{ "type": "URL", "indicator": "https://protective.kz", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://protective.kz", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4182796158, "indicator": "https://protective.kz", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "698d30c03b57c38dff915023", "name": "Double Umbrella AS15169/AS21928: This evaluates a critical structural convergence between Google (AS15169) and T-Mobile USA (AS21928) within the global Tier-1 routing backbone", "description": "Research credit: msudosos, The research identifies a high-fidelity pattern where traffic from dual origins commingles within a restricted lateral transit hub, allowing for horizontal movement across backbone providers that typically maintain distinct trust boundaries. Specifically, the Content Origin (Umbrella A) originated by Google (AS15169) reaches the core backbone through a high-trust sequence involving Arelion (AS1299), NTT (AS2914), and GTT (AS3257). Simultaneously, the Mobile Origin (Umbrella B) originated by T-Mobile USA (AS21928) enters the backbone via Cogent (AS174) and Lumen (AS3356). The findings designate Lumen (AS3356) as the central lateral hub where traffic pivots horizontally between the \u201cCore Five\u201d partners-including Zayo (AS6461) and Hurricane Electric (AS6939) \u2014before leaking to international sub-transit peers like Sparkle (AS6762) and Telxius (AS12956), finally exiting at global edge points such as PCCW (AS3491) and Tata (AS6453).", "modified": "2026-03-29T06:02:00.914000", "created": "2026-02-12T01:45:36.128000", "tags": [ "The dynamics of the mudoSOSIntersectalign with sophisticated adv" ], "references": [ "as15169" ], "public": 1, "adversary": "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URI": 1, "domain": 2661, "URL": 6810, "hostname": 2147, "email": 56, "FileHash-SHA256": 2781, "CVE": 172, "FileHash-MD5": 365, "FileHash-SHA1": 344, "IPv4": 1, "CIDR": 20940 }, "indicator_count": 36278, "is_author": false, "is_subscribing": null, "subscriber_count": 52, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b7cb05b2098c1d2bf20f", "name": "federal goverment clone cellbrite credit q vashti", "description": "", "modified": "2026-03-12T12:55:39.046000", "created": "2026-03-12T12:55:39.046000", "tags": [ "url https", "url http", "germany", "united", "ukraine", "japan", "extraction", "data upload", "urls", "url analysis", "enter sc", "extr", "iocs", "active", "france unknown", "present jan", "servers", "homair sweet", "grabber", "encrypt", "ipv4", "role title", "divx", "pitfall", "internet", "ip role", "america asn", "extraction data", "leveibielabs", "all se", "enter source", "url or", "texirag", "drop", "present nov", "united states", "america", "levdibidelabs", "failed", "idron anv", "include manualv", "review data", "iterng", "name servers", "passive dns", "incapsula", "meta name", "robots content", "x ua", "ieedge chrome1", "script head", "request", "cookie", "indicator", "msie", "chrome", "backdoor", "gmt content", "ipv4 add", "twitter", "title", "process32nextw", "ms windows", "intel", "pe32", "regopenkeyexa", "read c", "medium", "class", "write", "template", "present oct", "present jul", "aaaa", "present sep", "present aug", "url add", "http", "hostname", "related tags", "kx81xdbx0f", "x86xd3", "xa7xe28x06", "x82xd4", "delete c", "regsetvalueexa", "regbinary", "xa1xf1", "xe8xc2x14", "malware", "stream", "unknown", "win32", "persistence", "execution", "push", "present dec", "italy", "present jun", "embeddedwb", "whitelisted", "windows nt", "dns traffic", "russia", "cname", "accept", "destination", "port", "et smtp", "message", "et trojan", "components", "suspicious", "download", "hostile", "next", "logic", "gather victim", "et info", "etpro trojan", "trojan", "report spam", "interesting", "created", "pegasus", "manipulation", "service", "capture", "et", "etpro", "host", "attack", "mtb description", "windows", "shellexecuteexw", "writeconsolew", "registry", "t1031", "modify existing", "dock", "type indicator", "added active", "related pulses", "arcflex", "filehashsha1", "types of", "learn more", "filehashsha256", "cellebrite", "white label", "search", "sha1", "france", "cmanual jan", "expiration date", "domain add", "pulse submit", "files", "ip address", "gmt cache", "sameorigin", "reverse dns", "unknown ns", "admin org", "zipcode", "gmt server", "pulse pulses", "entries", "hostname add", "verdict", "germany unknown", "status", "domain", "xpirat", "netherlands", "netherlands asn", "as35280 acorus", "dns resolutions", "error", "files ip", "copy", "telnet login", "suspicious path", "busybox", "login attempt", "gpl telnet", "high", "tcp syn", "telnet root", "path", "mirai", "emails", "domain name", "jlu11q", "tqbplo", "hours ago", "found", "yahoo", "gmail", "yandex", "https://cellebrite.com/en/federal-government/", "monitoring", "monitored target", "dangerous", "spyware", "80211", "colorado", "x amz", "government", "mirai login attempt", "emotet", "c2", ".ru", ".com", "denver", "indicator role", "title added", "active related", "pulses hostname", "dead connect", "hostile", "adversarial", "abuse", "criminal intent", "block messages", "botnet" ], "references": [ "fastwebnet.it | Cellebrite White Label Spyware Service", "putrhnwl.exe", "Yara Detections: Nullsoft_NSIS", "Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut", "Alerts: exe_appdata injection_process_search privilege_luid_check process_interest", "Alerts: queries_programs antivm_queries_computername antivm_memory_available", "IP\u2019s Contacted : 54.230.129.165", "Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com", "Domains Contacted: pitfall.divx.com www.google.com", "RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Yara: Detections Tofsee", "Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey", "Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername", "https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966", "FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,", "DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe", "ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116", "ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116", "ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101", "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108", "ET TROJAN Suspicious double Server Header", "ET DNS DNS Query to a .tk domain - Likey", "ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101", "Needs to be sorted. Actively being exploited on US", "162.159.134.42 \u2022 https://cellebrite.com/", "https://cellebrite.com/en/federal-government/", "moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in", "skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au", "http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com", "applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33", "mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my", "http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Germany", "Ireland", "Switzerland", "Poland", "Belgium", "Netherlands", "Sweden" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/Aptdrop.RU", "display_name": "Trojan:Win32/Aptdrop.RU", "target": "/malware/Trojan:Win32/Aptdrop.RU" }, { "id": "Ransomware/Win.Stop.R4529", "display_name": "Ransomware/Win.Stop.R4529", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Win32/BackdoorX", "display_name": "Win32/BackdoorX", "target": null }, { "id": "Win.Trojan.Dialog-9873788-0", "display_name": "Win.Trojan.Dialog-9873788-0", "target": null }, { "id": "Tsunami-6981155-0", "display_name": "Tsunami-6981155-0", "target": null }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1196", "name": "Control Panel Items", "display_name": "T1196 - Control Panel Items" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1581", "name": "Geofencing", "display_name": "T1581 - Geofencing" }, { "id": "T1582", "name": "SMS Control", "display_name": "T1582 - SMS Control" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [ "Journalists", "Government", "Civil Society" ], "TLP": "green", "cloned_from": "696f7d467763ed4d4e74d133", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4994, "domain": 2519, "hostname": 3281, "FileHash-SHA256": 4467, "FileHash-MD5": 1118, "FileHash-SHA1": 1056, "email": 12, "SSLCertFingerprint": 1 }, "indicator_count": 17448, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6975c5cd4db6104ea1a3d69b", "name": "The Blender Foundation BouncyCastle-Virut | Malware /Stealer Empty FileHash | Eternal7 (Shadow Broker) Related", "description": "Empty FileHash isn\u2019t benign. Interesting relationships to the Eternal 7. Malware, Stealer and Suspicious History File Operation. BouncyCastle-Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys / Startul ErrorPageTemplate[1] netcore, BouncyCastle.", "modified": "2026-02-24T06:02:43.853000", "created": "2026-01-25T07:27:09.640000", "tags": [ "empty", "blender", "eurostile", "augustin", "butterfield", "cook", "drummer", "erickson", "fjsv", "flynn", "gorman", "holmes", "easy", "rada", "xanadu", "config", "reboot", "screen", "microsoft", "commerce server", "edition", "draw", "exchange server", "tools", "linux", "ideal link", "nsrl test", "nist", "file", "cultureneutral", "fix pack", "free download", "bouncycastle", "read c", "search", "et trojan", "w32kegotip cnc", "whitelisted", "ids detections", "intel", "write", "trojan", "malware", "yara detections", "productversion", "fileversion", "av detections", "alerts", "analysis date", "file score", "united", "aaaa", "passive dns", "ip address", "present dec", "body html", "head meta", "title", "urls", "url https", "http", "hostname", "files domain", "files related", "related tags", "beacon", "et", "ipv4", "files", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "show", "win32virut", "destination", "port", "ms windows", "pe32", "medium", "suspicious", "virustotal", "startul", "shadowbrokers", "total", "delete", "artemis", "win32.injector", "trendmicro", "data upload", "extraction", "included iocs" ], "references": [ "The Blender Foundation", "website \u2022 http://oldapps.com/blender.php?old_blender=7584", "oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download", "Google android-cts-7.1_r6-linux_x86-arm.zip", "Google android-cts-7.1_r6-linux_x86-arm.zip", "android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]", "Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community", "Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks", "ET TROJAN W32/Kegotip CnC Beacon", "IDS Detections ET POLICY Suspicious User-Agent Containing .exe", "Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit", "Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /", "Startul ErrorPageTemplate[1] netcore, BouncyCastle.", "Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BouncyCastle", "display_name": "BouncyCastle", "target": null }, { "id": "Sf:ShellCode-AU", "display_name": "Sf:ShellCode-AU", "target": null }, { "id": "Win.Trojan.Fareit-82", "display_name": "Win.Trojan.Fareit-82", "target": null }, { "id": "Win.Trojan.Agent-245901", "display_name": "Win.Trojan.Agent-245901", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "W32/Kegotip CnC", "display_name": "W32/Kegotip CnC", "target": null }, { "id": "W32.Virut.ci", "display_name": "W32.Virut.ci", "target": null }, { "id": "Downloader.Generic13.CMTW", "display_name": "Downloader.Generic13.CMTW", "target": null }, { "id": "Downloader.Generic13.BOBZ", "display_name": "Downloader.Generic13.BOBZ", "target": null }, { "id": "Win.Trojan.Injector-12138", "display_name": "Win.Trojan.Injector-12138", "target": null }, { "id": "Generic36.ADTY", "display_name": "Generic36.ADTY", "target": null }, { "id": "Generic36.AIAA.Dropper", "display_name": "Generic36.AIAA.Dropper", "target": null }, { "id": "Generic36.AJSM", "display_name": "Generic36.AJSM", "target": null }, { "id": "Win32/Virut", "display_name": "Win32/Virut", "target": null }, { "id": "Win32/Ramnit.A", "display_name": "Win32/Ramnit.A", "target": null }, { "id": "Worm.Autorun-6180", "display_name": "Worm.Autorun-6180", "target": null }, { "id": "Hider.BIY", "display_name": "Hider.BIY", "target": null }, { "id": "Win.Trojan.Rootkit-4532", "display_name": "Win.Trojan.Rootkit-4532", "target": null }, { "id": "Win32/Blacked", "display_name": "Win32/Blacked", "target": null }, { "id": "Win32.Injector", "display_name": "Win32.Injector", "target": null }, { "id": "TrendMicro", "display_name": "TrendMicro", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 71, "FileHash-SHA256": 853, "URL": 1639, "domain": 288, "FileHash-MD5": 78, "hostname": 545 }, "indicator_count": 3474, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "54 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696f7d467763ed4d4e74d133", "name": "Federal Government-Cellebrite Attack found actively targeting iOS and other devices | Mirai login attempts | TelNet Login", "description": "https://cellebrite.com/en/federal-government/ | Found on a crime victims devices. Targets abused by spyware in an unethical manner by andvesarial \u2018governmental\u2019 possibly \u2018contracted\u2019 entities. Waged against targets such as victims of crime , journalists , researchers , students. Target Users: Serves public safety, enterprise, and government sectors, aiding first responders, investigators, prosecutors, and analysts. How it's Used Law enforcement uses it to unlock devices and retrieve evidence like messages, location history, and app data for criminal investigations. It helps uncover critical information from digital devices, even recovering data that users thought was permanently deleted. Controversy & Privacy Concerns While marketed as a tool for lawful investigations, its powerful data extraction capabilities raise significant privacy concerns and ethical debates.", "modified": "2026-02-19T12:05:47.166000", "created": "2026-01-20T13:04:06.622000", "tags": [ "url https", "url http", "germany", "united", "ukraine", "japan", "extraction", "data upload", "urls", "url analysis", "enter sc", "extr", "iocs", "active", "france unknown", "present jan", "servers", "homair sweet", "grabber", "encrypt", "ipv4", "role title", "divx", "pitfall", "internet", "ip role", "america asn", "extraction data", "leveibielabs", "all se", "enter source", "url or", "texirag", "drop", "present nov", "united states", "america", "levdibidelabs", "failed", "idron anv", "include manualv", "review data", "iterng", "name servers", "passive dns", "incapsula", "meta name", "robots content", "x ua", "ieedge chrome1", "script head", "request", "cookie", "indicator", "msie", "chrome", "backdoor", "gmt content", "ipv4 add", "twitter", "title", "process32nextw", "ms windows", "intel", "pe32", "regopenkeyexa", "read c", "medium", "class", "write", "template", "present oct", "present jul", "aaaa", "present sep", "present aug", "url add", "http", "hostname", "related tags", "kx81xdbx0f", "x86xd3", "xa7xe28x06", "x82xd4", "delete c", "regsetvalueexa", "regbinary", "xa1xf1", "xe8xc2x14", "malware", "stream", "unknown", "win32", "persistence", "execution", "push", "present dec", "italy", "present jun", "embeddedwb", "whitelisted", "windows nt", "dns traffic", "russia", "cname", "accept", "destination", "port", "et smtp", "message", "et trojan", "components", "suspicious", "download", "hostile", "next", "logic", "gather victim", "et info", "etpro trojan", "trojan", "report spam", "interesting", "created", "pegasus", "manipulation", "service", "capture", "et", "etpro", "host", "attack", "mtb description", "windows", "shellexecuteexw", "writeconsolew", "registry", "t1031", "modify existing", "dock", "type indicator", "added active", "related pulses", "arcflex", "filehashsha1", "types of", "learn more", "filehashsha256", "cellebrite", "white label", "search", "sha1", "france", "cmanual jan", "expiration date", "domain add", "pulse submit", "files", "ip address", "gmt cache", "sameorigin", "reverse dns", "unknown ns", "admin org", "zipcode", "gmt server", "pulse pulses", "entries", "hostname add", "verdict", "germany unknown", "status", "domain", "xpirat", "netherlands", "netherlands asn", "as35280 acorus", "dns resolutions", "error", "files ip", "copy", "telnet login", "suspicious path", "busybox", "login attempt", "gpl telnet", "high", "tcp syn", "telnet root", "path", "mirai", "emails", "domain name", "jlu11q", "tqbplo", "hours ago", "found", "yahoo", "gmail", "yandex", "https://cellebrite.com/en/federal-government/", "monitoring", "monitored target", "dangerous", "spyware", "80211", "colorado", "x amz", "government", "mirai login attempt", "emotet", "c2", ".ru", ".com", "denver", "indicator role", "title added", "active related", "pulses hostname", "dead connect", "hostile", "adversarial", "abuse", "criminal intent", "block messages", "botnet" ], "references": [ "fastwebnet.it | Cellebrite White Label Spyware Service", "putrhnwl.exe", "Yara Detections: Nullsoft_NSIS", "Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut", "Alerts: exe_appdata injection_process_search privilege_luid_check process_interest", "Alerts: queries_programs antivm_queries_computername antivm_memory_available", "IP\u2019s Contacted : 54.230.129.165", "Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com", "Domains Contacted: pitfall.divx.com www.google.com", "RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Yara: Detections Tofsee", "Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey", "Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername", "https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966", "FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,", "DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe", "ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116", "ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116", "ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101", "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108", "ET TROJAN Suspicious double Server Header", "ET DNS DNS Query to a .tk domain - Likey", "ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101", "Needs to be sorted. Actively being exploited on US", "162.159.134.42 \u2022 https://cellebrite.com/", "https://cellebrite.com/en/federal-government/", "moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in", "skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au", "http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com", "applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33", "mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my", "http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Germany", "Ireland", "Switzerland", "Poland", "Belgium", "Netherlands", "Sweden" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/Aptdrop.RU", "display_name": "Trojan:Win32/Aptdrop.RU", "target": "/malware/Trojan:Win32/Aptdrop.RU" }, { "id": "Ransomware/Win.Stop.R4529", "display_name": "Ransomware/Win.Stop.R4529", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Win32/BackdoorX", "display_name": "Win32/BackdoorX", "target": null }, { "id": "Win.Trojan.Dialog-9873788-0", "display_name": "Win.Trojan.Dialog-9873788-0", "target": null }, { "id": "Tsunami-6981155-0", "display_name": "Tsunami-6981155-0", "target": null }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1196", "name": "Control Panel Items", "display_name": "T1196 - Control Panel Items" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1581", "name": "Geofencing", "display_name": "T1581 - Geofencing" }, { "id": "T1582", "name": "SMS Control", "display_name": "T1582 - SMS Control" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [ "Journalists", "Government", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4994, "domain": 2519, "hostname": 3281, "FileHash-SHA256": 4467, "FileHash-MD5": 1118, "FileHash-SHA1": 1056, "email": 12, "SSLCertFingerprint": 1 }, "indicator_count": 17448, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks", "IP\u2019s Contacted : 54.230.129.165", "https://cellebrite.com/en/federal-government/", "ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "putrhnwl.exe", "FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,", "Startul ErrorPageTemplate[1] netcore, BouncyCastle.", "Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)", "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101", "Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /", "DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe", "IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut", "ET DNS DNS Query to a .tk domain - Likey", "ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101", "applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33", "The Blender Foundation", "Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "Yara Detections: Nullsoft_NSIS", "162.159.134.42 \u2022 https://cellebrite.com/", "https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966", "Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com", "moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in", "Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey", "Google android-cts-7.1_r6-linux_x86-arm.zip", "Alerts: exe_appdata injection_process_search privilege_luid_check process_interest", "http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com", "http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/", "Yara: Detections Tofsee", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238", "Domains Contacted: pitfall.divx.com www.google.com", "Alerts: queries_programs antivm_queries_computername antivm_memory_available", "Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername", "ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116", "mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my", "Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community", "ET TROJAN W32/Kegotip CnC Beacon", "ET TROJAN Suspicious double Server Header", "skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au", "oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download", "as15169", "ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116", "Needs to be sorted. Actively being exploited on US", "android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]", "IDS Detections ET POLICY Suspicious User-Agent Containing .exe", "Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit", "website \u2022 http://oldapps.com/blender.php?old_blender=7584", "RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK", "fastwebnet.it | Cellebrite White Label Spyware Service" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act" ], "malware_families": [ "Downloader.generic13.cmtw", "Trojan:win32/danabot", "Generic36.adty", "Win.trojan.dialog-9873788-0", "Win.trojan.fareit-82", "Win32/blacked", "Generic36.aiaa.dropper", "Win32:trojan-gen", "Crypt3.bxvc", "W32.virut.ci", "#lowfienabledtcontinueafterunpacking", "Win32/ramnit.a", "Generic36.ajsm", "Win.trojan.rootkit-4532", "Win32/virut", "Pegasus", "Unix.trojan.tsunami-6981155-0", "Trojan:win32/emotet.pc!mtb", "Backdoor:linux/demonbot", "Bouncycastle", "Etpro", "Win32/backdoorx", "Trendmicro", "Trojan:win32/aptdrop.ru", "Win.trojan.injector-12138", "Win.trojan.agent-245901", "Worm.autorun-6180", "Ransomware/win.stop.r4529", "Sf:shellcode-au", "Et", "Tsunami-6981155-0", "Backdoor:win32/tofsee.t", "Downloader.generic13.bobz", "Hider.biy", "Mirai", "Win32.injector", "W32/kegotip cnc" ], "industries": [ "Government", "Journalists", "Civil society" ], "unique_indicators": 37159 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/protective.kz", "whois": "http://whois.domaintools.com/protective.kz", "domain": "protective.kz", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "698d30c03b57c38dff915023", "name": "Double Umbrella AS15169/AS21928: This evaluates a critical structural convergence between Google (AS15169) and T-Mobile USA (AS21928) within the global Tier-1 routing backbone", "description": "Research credit: msudosos, The research identifies a high-fidelity pattern where traffic from dual origins commingles within a restricted lateral transit hub, allowing for horizontal movement across backbone providers that typically maintain distinct trust boundaries. Specifically, the Content Origin (Umbrella A) originated by Google (AS15169) reaches the core backbone through a high-trust sequence involving Arelion (AS1299), NTT (AS2914), and GTT (AS3257). Simultaneously, the Mobile Origin (Umbrella B) originated by T-Mobile USA (AS21928) enters the backbone via Cogent (AS174) and Lumen (AS3356). The findings designate Lumen (AS3356) as the central lateral hub where traffic pivots horizontally between the \u201cCore Five\u201d partners-including Zayo (AS6461) and Hurricane Electric (AS6939) \u2014before leaking to international sub-transit peers like Sparkle (AS6762) and Telxius (AS12956), finally exiting at global edge points such as PCCW (AS3491) and Tata (AS6453).", "modified": "2026-03-29T06:02:00.914000", "created": "2026-02-12T01:45:36.128000", "tags": [ "The dynamics of the mudoSOSIntersectalign with sophisticated adv" ], "references": [ "as15169" ], "public": 1, "adversary": "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URI": 1, "domain": 2661, "URL": 6810, "hostname": 2147, "email": 56, "FileHash-SHA256": 2781, "CVE": 172, "FileHash-MD5": 365, "FileHash-SHA1": 344, "IPv4": 1, "CIDR": 20940 }, "indicator_count": 36278, "is_author": false, "is_subscribing": null, "subscriber_count": 52, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b7cb05b2098c1d2bf20f", "name": "federal goverment clone cellbrite credit q vashti", "description": "", "modified": "2026-03-12T12:55:39.046000", "created": "2026-03-12T12:55:39.046000", "tags": [ "url https", "url http", "germany", "united", "ukraine", "japan", "extraction", "data upload", "urls", "url analysis", "enter sc", "extr", "iocs", "active", "france unknown", "present jan", "servers", "homair sweet", "grabber", "encrypt", "ipv4", "role title", "divx", "pitfall", "internet", "ip role", "america asn", "extraction data", "leveibielabs", "all se", "enter source", "url or", "texirag", "drop", "present nov", "united states", "america", "levdibidelabs", "failed", "idron anv", "include manualv", "review data", "iterng", "name servers", "passive dns", "incapsula", "meta name", "robots content", "x ua", "ieedge chrome1", "script head", "request", "cookie", "indicator", "msie", "chrome", "backdoor", "gmt content", "ipv4 add", "twitter", "title", "process32nextw", "ms windows", "intel", "pe32", "regopenkeyexa", "read c", "medium", "class", "write", "template", "present oct", "present jul", "aaaa", "present sep", "present aug", "url add", "http", "hostname", "related tags", "kx81xdbx0f", "x86xd3", "xa7xe28x06", "x82xd4", "delete c", "regsetvalueexa", "regbinary", "xa1xf1", "xe8xc2x14", "malware", "stream", "unknown", "win32", "persistence", "execution", "push", "present dec", "italy", "present jun", "embeddedwb", "whitelisted", "windows nt", "dns traffic", "russia", "cname", "accept", "destination", "port", "et smtp", "message", "et trojan", "components", "suspicious", "download", "hostile", "next", "logic", "gather victim", "et info", "etpro trojan", "trojan", "report spam", "interesting", "created", "pegasus", "manipulation", "service", "capture", "et", "etpro", "host", "attack", "mtb description", "windows", "shellexecuteexw", "writeconsolew", "registry", "t1031", "modify existing", "dock", "type indicator", "added active", "related pulses", "arcflex", "filehashsha1", "types of", "learn more", "filehashsha256", "cellebrite", "white label", "search", "sha1", "france", "cmanual jan", "expiration date", "domain add", "pulse submit", "files", "ip address", "gmt cache", "sameorigin", "reverse dns", "unknown ns", "admin org", "zipcode", "gmt server", "pulse pulses", "entries", "hostname add", "verdict", "germany unknown", "status", "domain", "xpirat", "netherlands", "netherlands asn", "as35280 acorus", "dns resolutions", "error", "files ip", "copy", "telnet login", "suspicious path", "busybox", "login attempt", "gpl telnet", "high", "tcp syn", "telnet root", "path", "mirai", "emails", "domain name", "jlu11q", "tqbplo", "hours ago", "found", "yahoo", "gmail", "yandex", "https://cellebrite.com/en/federal-government/", "monitoring", "monitored target", "dangerous", "spyware", "80211", "colorado", "x amz", "government", "mirai login attempt", "emotet", "c2", ".ru", ".com", "denver", "indicator role", "title added", "active related", "pulses hostname", "dead connect", "hostile", "adversarial", "abuse", "criminal intent", "block messages", "botnet" ], "references": [ "fastwebnet.it | Cellebrite White Label Spyware Service", "putrhnwl.exe", "Yara Detections: Nullsoft_NSIS", "Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut", "Alerts: exe_appdata injection_process_search privilege_luid_check process_interest", "Alerts: queries_programs antivm_queries_computername antivm_memory_available", "IP\u2019s Contacted : 54.230.129.165", "Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com", "Domains Contacted: pitfall.divx.com www.google.com", "RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Yara: Detections Tofsee", "Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey", "Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername", "https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966", "FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,", "DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe", "ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116", "ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116", "ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101", "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108", "ET TROJAN Suspicious double Server Header", "ET DNS DNS Query to a .tk domain - Likey", "ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101", "Needs to be sorted. Actively being exploited on US", "162.159.134.42 \u2022 https://cellebrite.com/", "https://cellebrite.com/en/federal-government/", "moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in", "skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au", "http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com", "applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33", "mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my", "http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Germany", "Ireland", "Switzerland", "Poland", "Belgium", "Netherlands", "Sweden" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/Aptdrop.RU", "display_name": "Trojan:Win32/Aptdrop.RU", "target": "/malware/Trojan:Win32/Aptdrop.RU" }, { "id": "Ransomware/Win.Stop.R4529", "display_name": "Ransomware/Win.Stop.R4529", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Win32/BackdoorX", "display_name": "Win32/BackdoorX", "target": null }, { "id": "Win.Trojan.Dialog-9873788-0", "display_name": "Win.Trojan.Dialog-9873788-0", "target": null }, { "id": "Tsunami-6981155-0", "display_name": "Tsunami-6981155-0", "target": null }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1196", "name": "Control Panel Items", "display_name": "T1196 - Control Panel Items" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1581", "name": "Geofencing", "display_name": "T1581 - Geofencing" }, { "id": "T1582", "name": "SMS Control", "display_name": "T1582 - SMS Control" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [ "Journalists", "Government", "Civil Society" ], "TLP": "green", "cloned_from": "696f7d467763ed4d4e74d133", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4994, "domain": 2519, "hostname": 3281, "FileHash-SHA256": 4467, "FileHash-MD5": 1118, "FileHash-SHA1": 1056, "email": 12, "SSLCertFingerprint": 1 }, "indicator_count": 17448, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6975c5cd4db6104ea1a3d69b", "name": "The Blender Foundation BouncyCastle-Virut | Malware /Stealer Empty FileHash | Eternal7 (Shadow Broker) Related", "description": "Empty FileHash isn\u2019t benign. Interesting relationships to the Eternal 7. Malware, Stealer and Suspicious History File Operation. BouncyCastle-Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys / Startul ErrorPageTemplate[1] netcore, BouncyCastle.", "modified": "2026-02-24T06:02:43.853000", "created": "2026-01-25T07:27:09.640000", "tags": [ "empty", "blender", "eurostile", "augustin", "butterfield", "cook", "drummer", "erickson", "fjsv", "flynn", "gorman", "holmes", "easy", "rada", "xanadu", "config", "reboot", "screen", "microsoft", "commerce server", "edition", "draw", "exchange server", "tools", "linux", "ideal link", "nsrl test", "nist", "file", "cultureneutral", "fix pack", "free download", "bouncycastle", "read c", "search", "et trojan", "w32kegotip cnc", "whitelisted", "ids detections", "intel", "write", "trojan", "malware", "yara detections", "productversion", "fileversion", "av detections", "alerts", "analysis date", "file score", "united", "aaaa", "passive dns", "ip address", "present dec", "body html", "head meta", "title", "urls", "url https", "http", "hostname", "files domain", "files related", "related tags", "beacon", "et", "ipv4", "files", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "show", "win32virut", "destination", "port", "ms windows", "pe32", "medium", "suspicious", "virustotal", "startul", "shadowbrokers", "total", "delete", "artemis", "win32.injector", "trendmicro", "data upload", "extraction", "included iocs" ], "references": [ "The Blender Foundation", "website \u2022 http://oldapps.com/blender.php?old_blender=7584", "oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download", "Google android-cts-7.1_r6-linux_x86-arm.zip", "Google android-cts-7.1_r6-linux_x86-arm.zip", "android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]", "Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community", "Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks", "ET TROJAN W32/Kegotip CnC Beacon", "IDS Detections ET POLICY Suspicious User-Agent Containing .exe", "Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit", "Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /", "Startul ErrorPageTemplate[1] netcore, BouncyCastle.", "Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BouncyCastle", "display_name": "BouncyCastle", "target": null }, { "id": "Sf:ShellCode-AU", "display_name": "Sf:ShellCode-AU", "target": null }, { "id": "Win.Trojan.Fareit-82", "display_name": "Win.Trojan.Fareit-82", "target": null }, { "id": "Win.Trojan.Agent-245901", "display_name": "Win.Trojan.Agent-245901", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "W32/Kegotip CnC", "display_name": "W32/Kegotip CnC", "target": null }, { "id": "W32.Virut.ci", "display_name": "W32.Virut.ci", "target": null }, { "id": "Downloader.Generic13.CMTW", "display_name": "Downloader.Generic13.CMTW", "target": null }, { "id": "Downloader.Generic13.BOBZ", "display_name": "Downloader.Generic13.BOBZ", "target": null }, { "id": "Win.Trojan.Injector-12138", "display_name": "Win.Trojan.Injector-12138", "target": null }, { "id": "Generic36.ADTY", "display_name": "Generic36.ADTY", "target": null }, { "id": "Generic36.AIAA.Dropper", "display_name": "Generic36.AIAA.Dropper", "target": null }, { "id": "Generic36.AJSM", "display_name": "Generic36.AJSM", "target": null }, { "id": "Win32/Virut", "display_name": "Win32/Virut", "target": null }, { "id": "Win32/Ramnit.A", "display_name": "Win32/Ramnit.A", "target": null }, { "id": "Worm.Autorun-6180", "display_name": "Worm.Autorun-6180", "target": null }, { "id": "Hider.BIY", "display_name": "Hider.BIY", "target": null }, { "id": "Win.Trojan.Rootkit-4532", "display_name": "Win.Trojan.Rootkit-4532", "target": null }, { "id": "Win32/Blacked", "display_name": "Win32/Blacked", "target": null }, { "id": "Win32.Injector", "display_name": "Win32.Injector", "target": null }, { "id": "TrendMicro", "display_name": "TrendMicro", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 71, "FileHash-SHA256": 853, "URL": 1639, "domain": 288, "FileHash-MD5": 78, "hostname": 545 }, "indicator_count": 3474, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "54 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696f7d467763ed4d4e74d133", "name": "Federal Government-Cellebrite Attack found actively targeting iOS and other devices | Mirai login attempts | TelNet Login", "description": "https://cellebrite.com/en/federal-government/ | Found on a crime victims devices. Targets abused by spyware in an unethical manner by andvesarial \u2018governmental\u2019 possibly \u2018contracted\u2019 entities. Waged against targets such as victims of crime , journalists , researchers , students. Target Users: Serves public safety, enterprise, and government sectors, aiding first responders, investigators, prosecutors, and analysts. How it's Used Law enforcement uses it to unlock devices and retrieve evidence like messages, location history, and app data for criminal investigations. It helps uncover critical information from digital devices, even recovering data that users thought was permanently deleted. Controversy & Privacy Concerns While marketed as a tool for lawful investigations, its powerful data extraction capabilities raise significant privacy concerns and ethical debates.", "modified": "2026-02-19T12:05:47.166000", "created": "2026-01-20T13:04:06.622000", "tags": [ "url https", "url http", "germany", "united", "ukraine", "japan", "extraction", "data upload", "urls", "url analysis", "enter sc", "extr", "iocs", "active", "france unknown", "present jan", "servers", "homair sweet", "grabber", "encrypt", "ipv4", "role title", "divx", "pitfall", "internet", "ip role", "america asn", "extraction data", "leveibielabs", "all se", "enter source", "url or", "texirag", "drop", "present nov", "united states", "america", "levdibidelabs", "failed", "idron anv", "include manualv", "review data", "iterng", "name servers", "passive dns", "incapsula", "meta name", "robots content", "x ua", "ieedge chrome1", "script head", "request", "cookie", "indicator", "msie", "chrome", "backdoor", "gmt content", "ipv4 add", "twitter", "title", "process32nextw", "ms windows", "intel", "pe32", "regopenkeyexa", "read c", "medium", "class", "write", "template", "present oct", "present jul", "aaaa", "present sep", "present aug", "url add", "http", "hostname", "related tags", "kx81xdbx0f", "x86xd3", "xa7xe28x06", "x82xd4", "delete c", "regsetvalueexa", "regbinary", "xa1xf1", "xe8xc2x14", "malware", "stream", "unknown", "win32", "persistence", "execution", "push", "present dec", "italy", "present jun", "embeddedwb", "whitelisted", "windows nt", "dns traffic", "russia", "cname", "accept", "destination", "port", "et smtp", "message", "et trojan", "components", "suspicious", "download", "hostile", "next", "logic", "gather victim", "et info", "etpro trojan", "trojan", "report spam", "interesting", "created", "pegasus", "manipulation", "service", "capture", "et", "etpro", "host", "attack", "mtb description", "windows", "shellexecuteexw", "writeconsolew", "registry", "t1031", "modify existing", "dock", "type indicator", "added active", "related pulses", "arcflex", "filehashsha1", "types of", "learn more", "filehashsha256", "cellebrite", "white label", "search", "sha1", "france", "cmanual jan", "expiration date", "domain add", "pulse submit", "files", "ip address", "gmt cache", "sameorigin", "reverse dns", "unknown ns", "admin org", "zipcode", "gmt server", "pulse pulses", "entries", "hostname add", "verdict", "germany unknown", "status", "domain", "xpirat", "netherlands", "netherlands asn", "as35280 acorus", "dns resolutions", "error", "files ip", "copy", "telnet login", "suspicious path", "busybox", "login attempt", "gpl telnet", "high", "tcp syn", "telnet root", "path", "mirai", "emails", "domain name", "jlu11q", "tqbplo", "hours ago", "found", "yahoo", "gmail", "yandex", "https://cellebrite.com/en/federal-government/", "monitoring", "monitored target", "dangerous", "spyware", "80211", "colorado", "x amz", "government", "mirai login attempt", "emotet", "c2", ".ru", ".com", "denver", "indicator role", "title added", "active related", "pulses hostname", "dead connect", "hostile", "adversarial", "abuse", "criminal intent", "block messages", "botnet" ], "references": [ "fastwebnet.it | Cellebrite White Label Spyware Service", "putrhnwl.exe", "Yara Detections: Nullsoft_NSIS", "Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut", "Alerts: exe_appdata injection_process_search privilege_luid_check process_interest", "Alerts: queries_programs antivm_queries_computername antivm_memory_available", "IP\u2019s Contacted : 54.230.129.165", "Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com", "Domains Contacted: pitfall.divx.com www.google.com", "RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Yara: Detections Tofsee", "Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey", "Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername", "https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966", "FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,", "DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe", "ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116", "ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116", "ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101", "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108", "ET TROJAN Suspicious double Server Header", "ET DNS DNS Query to a .tk domain - Likey", "ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101", "Needs to be sorted. Actively being exploited on US", "162.159.134.42 \u2022 https://cellebrite.com/", "https://cellebrite.com/en/federal-government/", "moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in", "skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au", "http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com", "applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33", "mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my", "http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Germany", "Ireland", "Switzerland", "Poland", "Belgium", "Netherlands", "Sweden" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/Aptdrop.RU", "display_name": "Trojan:Win32/Aptdrop.RU", "target": "/malware/Trojan:Win32/Aptdrop.RU" }, { "id": "Ransomware/Win.Stop.R4529", "display_name": "Ransomware/Win.Stop.R4529", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Win32/BackdoorX", "display_name": "Win32/BackdoorX", "target": null }, { "id": "Win.Trojan.Dialog-9873788-0", "display_name": "Win.Trojan.Dialog-9873788-0", "target": null }, { "id": "Tsunami-6981155-0", "display_name": "Tsunami-6981155-0", "target": null }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1196", "name": "Control Panel Items", "display_name": "T1196 - Control Panel Items" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1581", "name": "Geofencing", "display_name": "T1581 - Geofencing" }, { "id": "T1582", "name": "SMS Control", "display_name": "T1582 - SMS Control" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [ "Journalists", "Government", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4994, "domain": 2519, "hostname": 3281, "FileHash-SHA256": 4467, "FileHash-MD5": 1118, "FileHash-SHA1": 1056, "email": 12, "SSLCertFingerprint": 1 }, "indicator_count": 17448, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://protective.kz", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://protective.kz", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776640543.9162612 }