter.com\t\n\u2022 https://twitter.com/PORNO_SEXYBABES\t\n\u2022 analytics.twitter.com\n\u2022 appleupdate.org\n\u2022 apps.apple.com\n\u2022 pin.it |\n\u2022 https://pin.it/ |\n\u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian Critical issue. Cyber weaponry [Unclear] Stealth contractual US cyber defense entity, endless DGA\u2019s. India IP block.\nAdversary named by bupyeongop:\n\ubd80\ud3c9\uc624\ud53c \ucd9c\uc7a5\ub9c8\uc0ac\uc9c0\uc548\ub0b4.COM \ubd80\ud3c9OP (massage service?)\n*DoS with many OTX features", "modified": "2025-07-12T07:04:05.635000", "created": "2025-06-12T08:43:34.719000", "tags": [ "thumbprint", "apnic", "apnic whois", "database", "please", "arin whois", "north america", "caribbean", "africa", "internet", "iana", "address range", "cidr", "network name", "allocation type", "whois server", "algorithm", "v3 serial", "number", "cbe oglobalsign", "r6 alphassl", "validity", "subject public", "key info", "key algorithm", "key identifier", "link", "search", "united", "a domains", "ip address", "creation date", "record value", "date", "showing", "india unknown", "status", "passive dns", "ipv4 add", "pulse submit", "url analysis", "urls", "files", "location india", "india asn", "as133296 web", "dns resolutions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "APNIC", "display_name": "APNIC", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 27, "domain": 2499, "hostname": 2651, "URL": 10986, "CIDR": 2, "FileHash-SHA256": 3596, "email": 1, "FileHash-MD5": 23, "CVE": 7 }, "indicator_count": 19792, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "281 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68468500f573317422968c7c", "name": "Crowdsourced research | IP 192.229.221.95", "description": "Crowdsourced research. \t\nLegitimately contracted for all forms of surveillance & other unspeakable jobs against crime victims.\nThis is as dangerous as it gets. The targets are sometimes individuals with absolutely no means of escape, I am speaking for crime victims, investigative journalists, insiders, informants, etc. This is outrageous. The highest level of threat as this is a global operation, primarily in the US with endless resources. No exaggerations. The warfare could , has and has been attempted to result in loss of life. There is quite a bit of information available regarding this merciless, meritless attacks. OTX isn\u2019t allowing full permissions. \n| 1003.v.vgt.pl |\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | \nfoundry2-lbl.dvr.dn2.n-helix.com | \n192.229.221.95 | \ndns0.org | cdnfastly.net", "modified": "2025-07-09T05:00:24.293000", "created": "2025-06-09T06:53:52.404000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 284, "FileHash-SHA1": 285, "FileHash-SHA256": 3666, "domain": 511, "hostname": 845, "URL": 3282, "CVE": 2, "email": 1 }, "indicator_count": 8876, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68468501eb091ae414509121", "name": "Crowdsourced research | IP 192.229.221.95", "description": "Crowdsourced research. \t\nLegitimately contracted for all forms of surveillance & other unspeakable jobs against crime victims.\nThis is as dangerous as it gets. The targets are sometimes individuals with absolutely no means of escape, I am speaking for crime victims, investigative journalists, insiders, informants, etc. This is outrageous. The highest level of threat as this is a global operation, primarily in the US with endless resources. No exaggerations. The warfare could , has and has been attempted to result in loss of life. There is quite a bit of information available regarding this merciless, meritless attacks. OTX isn\u2019t allowing full permissions. \n| 1003.v.vgt.pl |\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | \nfoundry2-lbl.dvr.dn2.n-helix.com | \n192.229.221.95 | \ndns0.org | cdnfastly.net", "modified": "2025-07-09T05:00:24.293000", "created": "2025-06-09T06:53:53.417000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 284, "FileHash-SHA1": 285, "FileHash-SHA256": 3666, "domain": 511, "hostname": 845, "URL": 3282, "CVE": 2, "email": 1 }, "indicator_count": 8876, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68468505ee31db44fe063e82", "name": "Crowdsourced research | IP 192.229.221.95", "description": "Crowdsourced research. \t\nLegitimately contracted for all forms of surveillance & other unspeakable jobs against crime victims.\nThis is as dangerous as it gets. The targets are sometimes individuals with absolutely no means of escape, I am speaking for crime victims, investigative journalists, insiders, informants, etc. This is outrageous. The highest level of threat as this is a global operation, primarily in the US with endless resources. No exaggerations. The warfare could , has and has been attempted to result in loss of life. There is quite a bit of information available regarding this merciless, meritless attacks. OTX isn\u2019t allowing full permissions. \n| 1003.v.vgt.pl |\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | \nfoundry2-lbl.dvr.dn2.n-helix.com | \n192.229.221.95 | \ndns0.org | cdnfastly.net", "modified": "2025-07-09T05:00:24.293000", "created": "2025-06-09T06:53:57.123000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 284, "FileHash-SHA1": 285, "FileHash-SHA256": 3666, "domain": 511, "hostname": 845, "URL": 3282, "CVE": 2, "email": 1 }, "indicator_count": 8876, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6846850783baea1a6beb7e71", "name": "Crowdsourced research | IP 192.229.221.95", "description": "Crowdsourced research. \t\nLegitimately contracted for all forms of surveillance & other unspeakable jobs against crime victims.\nThis is as dangerous as it gets. The targets are sometimes individuals with absolutely no means of escape, I am speaking for crime victims, investigative journalists, insiders, informants, etc. This is outrageous. The highest level of threat as this is a global operation, primarily in the US with endless resources. No exaggerations. The warfare could , has and has been attempted to result in loss of life. There is quite a bit of information available regarding this merciless, meritless attacks. I won\u2019t be surprised if OTX cannot pull the threat. My account isn\u2019t allowing me full permissions. \n\n| 1003.v.vgt.pl |\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | \nfoundry2-lbl.dvr.dn2.n-helix.com | \n192.229.221.95 | \ndns0.org | cdnfastly.net", "modified": "2025-07-09T05:00:24.293000", "created": "2025-06-09T06:53:59.933000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 284, "FileHash-SHA1": 285, "FileHash-SHA256": 3666, "domain": 511, "hostname": 845, "URL": 3282, "CVE": 2, "email": 1 }, "indicator_count": 8876, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://protect.mobitools.net/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://protect.mobitools.net/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776630522.0782015 }