{ "type": "URL", "indicator": "https://proxy.infimotiontec.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://proxy.infimotiontec.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4154159462, "indicator": "https://proxy.infimotiontec.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "693de4a8a72cf95b028365f0", "name": "Bot Block 162.159.128.0/19 | X Fake tweets | Tofsee", "description": "Tofsee.Trojan.T malware infection affects infected devices. \n\n\n#unlocked #injection #dead_host #compromised_devices #folk_in _browser #botnets", "modified": "2026-01-12T21:02:35.560000", "created": "2025-12-13T22:11:52.474000", "tags": [ "network", "ip address", "subnet", "dynamicloader", "port", "destination", "high", "windows", "united", "write", "tofsee", "stream", "win64", "push", "urls", "url analysis", "dnssec", "script domains", "encrypt", "url add", "http", "related nids", "flag united", "germany", "address google", "passive dns", "ipv4 add", "files", "asn as13335", "dns resolutions", "domains top", "level", "unique tlds", "location united", "asn asnone", "present dec", "backdoor", "lowfi", "win32autoit mar", "urls show", "date checked", "connection", "httponly", "secure", "path", "expiressat", "dynamic cfray", "medium", "delete c", "displayname", "show", "unknown", "next", "rndhex", "malware", "cname", "next associated", "url hostname", "server response", "google safe", "read c", "unicode", "png image", "rgba", "memcommit", "dock", "execution", "files location", "china flag", "china hostname", "hostname", "domain", "files ip", "address", "asn as45102", "gmt content", "certificate", "associated urls", "location china", "china asn", "as4808 china", "present aug", "object", "present apr", "present oct", "alman", "present sep", "error", "present jul", "rmndrp", "present feb", "expiration", "url https", "url http", "iocs", "review iocs", "expireswed", "samesitenone", "maxage86400", "maxage0", "server", "expires", "victina nulcac", "data upload", "extraction", "enter", "enter source", "url data", "type", "extract indic", "included iocs", "china unknown", "botnet", "folk in browser", "japan unknown", "asnone country", "as13335", "a domains", "script urls", "servers", "title", "moved", "record value", "entries", "whitelisted", "powershell", "xf9xb5xf9", "xxcexf6x8fr", "k2xe7xcbxxeaxa2", "x99x19", "x88yxf9xc858", "x83x12x8da", "zx9bx8ex84", "attempts", "yara detections", "contacted", "tags none", "file type", "pe packer", "dll compilation", "guard", "botnets" ], "references": [ "https://x.com/DenverPolice/status/1999710339584475507?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet", "x.com | 162.159.140.229 (162.159.128.0/19) AS 13335 ( CLOUDFLARENET )", "foundry.neconsside.com \u2022 http://foundry.neconsside.com", "http://foundry.neconsside.com/ \u2022 https://foundry.neconsside.com \u2022 https://foundry.neconsside", "IT Mirai | https://otx.alienvault.com/indicator/domain/miraitranslate.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America", "Russian Federation", "T\u00fcrkiye", "Netherlands" ], "malware_families": [ { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "HtBot", "display_name": "HtBot", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1481", "name": "Web Service", "display_name": "T1481 - Web Service" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8145, "domain": 1389, "FileHash-SHA256": 1545, "CIDR": 2, "hostname": 2533, "FileHash-MD5": 209, "FileHash-SHA1": 190, "email": 6, "SSLCertFingerprint": 4 }, "indicator_count": 14023, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "96 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693b7dc3cf1996347652ef92", "name": "Google Site Redirector - Tesla Hackers", "description": "Silencing. By Tesla hackers. Awful example of how any victim of a crime; can become a target of the government..\nThis is especially true when the actual perpetrators work for the government are government affiliated, very wealthy, a celebrity or someone who is deemed important. In this instance the Quasi government sought to keep target seeking and obtaining life saving medical treatment, financial settlement that she was entitled to from assault, injuries from assault, false imprisonment, punitive damgages, pain and suffering, humiliation, premise liability, permanent (whole body disability @MMI ), many other crimes. The victims suffered from a great sadness and betrayal. \n\nObviously racist Elon Musk and crew have access to all government tools. Musk, All things cyber are at his disposal as \ncontinues to abuse privilege.\n They keep playing a God they don\u2019t believe in. God is the Ultimate Avenger.", "modified": "2026-01-11T00:03:08.581000", "created": "2025-12-12T02:28:19.107000", "tags": [ "compromised_site_redirector_fromcharcode", "site_redirector", "string", "regexp", "error", "number", "sxa0", "amptoken", "optout", "retrieving", "notfound", "write", "form", "flash", "vd", "tesla hackers", "nxdomain", "passive dns", "ip address", "domain", "a nxdomain", "urls", "files", "ip related", "pulses otx", "google", "unknown", "oracle", "dynamicloader", "medium", "high", "windows", "rndhex", "write c", "rndchar", "displayname", "tofsee", "yara rule", "stream", "strings", "push", "lte all", "search otx", "ource url", "or text", "paste", "data upload", "extraction", "elon musk", "indicator role", "active related", "ipv4", "exploitsource", "url https", "url http", "desktopinternet", "title added", "pulses ipv4", "less see", "ids detections", "vuze bt", "udp connection", "contacted", "filehash", "av detections", "yara detections", "alerts", "0x8aa42", "0xe3107", "upnp", "http request", "bittorrent", "file", "module load", "t1129", "post http", "install", "execution", "malware", "hostile", "crawl", "windows nt", "wow64", "get zona", "get httpget", "hash", "entries", "read c", "suspicious", "next", "united" ], "references": [ "Tesla Hackers | https://www.teslarati.com/spacex", "Yara Detections :compromised_site_redirector_fromcharcode Alerts network_icmp js_eval recon_fingerprint", "142.250.74.142.250.74.138 _exploit_source | 142.250.74.138 _exploit_source | 142.250.74.142_exploit_source", "IDS Detections Win32/ZonaInstaller Install Beacon", "https://www.google \u2022 https://ampcid.google.com/v1/publisher \u2022\u2019https://ampcid.google.com/v1/publisher:getClientId\\", "https://tagassistant.google.com/ \u2022 https://www.google-analytics.com/debug/bootstrap?id=", "https://www.google-analytics.com/debug/bootstrap?id=\\", "https://stats.g.doubleclick.net/j/collect\\ \u2022 https://tagassistant.google.com/ \u2022 https://www.google.com/ads/ga", "https://www.google-analytics.com/gtm/js?id=\\ \u2022 https://www.googletagmanager.com/gtag/js?id= \u2022", "https://www.googletagmanager.com/gtag/js?id=\\ \u2022 https://www.google-analytics.com/gtm/js?id=", "This is why our team tells a back story. It can and does happen to anyone.", "We apologize for so may typos and errors. We strive to do better at that." ], "public": 1, "adversary": "Tesla Hackers", "targeted_countries": [], "malware_families": [ { "id": "Vd", "display_name": "Vd", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Trojan.12382640-1", "display_name": "Win.Trojan.12382640-1", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 65, "FileHash-SHA1": 34, "FileHash-SHA256": 2032, "URL": 4921, "domain": 567, "hostname": 1586, "SSLCertFingerprint": 4 }, "indicator_count": 9209, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "98 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e8cd886e0bb692e8a9d08", "name": "Blocker Ransomware affecting Apple and iCloud | Injection", "description": "Wild! Hackers attack-ack-acking!\nThey\u2019re quite good. Persistent. Angry. \nIt\u2019s the same group of hackers.", "modified": "2026-01-01T06:01:02.583000", "created": "2025-12-02T06:53:12.823000", "tags": [ "url https", "url http", "domain", "fh no", "ipv4", "united", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "pattern match", "mitre att", "ck id", "ck matrix", "ascii text", "href", "network traffic", "general", "local", "click", "strings", "learn", "name tactics", "suspicious", "informative", "found", "command", "adversaries", "spawns", "defense evasion", "dynamicloader", "windows nt", "wow64", "khtml", "gecko", "write c", "unknown", "virtool", "write", "defender", "malware", "delete", "alerts", "backdoor", "high", "ip address", "t1045", "packing", "t1055", "injection", "t1060", "run keys", "startup", "folder", "t1119", "t1027", "tools", "families", "mirai", "indicator role", "active related", "hackers", "ahmann", "usual suspects" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Backdoor:Win32/Drixed", "display_name": "Backdoor:Win32/Drixed", "target": "/malware/Backdoor:Win32/Drixed" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Ransom:Win32/Blocker.NN!MTB", "display_name": "Ransom:Win32/Blocker.NN!MTB", "target": "/malware/Ransom:Win32/Blocker.NN!MTB" }, { "id": "Unix.Trojan.Mirai-7135937-0", "display_name": "Unix.Trojan.Mirai-7135937-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1066", "name": "Indicator Removal from Tools", "display_name": "T1066 - Indicator Removal from Tools" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1408", "name": "Disguise Root/Jailbreak Indicators", "display_name": "T1408 - Disguise Root/Jailbreak Indicators" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1590.002", "name": "DNS", "display_name": "T1590.002 - DNS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 234, "FileHash-SHA1": 219, "FileHash-SHA256": 841, "URL": 2606, "domain": 298, "hostname": 772, "SSLCertFingerprint": 2, "CVE": 1 }, "indicator_count": 4973, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://tagassistant.google.com/ \u2022 https://www.google-analytics.com/debug/bootstrap?id=", "We apologize for so may typos and errors. We strive to do better at that.", "https://www.google \u2022 https://ampcid.google.com/v1/publisher \u2022\u2019https://ampcid.google.com/v1/publisher:getClientId\\", "x.com | 162.159.140.229 (162.159.128.0/19) AS 13335 ( CLOUDFLARENET )", "https://www.google-analytics.com/debug/bootstrap?id=\\", "This is why our team tells a back story. It can and does happen to anyone.", "IT Mirai | https://otx.alienvault.com/indicator/domain/miraitranslate.com", "https://x.com/DenverPolice/status/1999710339584475507?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet", "142.250.74.142.250.74.138 _exploit_source | 142.250.74.138 _exploit_source | 142.250.74.142_exploit_source", "foundry.neconsside.com \u2022 http://foundry.neconsside.com", "Tesla Hackers | https://www.teslarati.com/spacex", "https://stats.g.doubleclick.net/j/collect\\ \u2022 https://tagassistant.google.com/ \u2022 https://www.google.com/ads/ga", "https://www.google-analytics.com/gtm/js?id=\\ \u2022 https://www.googletagmanager.com/gtag/js?id= \u2022", "Yara Detections :compromised_site_redirector_fromcharcode Alerts network_icmp js_eval recon_fingerprint", "IDS Detections Win32/ZonaInstaller Install Beacon", "https://www.googletagmanager.com/gtag/js?id=\\ \u2022 https://www.google-analytics.com/gtm/js?id=", "http://foundry.neconsside.com/ \u2022 https://foundry.neconsside.com \u2022 https://foundry.neconsside" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Tesla Hackers" ], "malware_families": [ "Autoit", "Backdoor:win32/drixed", "Backdoor:win32/tofsee", "Htbot", "Win.trojan.12382640-1", "Backdoor:win32/tofsee.t", "Unix.trojan.mirai-7135937-0", "Tofsee", "#virtool:win32/obfuscator.adb", "Vd", "Ransom:win32/blocker.nn!mtb", "Virtool:win32/injector", "Mirai" ], "industries": [], "unique_indicators": 27566 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/infimotiontec.com", "whois": "http://whois.domaintools.com/infimotiontec.com", "domain": "infimotiontec.com", "hostname": "proxy.infimotiontec.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "693de4a8a72cf95b028365f0", "name": "Bot Block 162.159.128.0/19 | X Fake tweets | Tofsee", "description": "Tofsee.Trojan.T malware infection affects infected devices. \n\n\n#unlocked #injection #dead_host #compromised_devices #folk_in _browser #botnets", "modified": "2026-01-12T21:02:35.560000", "created": "2025-12-13T22:11:52.474000", "tags": [ "network", "ip address", "subnet", "dynamicloader", "port", "destination", "high", "windows", "united", "write", "tofsee", "stream", "win64", "push", "urls", "url analysis", "dnssec", "script domains", "encrypt", "url add", "http", "related nids", "flag united", "germany", "address google", "passive dns", "ipv4 add", "files", "asn as13335", "dns resolutions", "domains top", "level", "unique tlds", "location united", "asn asnone", "present dec", "backdoor", "lowfi", "win32autoit mar", "urls show", "date checked", "connection", "httponly", "secure", "path", "expiressat", "dynamic cfray", "medium", "delete c", "displayname", "show", "unknown", "next", "rndhex", "malware", "cname", "next associated", "url hostname", "server response", "google safe", "read c", "unicode", "png image", "rgba", "memcommit", "dock", "execution", "files location", "china flag", "china hostname", "hostname", "domain", "files ip", "address", "asn as45102", "gmt content", "certificate", "associated urls", "location china", "china asn", "as4808 china", "present aug", "object", "present apr", "present oct", "alman", "present sep", "error", "present jul", "rmndrp", "present feb", "expiration", "url https", "url http", "iocs", "review iocs", "expireswed", "samesitenone", "maxage86400", "maxage0", "server", "expires", "victina nulcac", "data upload", "extraction", "enter", "enter source", "url data", "type", "extract indic", "included iocs", "china unknown", "botnet", "folk in browser", "japan unknown", "asnone country", "as13335", "a domains", "script urls", "servers", "title", "moved", "record value", "entries", "whitelisted", "powershell", "xf9xb5xf9", "xxcexf6x8fr", "k2xe7xcbxxeaxa2", "x99x19", "x88yxf9xc858", "x83x12x8da", "zx9bx8ex84", "attempts", "yara detections", "contacted", "tags none", "file type", "pe packer", "dll compilation", "guard", "botnets" ], "references": [ "https://x.com/DenverPolice/status/1999710339584475507?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet", "x.com | 162.159.140.229 (162.159.128.0/19) AS 13335 ( CLOUDFLARENET )", "foundry.neconsside.com \u2022 http://foundry.neconsside.com", "http://foundry.neconsside.com/ \u2022 https://foundry.neconsside.com \u2022 https://foundry.neconsside", "IT Mirai | https://otx.alienvault.com/indicator/domain/miraitranslate.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America", "Russian Federation", "T\u00fcrkiye", "Netherlands" ], "malware_families": [ { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "HtBot", "display_name": "HtBot", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1481", "name": "Web Service", "display_name": "T1481 - Web Service" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8145, "domain": 1389, "FileHash-SHA256": 1545, "CIDR": 2, "hostname": 2533, "FileHash-MD5": 209, "FileHash-SHA1": 190, "email": 6, "SSLCertFingerprint": 4 }, "indicator_count": 14023, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "96 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693b7dc3cf1996347652ef92", "name": "Google Site Redirector - Tesla Hackers", "description": "Silencing. By Tesla hackers. Awful example of how any victim of a crime; can become a target of the government..\nThis is especially true when the actual perpetrators work for the government are government affiliated, very wealthy, a celebrity or someone who is deemed important. In this instance the Quasi government sought to keep target seeking and obtaining life saving medical treatment, financial settlement that she was entitled to from assault, injuries from assault, false imprisonment, punitive damgages, pain and suffering, humiliation, premise liability, permanent (whole body disability @MMI ), many other crimes. The victims suffered from a great sadness and betrayal. \n\nObviously racist Elon Musk and crew have access to all government tools. Musk, All things cyber are at his disposal as \ncontinues to abuse privilege.\n They keep playing a God they don\u2019t believe in. God is the Ultimate Avenger.", "modified": "2026-01-11T00:03:08.581000", "created": "2025-12-12T02:28:19.107000", "tags": [ "compromised_site_redirector_fromcharcode", "site_redirector", "string", "regexp", "error", "number", "sxa0", "amptoken", "optout", "retrieving", "notfound", "write", "form", "flash", "vd", "tesla hackers", "nxdomain", "passive dns", "ip address", "domain", "a nxdomain", "urls", "files", "ip related", "pulses otx", "google", "unknown", "oracle", "dynamicloader", "medium", "high", "windows", "rndhex", "write c", "rndchar", "displayname", "tofsee", "yara rule", "stream", "strings", "push", "lte all", "search otx", "ource url", "or text", "paste", "data upload", "extraction", "elon musk", "indicator role", "active related", "ipv4", "exploitsource", "url https", "url http", "desktopinternet", "title added", "pulses ipv4", "less see", "ids detections", "vuze bt", "udp connection", "contacted", "filehash", "av detections", "yara detections", "alerts", "0x8aa42", "0xe3107", "upnp", "http request", "bittorrent", "file", "module load", "t1129", "post http", "install", "execution", "malware", "hostile", "crawl", "windows nt", "wow64", "get zona", "get httpget", "hash", "entries", "read c", "suspicious", "next", "united" ], "references": [ "Tesla Hackers | https://www.teslarati.com/spacex", "Yara Detections :compromised_site_redirector_fromcharcode Alerts network_icmp js_eval recon_fingerprint", "142.250.74.142.250.74.138 _exploit_source | 142.250.74.138 _exploit_source | 142.250.74.142_exploit_source", "IDS Detections Win32/ZonaInstaller Install Beacon", "https://www.google \u2022 https://ampcid.google.com/v1/publisher \u2022\u2019https://ampcid.google.com/v1/publisher:getClientId\\", "https://tagassistant.google.com/ \u2022 https://www.google-analytics.com/debug/bootstrap?id=", "https://www.google-analytics.com/debug/bootstrap?id=\\", "https://stats.g.doubleclick.net/j/collect\\ \u2022 https://tagassistant.google.com/ \u2022 https://www.google.com/ads/ga", "https://www.google-analytics.com/gtm/js?id=\\ \u2022 https://www.googletagmanager.com/gtag/js?id= \u2022", "https://www.googletagmanager.com/gtag/js?id=\\ \u2022 https://www.google-analytics.com/gtm/js?id=", "This is why our team tells a back story. It can and does happen to anyone.", "We apologize for so may typos and errors. We strive to do better at that." ], "public": 1, "adversary": "Tesla Hackers", "targeted_countries": [], "malware_families": [ { "id": "Vd", "display_name": "Vd", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Trojan.12382640-1", "display_name": "Win.Trojan.12382640-1", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 65, "FileHash-SHA1": 34, "FileHash-SHA256": 2032, "URL": 4921, "domain": 567, "hostname": 1586, "SSLCertFingerprint": 4 }, "indicator_count": 9209, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "98 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e8cd886e0bb692e8a9d08", "name": "Blocker Ransomware affecting Apple and iCloud | Injection", "description": "Wild! Hackers attack-ack-acking!\nThey\u2019re quite good. Persistent. Angry. \nIt\u2019s the same group of hackers.", "modified": "2026-01-01T06:01:02.583000", "created": "2025-12-02T06:53:12.823000", "tags": [ "url https", "url http", "domain", "fh no", "ipv4", "united", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "pattern match", "mitre att", "ck id", "ck matrix", "ascii text", "href", "network traffic", "general", "local", "click", "strings", "learn", "name tactics", "suspicious", "informative", "found", "command", "adversaries", "spawns", "defense evasion", "dynamicloader", "windows nt", "wow64", "khtml", "gecko", "write c", "unknown", "virtool", "write", "defender", "malware", "delete", "alerts", "backdoor", "high", "ip address", "t1045", "packing", "t1055", "injection", "t1060", "run keys", "startup", "folder", "t1119", "t1027", "tools", "families", "mirai", "indicator role", "active related", "hackers", "ahmann", "usual suspects" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Backdoor:Win32/Drixed", "display_name": "Backdoor:Win32/Drixed", "target": "/malware/Backdoor:Win32/Drixed" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Ransom:Win32/Blocker.NN!MTB", "display_name": "Ransom:Win32/Blocker.NN!MTB", "target": "/malware/Ransom:Win32/Blocker.NN!MTB" }, { "id": "Unix.Trojan.Mirai-7135937-0", "display_name": "Unix.Trojan.Mirai-7135937-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1066", "name": "Indicator Removal from Tools", "display_name": "T1066 - Indicator Removal from Tools" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1408", "name": "Disguise Root/Jailbreak Indicators", "display_name": "T1408 - Disguise Root/Jailbreak Indicators" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1590.002", "name": "DNS", "display_name": "T1590.002 - DNS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 234, "FileHash-SHA1": 219, "FileHash-SHA256": 841, "URL": 2606, "domain": 298, "hostname": 772, "SSLCertFingerprint": 2, "CVE": 1 }, "indicator_count": 4973, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://proxy.infimotiontec.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://proxy.infimotiontec.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776631433.4964867 }