{ "type": "URL", "indicator": "https://qy.jiexigu.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://qy.jiexigu.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3376547140, "indicator": "https://qy.jiexigu.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 34, "pulses": [ { "id": "69a9cad6633206ba1204cf8f", "name": "clone school board ", "description": "", "modified": "2026-03-06T11:26:19.137000", "created": "2026-03-05T18:26:30.062000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6211397913dcdae410959042", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2975, "URL": 9041, "domain": 2214, "FileHash-SHA256": 3044, "FileHash-MD5": 280, "FileHash-SHA1": 327, "CIDR": 6, "email": 64, "CVE": 24, "SSLCertFingerprint": 6 }, "indicator_count": 17981, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a9cad78745fdea3001aec9", "name": "clone school board ", "description": "", "modified": "2026-03-06T05:11:24.929000", "created": "2026-03-05T18:26:31.303000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6211397913dcdae410959042", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2975, "URL": 9041, "domain": 2214, "FileHash-SHA256": 3044, "FileHash-MD5": 280, "FileHash-SHA1": 327, "CIDR": 6, "email": 64, "CVE": 24, "SSLCertFingerprint": 6 }, "indicator_count": 17981, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692d02f096f3ec8b5b507496", "name": "Google Drive: Share Files Online with Secure Cloud Storage | Google Workspace", "description": "nJRAT | Corrupted Google Drive sent to targets former device. Years long social engineering may have been involved. All\nIoC\u2019s Appears to involve years of social engineering. Google\ndrive service in question is a storage service based in Vietnam. | \n\nBotnet / Check-ins / Spyware / Cams. [Anon Sec Botnet subdomain name pulsed. Close directly related to zalo.me\nand tbtteams.com]\nRequires further research.\n\nThis pulse is a bit confusing due where and who it originated from.", "modified": "2025-12-31T02:01:50.101000", "created": "2025-12-01T02:52:32.483000", "tags": [ "business", "enterprise", "drive", "english", "google drive", "try drive", "business small", "workspace", "sign", "strong", "find", "life", "tools", "protect", "cloud", "simple", "android", "indonesia", "video", "mb download", "shared may", "shared", "learn", "drive drive", "name date", "javascript", "dynamicloader", "medium", "minimal headers", "high", "observed get", "get http", "united", "yara rule", "http", "write", "guard", "malware", "read c", "ms windows", "intel", "png image", "rgba", "pe32", "get na", "explorer", "music", "virlock", "media", "ho chi", "minh city", "viet nam", "storage company", "limited", "google", "address as", "luutruso", "cloudflar", "domain", "asn15169", "asn56153", "asn13335", "cisco", "umbrella rank", "apex domain", "url https", "kb stylesheet", "kb font", "kb image", "image", "kb script", "november", "resource path", "size", "type mimetype", "primary request", "redirect chain", "kb document", "urls", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "t1590 gather", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "domain address", "rsdsq jfu", "ollydbg ollydbg", "wireshark", "external", "binary file", "mitre att", "ck matrix", "aaaa", "cong ty", "co phan", "code", "province hcm", "files", "ip address", "request", "flag", "country", "contacted hosts", "process details", "link initial", "t1480 execution", "domains", "moved", "gmt content", "all ipv4", "url analysis", "location viet", "title", "error", "problem", "url add", "related nids", "files location", "flag united", "development att", "name server", "markmonitor", "localappdata", "programfiles", "edge", "hyundai", "social engineering", ".mil", "hackers", "phishing eml", "summary", "cisco umbrella", "google safe", "browsing", "current dns", "a record", "ip information", "ipasns ip", "detail domain", "domain tree", "links apex", "transfer", "b script", "b stylesheet", "frame b830", "b document", "value", "december", "degurafregistry", "gat object", "jsl object", "gapijstiming", "iframe function", "domainpath name", "nid value", "source level", "files domain", "files related", "tags", "related tags", "virustotal", "foundry", "pulse otx", "dark", "vietnam", "present aug", "present nov", "present jul", "present sep", "unknown aaaa", "search", "name servers", "present oct", "trojan", "data upload", "extraction", "se https", "include review", "exclude sugges", "find s", "failed", "typ don", "faith", "study", "romeo\u2019s", "juliettes", "femme fatales", "strategy", "honey pot", "honey traps", "spy", "helix", "anons", "passive dns", "pulse pulses", "files ip", "address", "location united", "asn as400519", "whois registrar", "ms defender", "files matching", "number", "sample analysis", "hide samples", "date hash", "cameras", "cams", "spycam", "botnet", "vietnam", "company limited", "dnssec", "status", "india unknown", "present may", "espionage", "hostname add", "generic", "cnc activity", "backdoor", "ipv4", "anonsecbotnet", "iptv" ], "references": [ "drive.google.com/", "https://foundry2-lbl.dvr.dn2.n-helix.com/", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "zalo.me | href | Binary File | ATT&CK ID T1566.002", "https://account.helix.com/activate/start", "anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022", "https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]", "Terse Unencrypted Request for Google - Likely Connectivity Check", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6", "cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com", "https://hyundaibariavungtau3s.com/vehicle/stargazer", "https://hyundaibariavungtau3s.com/vehicle/ioniq-5", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade", "https://hyundaibariavungtau3s.com/vehicle/hyundai-custin", "https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/", "https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com", "https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/", "https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com", "http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/", "http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466", "https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam", "feedback-pa.clients6.google.com/v1/survey/trigger/", "https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg", "anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Virus.Virlock-6804475-0", "display_name": "Win.Virus.Virlock-6804475-0", "target": null }, { "id": "Win.Malware.Bzub-6727003-0", "display_name": "Win.Malware.Bzub-6727003-0", "target": null }, { "id": "Win.Trojan.Generic-9801687-0", "display_name": "Win.Trojan.Generic-9801687-0", "target": null }, { "id": "NID", "display_name": "NID", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Dropper.njRAT-10015886-0", "display_name": "Win.Dropper.njRAT-10015886-0", "target": null }, { "id": "Win.Packed.Generic-9795615-0", "display_name": "Win.Packed.Generic-9795615-0", "target": null }, { "id": "Backdoor:MSIL/Bladabindi.AJ GC!", "display_name": "Backdoor:MSIL/Bladabindi.AJ GC!", "target": "/malware/Backdoor:MSIL/Bladabindi.AJ GC!" }, { "id": "Win.Packed.Generic-9795615-0\t.", "display_name": "Win.Packed.Generic-9795615-0\t.", "target": null }, { "id": "Backdoor:MSIL/Bladabindi.AJ", "display_name": "Backdoor:MSIL/Bladabindi.AJ", "target": "/malware/Backdoor:MSIL/Bladabindi.AJ" }, { "id": "Win.Packed.Fecn-7077459-0", "display_name": "Win.Packed.Fecn-7077459-0", "target": null }, { "id": "Trojan:MSIL/Ranos.A", "display_name": "Trojan:MSIL/Ranos.A", "target": "/malware/Trojan:MSIL/Ranos.A" }, { "id": "Win.Trojan.Generic-6417450-0", "display_name": "Win.Trojan.Generic-6417450-0", "target": null }, { "id": "ALF:Backdoor:MSIL/Noancooe.KA", "display_name": "ALF:Backdoor:MSIL/Noancooe.KA", "target": null }, { "id": "Win.Packed.Msilperseus-9956592-0", "display_name": "Win.Packed.Msilperseus-9956592-0", "target": null }, { "id": "Trojan:MSIL/ClipBanker", "display_name": "Trojan:MSIL/ClipBanker", "target": "/malware/Trojan:MSIL/ClipBanker" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1194", "name": "Spearphishing via Service", "display_name": "T1194 - Spearphishing via Service" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1911, "hostname": 714, "FileHash-SHA256": 1304, "FileHash-MD5": 159, "FileHash-SHA1": 71, "SSLCertFingerprint": 2, "domain": 421, "CVE": 1, "email": 4 }, "indicator_count": 4587, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67fe9f3c682800301b89c556", "name": "Sitemap This page shows the most recent scans (manual, API, automatic) to be picked up by spiders.", "description": "https://urlscan.io/sitemap/", "modified": "2025-09-01T08:05:18.611000", "created": "2025-04-15T18:02:36.693000", "tags": [ "new run", "key pointing", "run key", "roth", "nextron", "markus neis", "sander wiebing", "public", "imagestartswith", "delnoderundll32", "vhash", "imphash", "rich pe", "ssdeep", "data sheetfinal", "wbn1", "mobil ip", "hsotu tin", "firmar", "statement", "ebook", "uwaaj moesz" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 168, "FileHash-MD5": 106, "FileHash-SHA1": 101, "FileHash-SHA256": 415, "hostname": 63, "domain": 61, "CVE": 1 }, "indicator_count": 915, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68629f622fe936e3141a1ed0", "name": "APT33 (by ilyailya)", "description": "", "modified": "2025-06-30T14:29:54.892000", "created": "2025-06-30T14:29:54.892000", "tags": [ "apfs encryption", "adguard extra", "jumpcloud go", "chrome web", "store", "privacy badger", "safety checker", "stay", "mywot", "flowcrypt", "encrypt gmail", "simple", "facebook", "apollo", "future", "assistant", "excbreakpoint", "sigtrap", "excguard", "renderer", "vallumes", "excbadaccess", "sigsegv", "helper", "chrome helper", "exccrash", "rave scout", "cookies", "public folder", "browsersignin", "denyactivation", "disableoverride", "loginwindowtext", "jumpcloud", "disableairdrop", "enablefirewall", "macos14action", "macos13action", "showfullname", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "yubico", "daemon", "service", "server", "open directory", "account", "kerberos admin", "kerberos change", "io daemon", "device daemon", "network", "bridge", "desktop", "installer", "calendar", "screensaver", "agent", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "command line", "cloud", "remote assist", "aesxtsarm", "aesecbarm", "darwin kernel", "version", "fri apr", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "user", "coregraphics", "quartzcore", "dock", "corefoundation", "cgimage", "cgcolorspace", "load address", "identifier", "build info", "code type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6816697e166bba8972d8d4a3", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 125, "hostname": 402, "FileHash-SHA256": 38, "URL": 582, "CVE": 1 }, "indicator_count": 1148, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "292 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6816697e166bba8972d8d4a3", "name": "APT33", "description": "APT33", "modified": "2025-06-02T18:02:26.651000", "created": "2025-05-03T19:07:42.325000", "tags": [ "apfs encryption", "adguard extra", "jumpcloud go", "chrome web", "store", "privacy badger", "safety checker", "stay", "mywot", "flowcrypt", "encrypt gmail", "simple", "facebook", "apollo", "future", "assistant", "excbreakpoint", "sigtrap", "excguard", "renderer", "vallumes", "excbadaccess", "sigsegv", "helper", "chrome helper", "exccrash", "rave scout", "cookies", "public folder", "browsersignin", "denyactivation", "disableoverride", "loginwindowtext", "jumpcloud", "disableairdrop", "enablefirewall", "macos14action", "macos13action", "showfullname", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "yubico", "daemon", "service", "server", "open directory", "account", "kerberos admin", "kerberos change", "io daemon", "device daemon", "network", "bridge", "desktop", "installer", "calendar", "screensaver", "agent", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "command line", "cloud", "remote assist", "aesxtsarm", "aesecbarm", "darwin kernel", "version", "fri apr", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "user", "coregraphics", "quartzcore", "dock", "corefoundation", "cgimage", "cgcolorspace", "load address", "identifier", "build info", "code type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 125, "hostname": 402, "FileHash-SHA256": 38, "URL": 582, "CVE": 1 }, "indicator_count": 1148, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "320 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67f5555b6ce863d998e83e26", "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net", "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.", "modified": "2025-05-11T19:03:59.885000", "created": "2025-04-08T16:56:59.641000", "tags": [ "generated from", "do not", "edit uri", "urls", "edit", "rewriteengine", "rewritecond", "rewriterule", "r301", "xml2encalias", "beralloct", "berbvarrayadd", "berbvarrayfree", "berbvdup", "berbvecadd", "berbvecfree", "berbvfree", "berdump", "berdup", "berdupbv", "laerrordomain", "laerrornoncekey", "lamechanismtree", "lacontext", "ladomainstate", "laenvironment", "lanotification", "laprivatekey", "lapublickey", "laright", "apple swift", "o librarylevel", "combine import", "foundation", "swift import", "mcpeerid", "mcsession", "property", "copyright", "protocol", "class", "bonjour", "ascii lowercase", "abc company", "section", "bonjour txt", "note", "ui element", "utf8 encoding", "nscopying", "nsdictionary", "nsstring", "mcextern", "attribute", "mcextern extern", "mcexternweak", "nsenum", "nsinteger", "mcerrorcode", "mcerrorunknown", "mcerrortimedout", "peer", "example", "bonjour apis", "stop", "tags", "session", "nsprogress", "nserror", "nsurl", "nsarray", "create", "nsuinteger", "notifies", "mcsession api", "interface", "dbictrace", "dbivporth", "dbictracelevel", "dbdtffoo", "dbihseterrchar", "dbicstate", "dbictraceflags", "provides macros", "dbi release", "only", "sqlsuccess", "odbc", "sqlok", "tim bunce", "england", "sql cli", "sql datatype", "sqlguid", "sqlwlongvarchar", "main", "beware", "sv sth", "sv dbh", "impsth", "impdbh", "sv keysv", "sv params", "sv attr", "sv attribs", "sv drh", "void", "fri jul", "mixed", "dbixsrevision", "plsvundef", "license", "spagain", "perlioprintf", "dbiclogpio", "putback", "ireland", "gnu general", "super", "magic", "dbicflags", "dbis", "svrv", "null", "imp2com", "dbicactivekids", "dbicfiadestroy", "sv h", "dbicdbistate", "code", "copy", "refer", "trace", "error", "unknown", "hookopcheckh", "startexternc", "hookopcheckcb", "userdata", "endexternc", "isinternalbuild", "kickmcxdforuid", "loadappkit", "ardconfig", "authenticator", "dsauthenticator", "dsnode", "dsrecord", "group", "hostconfig", "apfsvolumelock", "apfsvolumerole", "aoskgetosinfo", "aoskgetuserinfo", "aosaddappleid", "aosdisablepcs", "aosenablepcs", "aoslog", "aoslogforce", "aosrelaycookie", "didfailcallback", "kaosaccountkey", "kapcsbundle", "kapcspath", "kjsonextension", "apcsbucketid", "apcsreports", "apconfiguration", "apversiondata", "apversionhelper", "systemvolumesvm", "name size", "identifier", "gb disk0s3", "devdisk3", "apfs container", "scheme", "physical store", "macintosh hd", "apfs snapshot", "preboot", "refs address", "size wired", "name", "version", "uuid", "linked against", "renderer", "helper", "chrome helper", "contains", "cloud ui", "macintosh", "khtml", "gecko", "ui helper", "plugin", "service", "good", "battery power", "apfs encryption", "jumpcloud go", "chrome web", "store", "privacy badger", "flowcrypt", "encrypt gmail", "simple", "google", "b2b phone", "number", "apollo", "future", "exccrash", "sigkill", "code signature", "invalid", "sigabrt", "protonvpn", "excguard", "excbreakpoint", "sigtrap", "excbadaccess", "appl", "english", "adobe crash", "adobe", "acrobat dcadobe", "processor", "uninstaller", "assistant", "install", "cloud", "dock", "calendar", "music", "terminal", "tips", "installer", "updater", "proton", "tools", "stub", "python", "clock", "powershell", "team", "rave scout", "cookies", "public folder", "key cert", "sign", "crl sign", "root ca", "authority", "public primary", "global root", "verisign", "academic", "premium", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "agent", "command line", "progress", "yubico", "macos13action", "disableoverride", "disableairdrop", "denyactivation", "enable", "loginwindowtext", "jumpcloud", "autoupdate", "loggingoption", "enablefirewall", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "daemon", "server", "open directory", "user", "account", "kerberos admin", "kerberos change", "device daemon", "network", "desktop", "screensaver", "bridge", "aesxtsarm", "aesecbarm", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "darwin kernel", "wed mar", "wkarraycreate", "wkbooleancreate", "wkcontextcreate", "wkdatacreate", "wkdatagettypeid", "wkdoublecreate", "wkframecopyurl", "wkgettypeid", "wkimagecreate", "wkpagecandelete", "webview", "notice", "this software", "including", "but not", "limited to", "redistribution", "is provided", "by apple", "direct", "damage", "apiavailable", "webkit", "nsswiftname", "document", "a block", "as is", "hasinclude", "wkdownload", "abstract", "wkerrorcode", "wkerrorunknown", "discussion", "bool", "whether", "wkcontentworld", "wkwebview", "javascript", "nsunavailable", "vaargs", "nsswiftasync", "wkswiftasync", "wkcookiepolicy", "wkswiftuiactor", "nshttpcookie", "targetosiphone", "wknavigation", "decides", "boolean value", "apideprecated", "methodkind", "wkerrordomain", "wkscriptmessage", "promise", "fulfill", "const", "url scheme", "mark", "wkuserscript", "targetosvision", "param", "wkframeinfo", "targetosios", "pass", "window", "mime type", "link", "nsimage", "returns", "nsset", "checks", "matches", "a boolean", "defaults", "wkwebextension", "cgsize", "uiimage", "apis", "nsdate", "wkcontentmode", "wkextern", "possible", "cgfloat", "media", "cgrect", "apiunavailable", "framework", "nsswiftuiactor", "targetoswatch", "confirms", "apple upgrade", "nsstring user", "nsobject", "provider", "apple", "password", "uicontrol", "nscontrol", "asuseragerange", "check", "opaque user", "apple id", "initiate", "asauthorization", "operation", "state", "nserrorenum", "nsdata", "relying party", "asapiavailable", "perform", "realm", "http response", "authorization", "http", "oauth", "saml", "a byte", "nsdata userid", "relying", "a string", "nsdata readdata", "bool didwrite", "a cose", "nsdata first", "nsdata second", "nsstring name", "bool appid", "targetosxr", "nsstring appid", "bluetooth", "mdm profile", "nsurl url", "returns yes", "a state", "a json", "web token", "private seckeys", "enables", "keychain", "asswiftsendable", "cose algorithm", "ecdsa", "sha256", "cose curve", "p256", "nullable", "bool success", "remove", "call", "complete", "initializes", "time code", "extensions", "asextern extern", "asextern", "nsswiftsendable", "prepare", "list", "nsextension", "attempt", "nsstring label", "creates", "nsstring code", "a key", "webauthn", "nssecurecoding", "input", "output", "initialize", "nsinteger rank", "json", "inputs", "hash", "nsstring origin", "settings app", "extension", "https urls", "safari", "cancel", "nsuuid uuid", "r uftpexu", "nsmutabledata", "vnsdate", "mprcjy", "postfix", "domain", "canonical", "tables", "ldap", "post", "replace user", "address", "wietse venema", "bugs", "mail", "aliases", "postfix version", "restrict", "sample", "person", "basic system", "general", "reject empty", "postfix smtp", "ipv6 host", "reject", "reply", "access", "prior", "hold", "info", "mail delivery", "charset", "system", "report", "postfix dsn", "mail returned", "this", "generic", "smtp", "isp mail", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "write", "date", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "unix", "cyrus", "path", "uucp", "shell", "local", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "file", "update", "usrsbin", "file format", "no group", "daemondirectory", "deliver mail", "transport", "description", "result format", "virtual", "virtual alias", "redirect mail", "relocated", "matches user", "synopsis", "lastname", "firstname", "apple computer", "tcpip", "supported", "quantum", "facility", "level", "level info", "broadcast", "ignore", "rules", "sender", "automounter map", "use directory", "get home", "home autohome", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "kernel", "readline", "jabber", "group database", "dovecot", "postfix scsd", "networkd", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "status mailfrom", "returnpath via", "pidfile", "flags", "bcgjnuwz", "bin usrsbin", "sbin", "default pf", "care", "audio", "user database", "unix copy", "gate daemon", "bashno", "r etcbashrc", "rfc1323", "m1460", "macos x", "signature", "linux", "opera", "xp sp1", "windows sp1", "nmap syn", "m265", "synack", "mind", "macos", "warp", "ipv6", "internet", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "networkup", "term", "devnull", "common setup", "configure", "set command", "dns hostname", "dns query", "see also", "kame", "sunnet manager", "rpcsrc", "netlicense", "ftpd", "bindash binksh", "binsh bintcsh", "jumpcloud ldap", "smb2", "security", "workgroup", "standalone", "samba server", "enforce", "smb3", "example share", "improper use", "ctrlc", "none", "fax reception", "hardwired", "0007", "must", "visudo", "blocksize", "charset lang", "language lcall", "lines columns", "lscolors", "sshauthsock", "orion", "setup user", "home", "zdotdir", "delete", "beep", "vendor", "kf10", "kf11", "kf12", "kf13", "backspace", "insert", "resume", "termsessionid", "savehist", "sharehistory", "h do", "volume", "de l", "l uuid", "m tra", "n est", "suuid", "prfen", "fusion", "syst", "look", "executant", "alla", "over", "test", "overie", "zapis", "rapid", "disco usa", "de macos", "nie s", "i denne", "adgjmpsvx", "diskgthis disk", "01k8x j", "34disk", "levy kytt", "dict", "array", "plist", "apple root", "code signing", "inode64r", "xofkoxzh", "integer", "doctype", "brain", "abcd", "ogwo", "boaw", "cobwa", "uhawavauatsh", "ip bitmap", "foewdc", "could", "ip block", "funcs", "cogwo", "trash", "double", "hunt", "affa", "carr", "crypto", "docwbac", "q1b0", "q1 0", "h h5", "docwbag", "slice", "format", "zero", "alfa", "hera", "lelei", "hehe", "hisp", "fail", "katy", "zakk", "eodwcbgao", "hhk8di", "alma", "topo", "open", "huhk", "piper", "hehx", "eh ui", "h20hph", "hif h", "hmhhihqhyla hq", "r11b0", "target", "uus10u", "hifh", "loghookfailed", "loghook", "hell", "q1b 0", "f duh", "aqw1", "1160" ], "references": [ "index.html.en", "bind.html", "caching.html", "BUILDING", "configuring.html", "content-negotiation.html", "custom-error.html", "convenience.map", "LDAP.tbd", "lber.h", "ldap.h", "LocalAuthentication.tbd", "arm64e-apple-macos.swiftinterface", "x86_64-apple-ios-macabi.swiftinterface", "arm64e-apple-ios-macabi.swiftinterface", "x86_64-apple-macos.swiftinterface", "MultipeerConnectivity.tbd", "module.modulemap", "MCNearbyServiceAdvertiser.h", "MCPeerID.h", "MCError.h", "MCNearbyServiceBrowser.h", "MCAdvertiserAssistant.h", "MultipeerConnectivity.apinotes", "MultipeerConnectivity.h", "MCSession.h", "MCBrowserViewController.h", "dbivport.h", "dbi_sql.h", "dbd_xsh.h", "dbixs_rev.h", "Driver_xst.h", "DBIXS.h", "hook_op_check.h", "Admin.tbd", "AirPlayReceiver.tbd", "apfs_boot_mount.tbd", "AOSKit.tbd", "APConfigurationSystem.tbd", "AppleFirmwareUpdate.tbd", "launchdaemons.txt", "preboot_archive_errors.log", "mounts.txt", "launchagents.txt", "disk_structure.txt", "user_launchagents.txt", "security_status.txt", "kexts.txt", "process_list.txt", "battery.csv", "diskEncryption.csv", "chromeExtensions.csv", "crashes.csv", "interfaceAddrs.csv", "kernel.csv", "interfaceDetails.csv", "etcHosts.csv", "applications.csv", "mounts.csv", "sharedFolders.csv", "certificates.csv", "sharingPreferences.csv", "launchD.csv", "usbDevices.csv", "managedPolicies.csv", "systemInfo.csv", "users.csv", "sipConfig.csv", "systemControls.csv", "canonical", "aliases", "custom_header_checks", "access", "bounce.cf.default", "generic", "header_checks", "main.cf.default", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "main.cf.proto", "master.cf.proto", "master.cf", "TLS_LICENSE", "postfix-files", "transport", "virtual", "relocated", "afpovertcp.cfg", "asl.conf", "auto_home", "auto_master", "autofs.conf", "bashrc_Apple_Terminal", "com.apple.screensharing.agent.launchd", "bashrc", "command_args.json", "csh.cshrc", "csh.login", "find.codes", "csh.logout", "ftpusers", "gettytab", "irbrc", "kern_loader.conf", "group", "locate.rc", "man.conf", "mail.rc", "manpaths", "networks", "nfs.conf", "newsyslog.conf", "ntp_opendirectory.conf", "ntp.conf", "notify.conf", "paths", "pf.conf", "passwd", "profile", "pf.os", "protocols", "rc.netboot", "rc.common", "rmtab", "resolv.conf", "rtadvd.conf", "rpc", "shells", "smb.conf", "sudo_lecture", "ttys", "syslog.conf", "xtab", "sudoers", "zprofile", "zshrc", "zshrc_Apple_Terminal", "CodeResources", "version.plist", "Info.plist" ], "public": 1, "adversary": "DragonForce Malaysia Hacker Group", "targeted_countries": [], "malware_families": [ { "id": "Lastname", "display_name": "Lastname", "target": null }, { "id": "Firstname", "display_name": "Firstname", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 4449, "domain": 3847, "URL": 14263, "FileHash-SHA256": 2356, "FileHash-MD5": 223, "FileHash-SHA1": 523, "email": 223, "CVE": 40, "CIDR": 12, "SSLCertFingerprint": 302 }, "indicator_count": 26238, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "342 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6783747341bbde9b111920d8", "name": "SP10 \u2013 Szko\u0142a Podstawowa nr 10 im. Marii Sk\u0142odowskiej-Curie w Jeleniej G\u00f3rze", "description": "CVE-2024-1975\nHere is a full list of annotations and links to the work of the University ofzechoslovakia's research team, which has been working on the topic for the past two years. \u00c2\u00a31.", "modified": "2025-02-11T07:03:07.817000", "created": "2025-01-12T07:51:13.989000", "tags": [ "user", "datamodule info", "sha256", "ssdeep", "hashes cape", "sandbox", "zenbox", "file system", "color space", "cache c", "shell" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28, "FileHash-MD5": 9, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "URL": 248, "hostname": 39, "CVE": 2 }, "indicator_count": 331, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "432 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "671fd3b07ffb71116f2db7fa", "name": "dragonforce.io", "description": "Throw your MacBook in the trash, where the hackers belong.", "modified": "2024-11-27T17:01:13.516000", "created": "2024-10-28T18:10:56.355000", "tags": [ "copyright", "apple computer", "tcpip", "supported", "quantum", "postfix", "mail", "aliases", "postfix version", "restrict", "wietse venema", "sample", "note", "person", "basic system", "general", "column", "tiff", "linus walleij", "triad", "greg roelofs", "html", "daniel quinlan", "aiff", "music", "wave", "formats", "magic", "form", "crunch", "freeze", "maker", "format", "postscript", "this", "ifmodule", "include", "virtualhost", "directory", "require", "serverroot", "listen", "ifdefine", "loadmodule", "errordocument", "apache", "win32", "example", "main", "webdav", "internet", "mime type", "xlm xla", "xlc xlt", "xlam", "xlsb", "xlsm", "xltm", "z7 z8", "xhtml xht", "addiconbytype", "adddescription", "fancyindexed", "gzip", "indexignore", "indexes", "versionsort", "fancyindexing", "alias icons", "full", "minrate500", "keepalive", "prod", "email", "apache http", "server", "timeout", "number", "minimal", "major", "addlanguage", "addcharset", "defaultlanguage", "fallback", "polish", "addlanguage pl", "catalan", "english", "greekmodern", "korean", "turkish", "browsermatch", "davlockdb", "requireany", "usergroup", "alias", "authtype digest", "davupload admin", "authuserfile", "errorhttp", "http", "yourincludepath", "apache version", "serversignature", "alias error", "addhandler", "threadsperchild", "startservers", "minsparethreads", "maxsparethreads", "maximum number", "pidfile", "mpms", "threadstacksize", "extendedstatus", "change", "sethandler", "require host", "get information", "allow server", "allow", "userdir sites", "control access", "userdir", "sslsessioncache", "configure", "ocsp stapling", "ssl engine", "sslrequire", "ssltls standard", "prng", "sslrandomseed", "openssl", "high", "first", "refer", "servername", "virtualhost 80", "serveradmin", "documentroot", "errorlog", "customlog", "hosts", "please", "almost", "loadfile c", "proxyhtmllinks", "ascii", "unicode", "windows", "must", "location", "w3c html", "directoryindex", "allowoverride", "manual", "provide access", "options indexes", "files", "removetype tr", "traditionally", "addlanguage da", "addtype", "a facility", "claim", "file", "level error", "sender", "store", "level", "facility", "category", "time", "host", "threadid", "function", "line", "message", "guest", "access", "kernel", "usereventagent", "springboard", "message sep", "message mc", "message secure", "ca message", "multitouchhid", "use directory", "home autohome", "automounter map", "get home", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "level info", "broadcast", "ignore", "rules", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "terminal", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "limit", "order deny", "authtype", "default require", "require user", "owner", "authkey", "lpadmin", "order", "system", "local", "cups scheduler", "list", "synconclose no", "default user", "user lp", "group lp", "group value", "restrict access", "cups", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "host database", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "readline", "error", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "status mailfrom", "returnpath via", "open directory", "jabber", "group database", "cyrus", "calendar", "dovecot", "postfix scsd", "networkd", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "flags", "bcgjnuwz", "d0 j", "ldap defaults", "base dcexample", "uri ldap", "sizelimit", "timelimit", "deref", "syntax", "kerberos", "name", "corba object", "desc", "schema", "openldap", "redistribution", "public license", "license", "collective", "shall not", "ldap", "co llective", "equality", "sup name", "structural must", "singlevalue", "auxiliary must", "auxiliary may", "guid", "desc account", "desc mount", "desc password", "service", "info", "tiger", "multi", "d esc", "rfc1274", "structural may", "quality", "substr caseigno", "corba", "ldap directory", "reserved", "ldap server", "dynamic group", "netscape", "not recommended", "for production", "attribute", "name managedby", "name leaf", "duas", "internetdrafts", "coast", "project", "java object", "java class", "de sc", "pkcs", "inetorgperson", "rfc2798", "signeddata", "smime", "openldap note", "hold", "code", "java", "jndi reference", "jndi", "with syntax", "definitions", "kerberos v", "kdc schema", "oid base", "size", "subclass of", "may contain", "objectclass", "must contain", "matches for", "obsolete", "des c", "abstract must", "sup person", "microsoft", "advanced server", "schema mapping", "netinfo", "config", "groups", "netinfo preset", "crypt", "netinfo rpcs", "rpcs number", "oncrpcnumber", "ipnetmasknumber", "assistant", "may description", "rfc2307", "rfc2252", "match syntax", "openldaproot", "openldaporg", "openldapou", "equal ity", "kind", "rule", "attcertpath", "rolesyntax", "ldif", "blank", "ldap entry", "spaces", "cosine pilot", "directory forum", "password policy", "false", "april", "auxiliary", "passwd", "account", "desc pool", "unix", "structural", "sup rpcentry", "sup container", "abstract may", "sup ipsecbase", "Chelsea Manning Help Me", "Aishah Siti Lazim", "Aishah Lazim", "194 Green Street", "Human Subjects", "cybernetic", "RNA molecule", "matches", "postfix smtp", "domain", "ipv6 host", "reject", "reply", "prior", "bugs", "reject empty", "canonical", "tables", "post", "replace user", "address", "generic", "smtp", "isp mail", "mail delivery", "charset", "report", "postfix dsn", "mail returned", "only", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "pass", "write", "date", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "path", "beware", "class", "uucp", "shell", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "update", "usrsbin", "file format", "no group", "daemondirectory", "relocated", "matches user", "synopsis", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "virtual", "virtual alias", "redirect mail", "deliver mail", "transport", "description", "result format", "bashno", "r etcbashrc", "protocol", "ipv6", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "kame", "id key", "specification", "auto exit", "vpn socket", "networkup", "term", "devnull", "common setup", "set command", "sunnet manager", "rpcsrc", "netlicense", "apple", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "auditing", "solaris", "openbsm", "secsrvr", "allocation", "bsm event", "solaris kernel", "openbsm kernel", "solaris auemac", "solaris umount", "integer", "array", "data", "state", "opendirectoryd", "ipv4", "plist", "dict", "session", "commcenter", "airport", "cfbasichash", "thread", "cfrunloop", "cfrunloopmode", "usrbinsudo", "usrsbinnetbiosd", "removed" ], "references": [ "afpovertcp.cfg", "aliases", "magic", "httpd.conf", "mime.types", "httpd-autoindex.conf", "httpd-default.conf", "httpd-languages.conf", "httpd-dav.conf", "httpd-multilang-errordoc.conf", "httpd-mpm.conf", "httpd-info.conf", "httpd-userdir.conf", "httpd-ssl.conf", "httpd-vhosts.conf", "proxy-html.conf", "httpd-manual.conf", "php7.conf", "mpm.conf", "com.apple.eventmonitor", "com.apple.authd", "com.apple.cdscheduler", "com.apple.contacts.ContactsAutocomplete", "com.apple.install", "com.apple.coreduetd", "com.apple.login.guest", "com.apple.mkb", "com.apple.mail", "com.apple.MessageTracer", "com.apple.mkb.internal", "com.apple.iokit.power", "com.apple.performance", "com.apple.networking.boringssl", "auto_master", "auto_home", "bashrc", "asl.conf", "autofs.conf", "bashrc_Apple_Terminal", "csh.cshrc", "csh.logout", "com.apple.screensharing.agent.launchd", "csh.login", "cupsd.conf", "cups-files.conf.default", "cupsd.conf.O", "cupsd.conf.default", "cups-files.conf", "snmp.conf", "snmp.conf.default", "dragonforce.io", "find.codes", "ftpusers", "hosts.equiv", "gettytab", "hosts", "kern_loader.conf", "irbrc", "locate.rc", "mail.rc", "group", "man.conf", "networks", "manpaths", "newsyslog.conf", "com.apple.slapconfig.conf", "files.conf", "com.apple.xscertd.conf", "wifi.conf", "com.apple.slapd.conf", "nfs.conf", "ntp.conf", "notify.conf", "ntp_opendirectory.conf", "AppleOpenLDAP.plist", "ldap.conf", "ldap.conf.default", "apple_auxillary.schema", "corba.ldif", "collective.schema", "collective.ldif", "core.ldif", "apple.schema", "cosine.ldif", "core.schema", "corba.schema", "duaconf.ldif", "dyngroup.ldif", "fmserver.schema", "duaconf.schema", "java.ldif", "inetorgperson.schema", "inetorgperson.ldif", "java.schema", "krb5-kdc.schema", "cosine.schema", "misc.ldif", "microsoft.std.schema", "misc.schema", "netinfo.schema", "nis.schema", "nis.ldif", "openldap.schema", "dyngroup.schema", "pmi.ldif", "ppolicy.ldif", "pmi.schema", "openldap.ldif", "README", "ppolicy.schema", "samba.schema", "microsoft.schema", "access", "custom_header_checks", "canonical", "generic", "bounce.cf.default", "header_checks", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "master.cf", "main.cf.proto", "master.cf.proto", "postfix-files", "relocated", "TLS_LICENSE", "virtual", "main.cf.default", "transport", "profile", "protocols", "racoon.conf", "rmtab", "rc.common", "rpc", "rtadvd.conf", "rc.netboot", "audit_class", "audit_warn", "audit_event", "audit_control" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Bahrain", "Israel", "India" ], "malware_families": [ { "id": "DirectoryIndex", "display_name": "DirectoryIndex", "target": null }, { "id": "AllowOverride", "display_name": "AllowOverride", "target": null }, { "id": "Malaysia, Truly Asia", "display_name": "Malaysia, Truly Asia", "target": null }, { "id": "9002 RAT", "display_name": "9002 RAT", "target": null }, { "id": "Virus:DOS/PSMPC_386", "display_name": "Virus:DOS/PSMPC_386", "target": "/malware/Virus:DOS/PSMPC_386" }, { "id": "TEL:TrojanSpy:Win32/KediRat", "display_name": "TEL:TrojanSpy:Win32/KediRat", "target": null }, { "id": "TrojanSpy:iOS/XcodeGhost", "display_name": "TrojanSpy:iOS/XcodeGhost", "target": "/malware/TrojanSpy:iOS/XcodeGhost" }, { "id": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "display_name": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "target": null }, { "id": "Ultra VNC", "display_name": "Ultra VNC", "target": null }, { "id": "TrojanDownloader:Win32/Bridge", "display_name": "TrojanDownloader:Win32/Bridge", "target": "/malware/TrojanDownloader:Win32/Bridge" }, { "id": "Virus:DOS/Cyberwar_5300", "display_name": "Virus:DOS/Cyberwar_5300", "target": "/malware/Virus:DOS/Cyberwar_5300" }, { "id": "Backdoor:Win32/Espion", "display_name": "Backdoor:Win32/Espion", "target": "/malware/Backdoor:Win32/Espion" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - S0316", "display_name": "Pegasus for Android - S0316", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:BackdoorLinux/Mirai", "display_name": "ALF:HeraklezEval:BackdoorLinux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1001.002", "name": "Steganography", "display_name": "T1001.002 - Steganography" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1001.001", "name": "Junk Data", "display_name": "T1001.001 - Junk Data" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1026", "name": "Multiband Communication", "display_name": "T1026 - Multiband Communication" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1025", "name": "Data from Removable Media", "display_name": "T1025 - Data from Removable Media" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Media", "LGBTQ+ Activists", "Technology", "Telecommunications", "Hospitality", "Energy", "NGO", "Semiconductor", "Human Subjects" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ravescoutllc.", "id": "288912", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 669, "URL": 1976, "email": 21, "hostname": 1198, "FileHash-SHA256": 277, "CVE": 2, "CIDR": 3 }, "indicator_count": 4146, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "507 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "671fd3afa974b93284d6bac1", "name": "dragonforce.io", "description": "Throw your MacBook in the trash, where the hackers belong.", "modified": "2024-11-27T17:01:13.516000", "created": "2024-10-28T18:10:55.712000", "tags": [ "copyright", "apple computer", "tcpip", "supported", "quantum", "postfix", "mail", "aliases", "postfix version", "restrict", "wietse venema", "sample", "note", "person", "basic system", "general", "column", "tiff", "linus walleij", "triad", "greg roelofs", "html", "daniel quinlan", "aiff", "music", "wave", "formats", "magic", "form", "crunch", "freeze", "maker", "format", "postscript", "this", "ifmodule", "include", "virtualhost", "directory", "require", "serverroot", "listen", "ifdefine", "loadmodule", "errordocument", "apache", "win32", "example", "main", "webdav", "internet", "mime type", "xlm xla", "xlc xlt", "xlam", "xlsb", "xlsm", "xltm", "z7 z8", "xhtml xht", "addiconbytype", "adddescription", "fancyindexed", "gzip", "indexignore", "indexes", "versionsort", "fancyindexing", "alias icons", "full", "minrate500", "keepalive", "prod", "email", "apache http", "server", "timeout", "number", "minimal", "major", "addlanguage", "addcharset", "defaultlanguage", "fallback", "polish", "addlanguage pl", "catalan", "english", "greekmodern", "korean", "turkish", "browsermatch", "davlockdb", "requireany", "usergroup", "alias", "authtype digest", "davupload admin", "authuserfile", "errorhttp", "http", "yourincludepath", "apache version", "serversignature", "alias error", "addhandler", "threadsperchild", "startservers", "minsparethreads", "maxsparethreads", "maximum number", "pidfile", "mpms", "threadstacksize", "extendedstatus", "change", "sethandler", "require host", "get information", "allow server", "allow", "userdir sites", "control access", "userdir", "sslsessioncache", "configure", "ocsp stapling", "ssl engine", "sslrequire", "ssltls standard", "prng", "sslrandomseed", "openssl", "high", "first", "refer", "servername", "virtualhost 80", "serveradmin", "documentroot", "errorlog", "customlog", "hosts", "please", "almost", "loadfile c", "proxyhtmllinks", "ascii", "unicode", "windows", "must", "location", "w3c html", "directoryindex", "allowoverride", "manual", "provide access", "options indexes", "files", "removetype tr", "traditionally", "addlanguage da", "addtype", "a facility", "claim", "file", "level error", "sender", "store", "level", "facility", "category", "time", "host", "threadid", "function", "line", "message", "guest", "access", "kernel", "usereventagent", "springboard", "message sep", "message mc", "message secure", "ca message", "multitouchhid", "use directory", "home autohome", "automounter map", "get home", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "level info", "broadcast", "ignore", "rules", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "terminal", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "limit", "order deny", "authtype", "default require", "require user", "owner", "authkey", "lpadmin", "order", "system", "local", "cups scheduler", "list", "synconclose no", "default user", "user lp", "group lp", "group value", "restrict access", "cups", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "host database", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "readline", "error", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "status mailfrom", "returnpath via", "open directory", "jabber", "group database", "cyrus", "calendar", "dovecot", "postfix scsd", "networkd", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "flags", "bcgjnuwz", "d0 j", "ldap defaults", "base dcexample", "uri ldap", "sizelimit", "timelimit", "deref", "syntax", "kerberos", "name", "corba object", "desc", "schema", "openldap", "redistribution", "public license", "license", "collective", "shall not", "ldap", "co llective", "equality", "sup name", "structural must", "singlevalue", "auxiliary must", "auxiliary may", "guid", "desc account", "desc mount", "desc password", "service", "info", "tiger", "multi", "d esc", "rfc1274", "structural may", "quality", "substr caseigno", "corba", "ldap directory", "reserved", "ldap server", "dynamic group", "netscape", "not recommended", "for production", "attribute", "name managedby", "name leaf", "duas", "internetdrafts", "coast", "project", "java object", "java class", "de sc", "pkcs", "inetorgperson", "rfc2798", "signeddata", "smime", "openldap note", "hold", "code", "java", "jndi reference", "jndi", "with syntax", "definitions", "kerberos v", "kdc schema", "oid base", "size", "subclass of", "may contain", "objectclass", "must contain", "matches for", "obsolete", "des c", "abstract must", "sup person", "microsoft", "advanced server", "schema mapping", "netinfo", "config", "groups", "netinfo preset", "crypt", "netinfo rpcs", "rpcs number", "oncrpcnumber", "ipnetmasknumber", "assistant", "may description", "rfc2307", "rfc2252", "match syntax", "openldaproot", "openldaporg", "openldapou", "equal ity", "kind", "rule", "attcertpath", "rolesyntax", "ldif", "blank", "ldap entry", "spaces", "cosine pilot", "directory forum", "password policy", "false", "april", "auxiliary", "passwd", "account", "desc pool", "unix", "structural", "sup rpcentry", "sup container", "abstract may", "sup ipsecbase", "Chelsea Manning Help Me", "Aishah Siti Lazim", "Aishah Lazim", "194 Green Street", "Human Subjects", "cybernetic", "RNA molecule", "matches", "postfix smtp", "domain", "ipv6 host", "reject", "reply", "prior", "bugs", "reject empty", "canonical", "tables", "post", "replace user", "address", "generic", "smtp", "isp mail", "mail delivery", "charset", "report", "postfix dsn", "mail returned", "only", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "pass", "write", "date", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "path", "beware", "class", "uucp", "shell", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "update", "usrsbin", "file format", "no group", "daemondirectory", "relocated", "matches user", "synopsis", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "virtual", "virtual alias", "redirect mail", "deliver mail", "transport", "description", "result format", "bashno", "r etcbashrc", "protocol", "ipv6", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "kame", "id key", "specification", "auto exit", "vpn socket", "networkup", "term", "devnull", "common setup", "set command", "sunnet manager", "rpcsrc", "netlicense", "apple", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "auditing", "solaris", "openbsm", "secsrvr", "allocation", "bsm event", "solaris kernel", "openbsm kernel", "solaris auemac", "solaris umount", "integer", "array", "data", "state", "opendirectoryd", "ipv4", "plist", "dict", "session", "commcenter", "airport", "cfbasichash", "thread", "cfrunloop", "cfrunloopmode", "usrbinsudo", "usrsbinnetbiosd", "removed" ], "references": [ "afpovertcp.cfg", "aliases", "magic", "httpd.conf", "mime.types", "httpd-autoindex.conf", "httpd-default.conf", "httpd-languages.conf", "httpd-dav.conf", "httpd-multilang-errordoc.conf", "httpd-mpm.conf", "httpd-info.conf", "httpd-userdir.conf", "httpd-ssl.conf", "httpd-vhosts.conf", "proxy-html.conf", "httpd-manual.conf", "php7.conf", "mpm.conf", "com.apple.eventmonitor", "com.apple.authd", "com.apple.cdscheduler", "com.apple.contacts.ContactsAutocomplete", "com.apple.install", "com.apple.coreduetd", "com.apple.login.guest", "com.apple.mkb", "com.apple.mail", "com.apple.MessageTracer", "com.apple.mkb.internal", "com.apple.iokit.power", "com.apple.performance", "com.apple.networking.boringssl", "auto_master", "auto_home", "bashrc", "asl.conf", "autofs.conf", "bashrc_Apple_Terminal", "csh.cshrc", "csh.logout", "com.apple.screensharing.agent.launchd", "csh.login", "cupsd.conf", "cups-files.conf.default", "cupsd.conf.O", "cupsd.conf.default", "cups-files.conf", "snmp.conf", "snmp.conf.default", "dragonforce.io", "find.codes", "ftpusers", "hosts.equiv", "gettytab", "hosts", "kern_loader.conf", "irbrc", "locate.rc", "mail.rc", "group", "man.conf", "networks", "manpaths", "newsyslog.conf", "com.apple.slapconfig.conf", "files.conf", "com.apple.xscertd.conf", "wifi.conf", "com.apple.slapd.conf", "nfs.conf", "ntp.conf", "notify.conf", "ntp_opendirectory.conf", "AppleOpenLDAP.plist", "ldap.conf", "ldap.conf.default", "apple_auxillary.schema", "corba.ldif", "collective.schema", "collective.ldif", "core.ldif", "apple.schema", "cosine.ldif", "core.schema", "corba.schema", "duaconf.ldif", "dyngroup.ldif", "fmserver.schema", "duaconf.schema", "java.ldif", "inetorgperson.schema", "inetorgperson.ldif", "java.schema", "krb5-kdc.schema", "cosine.schema", "misc.ldif", "microsoft.std.schema", "misc.schema", "netinfo.schema", "nis.schema", "nis.ldif", "openldap.schema", "dyngroup.schema", "pmi.ldif", "ppolicy.ldif", "pmi.schema", "openldap.ldif", "README", "ppolicy.schema", "samba.schema", "microsoft.schema", "access", "custom_header_checks", "canonical", "generic", "bounce.cf.default", "header_checks", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "master.cf", "main.cf.proto", "master.cf.proto", "postfix-files", "relocated", "TLS_LICENSE", "virtual", "main.cf.default", "transport", "profile", "protocols", "racoon.conf", "rmtab", "rc.common", "rpc", "rtadvd.conf", "rc.netboot", "audit_class", "audit_warn", "audit_event", "audit_control" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Bahrain", "Israel", "India" ], "malware_families": [ { "id": "DirectoryIndex", "display_name": "DirectoryIndex", "target": null }, { "id": "AllowOverride", "display_name": "AllowOverride", "target": null }, { "id": "Malaysia, Truly Asia", "display_name": "Malaysia, Truly Asia", "target": null }, { "id": "9002 RAT", "display_name": "9002 RAT", "target": null }, { "id": "Virus:DOS/PSMPC_386", "display_name": "Virus:DOS/PSMPC_386", "target": "/malware/Virus:DOS/PSMPC_386" }, { "id": "TEL:TrojanSpy:Win32/KediRat", "display_name": "TEL:TrojanSpy:Win32/KediRat", "target": null }, { "id": "TrojanSpy:iOS/XcodeGhost", "display_name": "TrojanSpy:iOS/XcodeGhost", "target": "/malware/TrojanSpy:iOS/XcodeGhost" }, { "id": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "display_name": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "target": null }, { "id": "Ultra VNC", "display_name": "Ultra VNC", "target": null }, { "id": "TrojanDownloader:Win32/Bridge", "display_name": "TrojanDownloader:Win32/Bridge", "target": "/malware/TrojanDownloader:Win32/Bridge" }, { "id": "Virus:DOS/Cyberwar_5300", "display_name": "Virus:DOS/Cyberwar_5300", "target": "/malware/Virus:DOS/Cyberwar_5300" }, { "id": "Backdoor:Win32/Espion", "display_name": "Backdoor:Win32/Espion", "target": "/malware/Backdoor:Win32/Espion" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - S0316", "display_name": "Pegasus for Android - S0316", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:BackdoorLinux/Mirai", "display_name": "ALF:HeraklezEval:BackdoorLinux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1001.002", "name": "Steganography", "display_name": "T1001.002 - Steganography" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1001.001", "name": "Junk Data", "display_name": "T1001.001 - Junk Data" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1026", "name": "Multiband Communication", "display_name": "T1026 - Multiband Communication" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1025", "name": "Data from Removable Media", "display_name": "T1025 - Data from Removable Media" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Media", "LGBTQ+ Activists", "Technology", "Telecommunications", "Hospitality", "Energy", "NGO", "Semiconductor", "Human Subjects" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ravescoutllc.", "id": "288912", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 669, "URL": 1976, "email": 21, "hostname": 1198, "FileHash-SHA256": 277, "CVE": 2, "CIDR": 3 }, "indicator_count": 4146, "is_author": false, "is_subscribing": null, "subscriber_count": 33, "modified_text": "507 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65aab954f5f03a1f2906b39c", "name": "Zerobot", "description": "", "modified": "2024-10-12T07:01:26.973000", "created": "2024-01-19T18:03:00.966000", "tags": [ "ssl certificate", "whois record", "referrer", "historical ssl", "resolutions", "whois whois", "communicating", "subdomains", "contacted", "c1on", "cmdwget http", "metro", "zerobot", "execution", "skynet", "june" ], "references": [ "https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities Source" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZeroBot", "display_name": "ZeroBot", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65aa168aeddea4851fc47cc3", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 123, "FileHash-SHA1": 123, "FileHash-SHA256": 2498, "domain": 1600, "hostname": 2749, "URL": 6303, "CVE": 1 }, "indicator_count": 13397, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "554 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d32648280eb859dfca1c19", "name": "x.com - That's what friends are for!", "description": "Original pulses modified, unknown stealer, junk data stuffing sifted through. Careful notes have been taken regarding ultra significant pulses. I've done the best I can to analyze compare, compile from all record of original pulse. | Further analysis shows an effort to destroy quite a bit of pertinent evidence. | I consider the target, family and associates to be especially endangered. Target has become isolated from most people target associated with, mostly by force as not to spread the malicious vulnerabilities that ha e affected many.\nTarget & associated have been interacting with and work with \n, hiring (not everyone they know) those involved. | There has been significant modification and degradation of the origin of information collected. | Who can you report to if the perpetrator is the Law. | This has always been the reason. | Don't hire another hit. What's the point? To uphold a fake integrity as a legacy?", "modified": "2024-09-30T10:01:49.889000", "created": "2024-08-31T14:18:48.037000", "tags": [ "referrer", "historical ssl", "united", "as13414 twitter", "nxdomain", "whitelisted", "cname", "a nxdomain", "status", "aaaa", "as15133 verizon", "search", "date", "twitter", "spoofed", "qbot qakbot", "qbot", "information", "t1027", "files", "t1036", "t1041", "c2 channel", "t1056", "capture", "t1057", "discovery", "memcommit", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "show", "intel", "ms windows", "trojan", "copy", "write", "win64", "next", "url https", "qbot type", "indicator role", "title added", "active related", "pulses url", "url http", "showing", "entries", "msie", "windows nt", "formsecnen", "read", "read c", "russia as48848", "qmount", "unknown", "pecompact", "malware", "role title", "added active", "related pulses", "type indicator", "as44273 host", "name servers", "as47846", "germany unknown", "443 ma2592000", "scan endpoints", "passive dns", "urls", "creation date", "all scoreblue", "hostname", "filehashsha256", "filehashsha1", "filehashmd5", "months ago", "ipv4", "report spam", "tinynote", "cobalt strike", "ransomexx", "quackbot", "comspec", "prefetch8", "pattern match", "prefetch1", "mitre att", "ck id", "show technique", "ck matrix", "null", "path", "hybrid", "general", "click", "strings", "langchinese", "icmp traffic", "pe resource", "pe section", "companyname gm", "win32", "push", "fakedout threat", "analyzer paste", "iocs", "hostnames", "urls https", "overview ip", "address", "related nids", "files hostname", "files domain", "files related", "pulses none", "related tags", "virustotal", "china unknown", "as4837 china", "redacted for", "as4835 china", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "cve type", "cve cve20170147", "no expiration", "expiration", "domain", "create new", "subsys00000000", "as16625 akamai", "as20940", "as39960", "as6762 telecom", "united kingdom", "emails", "span", "created", "white", "formatpng feb", "refererparam", "classid1", "login0", "typeid1", "style1", "dynamicloader", "high", "yara rule", "neshta", "neshta virus", "myapp", "ids detections", "yara detections", "alerts", "worm", "delphi", "ip address", "files location", "china flag", "china domain", "pulses otx", "pulses", "as45102 alibaba", "japan unknown", "as32934", "as19679 dropbox", "pulse pulses", "google safe", "browsing", "hosting", "body", "as7018 att", "verdict vpn", "as9009 m247", "canada unknown", "as174 cogent", "israel unknown", "as12310", "romania unknown", "as48945", "as64286", "b3viles0 feb", "modified", "siteid290", "org7", "novno jan", "siteid289", "org4", "org9", "locuo", "siteid969", "https", "http", "rims https", "evader", "message", "jeffrey scott", "reimer dpt", "pegasus", "pinterest", "amadey", "quasar rat", "eternalblue", "service", "sahil", "andcustomer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Netherlands", "Italy", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Korea, Republic of", "France", "Malaysia" ], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2161, "FileHash-SHA1": 2073, "FileHash-SHA256": 7032, "domain": 3959, "hostname": 7581, "email": 22, "URL": 17579, "SSLCertFingerprint": 3, "CVE": 2 }, "indicator_count": 40412, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "566 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d3264283628d23b8f28b9d", "name": "x.com - That's what friends are for!", "description": "Original pulses modified, unknown stealer, junk data stuffing sifted through. Careful notes have been taken regarding ultra significant pulses. I've done the best I can to analyze compare, compile from all record of original pulse. | Further analysis shows an effort to destroy quite a bit of pertinent evidence. | I consider the target, family and associates to be especially endangered. Target has become isolated from most people target associated with, mostly by force as not to spread the malicious vulnerabilities that ha e affected many.\nTarget & associated have been interacting with and work with \n, hiring (not everyone they know) those involved. | There has been significant modification and degradation of the origin of information collected. | Who can you report to if the perpetrator is the Law. | This has always been the reason. | Don't hire another hit. What's the point? To uphold a fake integrity as a legacy?", "modified": "2024-09-30T10:01:49.889000", "created": "2024-08-31T14:18:42.621000", "tags": [ "referrer", "historical ssl", "united", "as13414 twitter", "nxdomain", "whitelisted", "cname", "a nxdomain", "status", "aaaa", "as15133 verizon", "search", "date", "twitter", "spoofed", "qbot qakbot", "qbot", "information", "t1027", "files", "t1036", "t1041", "c2 channel", "t1056", "capture", "t1057", "discovery", "memcommit", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "show", "intel", "ms windows", "trojan", "copy", "write", "win64", "next", "url https", "qbot type", "indicator role", "title added", "active related", "pulses url", "url http", "showing", "entries", "msie", "windows nt", "formsecnen", "read", "read c", "russia as48848", "qmount", "unknown", "pecompact", "malware", "role title", "added active", "related pulses", "type indicator", "as44273 host", "name servers", "as47846", "germany unknown", "443 ma2592000", "scan endpoints", "passive dns", "urls", "creation date", "all scoreblue", "hostname", "filehashsha256", "filehashsha1", "filehashmd5", "months ago", "ipv4", "report spam", "tinynote", "cobalt strike", "ransomexx", "quackbot", "comspec", "prefetch8", "pattern match", "prefetch1", "mitre att", "ck id", "show technique", "ck matrix", "null", "path", "hybrid", "general", "click", "strings", "langchinese", "icmp traffic", "pe resource", "pe section", "companyname gm", "win32", "push", "fakedout threat", "analyzer paste", "iocs", "hostnames", "urls https", "overview ip", "address", "related nids", "files hostname", "files domain", "files related", "pulses none", "related tags", "virustotal", "china unknown", "as4837 china", "redacted for", "as4835 china", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "cve type", "cve cve20170147", "no expiration", "expiration", "domain", "create new", "subsys00000000", "as16625 akamai", "as20940", "as39960", "as6762 telecom", "united kingdom", "emails", "span", "created", "white", "formatpng feb", "refererparam", "classid1", "login0", "typeid1", "style1", "dynamicloader", "high", "yara rule", "neshta", "neshta virus", "myapp", "ids detections", "yara detections", "alerts", "worm", "delphi", "ip address", "files location", "china flag", "china domain", "pulses otx", "pulses", "as45102 alibaba", "japan unknown", "as32934", "as19679 dropbox", "pulse pulses", "google safe", "browsing", "hosting", "body", "as7018 att", "verdict vpn", "as9009 m247", "canada unknown", "as174 cogent", "israel unknown", "as12310", "romania unknown", "as48945", "as64286", "b3viles0 feb", "modified", "siteid290", "org7", "novno jan", "siteid289", "org4", "org9", "locuo", "siteid969", "https", "http", "rims https", "evader", "message", "jeffrey scott", "reimer dpt", "pegasus", "pinterest", "amadey", "quasar rat", "eternalblue", "service", "sahil", "andcustomer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Netherlands", "Italy", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Korea, Republic of", "France", "Malaysia" ], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2161, "FileHash-SHA1": 2073, "FileHash-SHA256": 7032, "domain": 3959, "hostname": 7581, "email": 22, "URL": 17579, "SSLCertFingerprint": 3, "CVE": 2 }, "indicator_count": 40412, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "566 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6687495ad1e4ef814ec26c75", "name": "Remote Network Attack | JakyllHyde: Malicious Keyword Tool Index | Sabey Data Centers", "description": "Research shows compromise originated from Sabey Data Centers. High Priority 'Malicious' \nRemotely connects to victim network is injection,", "modified": "2024-09-05T06:26:17.295000", "created": "2024-07-05T01:16:10.251000", "tags": [ "read c", "get na", "sthubei", "otaokexing", "unknown", "write c", "outaokexing", "cntaokexing", "ms windows", "pe32", "win64", "write", "next", "win32", "malware", "copy", "keyword tool", "historical ssl", "referrer", "vs2010", "file", "sections", "signature", "file version", "windows system", "internal name", "version", "portable", "info compiler", "analyzer paste", "iocs", "url https", "samples", "cisco umbrella", "site", "safe site", "alexa top", "million", "heur", "malware site", "malicious site", "iframe", "alexa", "deepscan", "crack", "fusioncore", "cleaner", "riskware", "jakyllhyde", "china unknown", "asnone china", "cname", "as4812 china", "as4134 chinanet", "date", "moved", "search", "status", "body", "as4837 china", "bad request", "passive dns", "gmt content", "type", "scan endpoints", "all scoreblue", "twitter", "trojan", "urls", "machinename", "alibaba cloud", "computing", "beijing", "domains", "contacted", "ip detections", "country", "files", "file type", "signals mutexes", "local", "localc", "mutexes", "as31122 digiweb", "ireland unknown", "a domains", "gmt server", "pulse pulses", "pragma", "ipv4", "apache", "get http", "request", "host", "accept", "response", "date mon", "http requests", "connection", "server", "pluginrun", "ip traffic", "hashes", "user", "dns resolutions", "ff ff", "lowdatetime", "mofresourcename", "portclsmof", "hdaudiomofname", "processorwmi", "acpimofresource", "mofresource", "registry keys", "counter", "files written", "files dropped", "registry", "samplepath", "windir", "created c", "shell commands", "monitor", "arg0", "tree", "synchronization", "yara signature", "match", "thor apt", "scanner rule", "livehunt", "ruletype", "rule feed", "rulelink", "microsoft", "ruleauthor", "backdoor", "injection", "sabey data centers", "vbs", "remote attack", "extreme targeting", "116.207.118.87", "192.168.56.103", "linux", "locate linux deployed", "track", "tracking", "track all devices", "android", "apple", "apple webkit" ], "references": [ "Win32/JakyllHyde - RUNDLL32.EXE FileHash-SHA1 01021c698664f7567b787d7bce266124ec0a226fb2e586125d109beb0ad0ba17", "Found in a malicious keyword index: http://m.xiang5.com/keyword/17655.html&htE5-: Family", "IDS Detections: Win32/JakyllHyde C2 Activity Win32/JakyllHyde C2 Activity M2 PE EXE or DLL Windows file download HTTP", "Alerts: dead_host injection_runpe network_icmp allocates_execute_remote_process disables_proxy injection_modifies_memory modifies_proxy_wpad", "Alerts: origin_langid multiple_useragents process_interest recon_beacon injection_resumethread antivm_vmware_in_instruction dumped_buffer network_bind network_http allocates_rwx antisandbox_foregroundwindows antisandbox_sleep antivm_disk_size", "Trojan:Win32/JakyllHyde: CnC IP's -183.95.89.203 116.211.100.182 Exploit Source: IPv4 116.207.118.87 163.171.134.109", "Trojan:Win32/JakyllHyde: FileHash-SHA256 01021c698664f7567b787d7bce266124ec0a226fb2e586125d109beb0ad0ba17 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 37a641988cfb33066c12b68b23bec0623e3d0715d21d6e3b7304bdd7238c8790 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 002d9916a54c7ea70c931dca29c0a4500020d8040b9e446a5472b9089c29c8bc - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 440165588e14516e1ef13b6240aad27a0e8c49744c8383590425b3cc9d7f23f1 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 47d9e427da3dfe5253d0047c40fb773db59dbccb0ff650e86ce7490b2c520c2d - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 7512f88162744b57efd14cc5fb98bc7cf5588fa25c218a1e92fe8048932450a8 -trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 0c795954123ebf1806cdafef2b66322f8d40d3ac - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 f971b96cd514dc62a43b51f32e3a440fe3e0c6d4 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 732198087c6a88afa356ea729bd3b8bb16c41901 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 f02ebf4d8955c363d615a53cc44b048d75b7cefb - adware", "Trojan:Win32/JakyllHyde: FileHash-SHA1 800c8a5f93b04d6c5dc491ab582cd75165918f5f - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 b45c02987811425c672f56e011f394f94cc29a7b - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 be97e5638139ee689312e23022d2e55e58d123c6 - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 0dd69941b0f01d1ee4d49c228f832bed - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 2f237a35379a5fa46168e3a01667f32c - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 35fc2b92d534f652ffe4ec3cbc3347b6 - adware", "Trojan:Win32/JakyllHyde: FileHash-MD5: 4d4cd0582109e110967bce75534031ed -trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 8eeda8077a13f12aa72c8b7b5f457734 -trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: d6d906a1c4061d3f41053b4548c7ea69 - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: fa7d0ef6c2c634e4f0e890c3d5b4cf4f - trojan", "YARA Signature Match - THOR APT Scanner: RULE_TYPE: Valhalla Rule Feed Only \u26a1", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/Malformed_Copyright_Statements RULE_AUTHOR: Florian Roth", "DESCRIPTION: Detects malformed Microsoft copyright statements in executables RULE_AUTHOR: Florian Roth", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/Malformed_Copyright_Statements RULE_AUTHOR: Florian Roth", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/ RULE_AUTHOR: Florian Roth", "#copyright #statements #malformed_copyright_statements", "ETPRO MALWARE Win32/JakyllHyde C2: https://www.joesandbox.com/analysis/754158/0/html", "Snort IDS: 2836073 ETPRO MALWARE Win32/JakyllHyde C2 Activity 192.168.2.3:49698 ->", "ETPRO MALWARE Win32/JakyllHyde C2 Activity M2 - Source IP: 116.211.100.21 - Destination IP: 192.168.2.3", "ETPRO MALWARE Win32/JakyllHyde C2 Activity - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ET MALWARE Win32/Eyoorun.D Variant Checkin - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ETPRO MALWARE Win32/JakyllHyde C2 Activity - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ET MALWARE Win32/Eyoorun.D Variant Checkin - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ET TROJAN W32/Witch.3FA0!tr CnC Actiivty M2 - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ETPRO MALWARE Win32/JakyllHyde C2 Activity M2 - Source IP: 116.211.100.21 - Destination IP: 192.168.2.3", "System process connects to network (likely due to code injection or exploit)", "Snort IDS alert for network traffic | Detected VMProtect packer", "W32/Witch.3FA0!tr: FileHash-MD5 38be6c6b799140f435bc1b1d42275d7c", "W32/Witch.3FA0!tr: FileHash-SHA1 13ed578302cc1f302a8a9df9308859486aeb4d0b", "W32/Witch.3FA0!tr: 601928c4508162aed7491ea4995eca7361be6faeac3c06ee5fc5302e686e26448", "http://tuijian.adhei.com/douyu/v1/encrypt/gamebox_m.cs", "http://tuijian.adhei.com/douyu/v1/encrypt/gamebox_m.css", "http://tuijian.adhei.com/douyu/v /encrypt/gamebox_m.css", "http://ssp.1rtb.com/imp?ua=Mozilla/5.0+(Linux;+U;+Android+4.3.1;+en-us;+GT-I8190+Build/JZO54K)+AppleWebKit/534.30+", "http://57d7.zhanyu66.com/air.thinlinuxforandroid.apk", "http://sdk.1rtb.com/sdk/req_ad?app_package=com.scpp.plus&device_type=1&device_adid=92841014150fc3fd&device_geo_lat=&app_name=%E8%B", "http://ssp.1rtb.com/tracker?ua=Mozilla/5.0+(Linux;+Android+7.1.2;+SM-T555+Build/NMF26X;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)", "https://simulator-api.666phonemanager.com/advert/gamebox_winpop/online", "http://ssp.1rtb.com/imp?ua=Mozilla/5.0+(Linux;+Android+7.1.2;+SM-T555+Build/NMF26X;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Version/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "China", "Hong Kong", "Singapore" ], "malware_families": [ { "id": "Trojan:Win32/JakyllHyde", "display_name": "Trojan:Win32/JakyllHyde", "target": "/malware/Trojan:Win32/JakyllHyde" }, { "id": "SecuriteInfo.com.Trojan.GenericKD.32885218.16582.30886.dll", "display_name": "SecuriteInfo.com.Trojan.GenericKD.32885218.16582.30886.dll", "target": null }, { "id": "W32/Witch.3FA0!tr", "display_name": "W32/Witch.3FA0!tr", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "display_name": "T1037 - Boot or Logon Initialization Scripts" }, { "id": "T1037.001", "name": "Logon Script (Windows)", "display_name": "T1037.001 - Logon Script (Windows)" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 682, "FileHash-SHA1": 327, "FileHash-SHA256": 2911, "SSLCertFingerprint": 4, "URL": 13039, "domain": 1038, "hostname": 2764, "email": 2, "CVE": 2 }, "indicator_count": 20769, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65aa168aeddea4851fc47cc3", "name": "Zerobot & Skynet", "description": "Zerobot is a new botnet written in the Go programming language. It communicates via the WebSocket protocol", "modified": "2024-03-23T01:01:38.014000", "created": "2024-01-19T06:28:26.343000", "tags": [ "ssl certificate", "whois record", "referrer", "historical ssl", "resolutions", "whois whois", "communicating", "subdomains", "contacted", "c1on", "cmdwget http", "metro", "zerobot", "execution", "skynet", "june" ], "references": [ "https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities Source" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZeroBot", "display_name": "ZeroBot", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 78, "FileHash-SHA1": 78, "FileHash-SHA256": 2290, "domain": 1491, "hostname": 2611, "URL": 5879, "CVE": 8 }, "indicator_count": 12435, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "757 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be8f1e5db08cf140cdea23", "name": "TinyNote | Douglas County, Co Sheriff's Office | Pegasus Attacks SA victim ", "description": "", "modified": "2024-02-03T19:08:14.934000", "created": "2024-02-03T19:08:14.934000", "tags": [ "june", "whois record", "ssl certificate", "threat roundup", "september", "roundup", "problems", "threat network", "drive", "march", "february", "startpage", "installer", "cobalt strike", "cobaltstrike", "whois whois", "referrer", "malicious", "quackbot", "tinynote", "contacted", "hacktool", "ransomexx", "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "getprocaddress", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "observed email", "united", "null", "path", "date", "twitter", "factory", "hybrid", "general", "model", "comspec", "click", "strings", "tsara brashears", "corruption", "sherrif", "douglas county", "framing", "hacking", "tracking", "infostealer", "porn", "critical", "danger", "spurlock" ], "references": [ "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "nr-data.net", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "apple-identifiant.info", "cs001.informativeremail-apple.zoom.com.cn", "0-i-0.xyz", "0-courier.push.apple.com", "https://www.anyxxxtube.net/media/favicon/apple", "message.htm.com", "joebiden.com", "familyhandyman.com", "deadlineday.twitter.com", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "http://watchhers.net/index.php", "69.197.153.180", "This is all too strange! Corruption or Spoofed?", "quackbot? Qbot qakbot positive" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TinyNote", "display_name": "TinyNote", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "QuackBot", "display_name": "QuackBot", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": "65b85d301a253bd67048cbba", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7190, "FileHash-MD5": 157, "FileHash-SHA1": 116, "FileHash-SHA256": 2281, "domain": 2139, "hostname": 2485, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 14372, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "805 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a2e3ebbb1bdfd541af3e91", "name": "TinyNote | Douglas County, Colorado Sheriff's Office?", "description": "", "modified": "2024-02-01T07:00:20.140000", "created": "2024-01-13T19:26:35.621000", "tags": [ "june", "whois record", "ssl certificate", "threat roundup", "september", "roundup", "problems", "threat network", "drive", "march", "february", "startpage", "installer", "cobalt strike", "cobaltstrike", "whois whois", "referrer", "malicious", "quackbot", "tinynote", "contacted", "hacktool", "ransomexx", "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "getprocaddress", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "observed email", "united", "null", "path", "date", "twitter", "factory", "hybrid", "general", "model", "comspec", "click", "strings", "tsara brashears", "corruption", "sherrif", "douglas county", "framing", "hacking", "tracking", "infostealer", "porn", "critical", "danger", "spurlock" ], "references": [ "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "nr-data.net", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "apple-identifiant.info", "cs001.informativeremail-apple.zoom.com.cn", "0-i-0.xyz", "0-courier.push.apple.com", "https://www.anyxxxtube.net/media/favicon/apple", "message.htm.com", "joebiden.com", "familyhandyman.com", "deadlineday.twitter.com", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "http://watchhers.net/index.php", "69.197.153.180", "This is all too strange! Corruption or Spoofed?", "quackbot? Qbot qakbot positive" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TinyNote", "display_name": "TinyNote", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "QuackBot", "display_name": "QuackBot", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": "6593c7224a0e8926c28f73d5", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7190, "FileHash-MD5": 157, "FileHash-SHA1": 116, "FileHash-SHA256": 2281, "domain": 2139, "hostname": 2485, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 14372, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "808 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85d301a253bd67048cbba", "name": "TinyNote | Douglas County, Co Sheriff's Office | Pegasus Attacks SA victim ", "description": "", "modified": "2024-02-01T07:00:20.140000", "created": "2024-01-30T02:21:36.334000", "tags": [ "june", "whois record", "ssl certificate", "threat roundup", "september", "roundup", "problems", "threat network", "drive", "march", "february", "startpage", "installer", "cobalt strike", "cobaltstrike", "whois whois", "referrer", "malicious", "quackbot", "tinynote", "contacted", "hacktool", "ransomexx", "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "getprocaddress", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "observed email", "united", "null", "path", "date", "twitter", "factory", "hybrid", "general", "model", "comspec", "click", "strings", "tsara brashears", "corruption", "sherrif", "douglas county", "framing", "hacking", "tracking", "infostealer", "porn", "critical", "danger", "spurlock" ], "references": [ "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "nr-data.net", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "apple-identifiant.info", "cs001.informativeremail-apple.zoom.com.cn", "0-i-0.xyz", "0-courier.push.apple.com", "https://www.anyxxxtube.net/media/favicon/apple", "message.htm.com", "joebiden.com", "familyhandyman.com", "deadlineday.twitter.com", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "http://watchhers.net/index.php", "69.197.153.180", "This is all too strange! Corruption or Spoofed?", "quackbot? Qbot qakbot positive" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TinyNote", "display_name": "TinyNote", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "QuackBot", "display_name": "QuackBot", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": "65a2e3ebbb1bdfd541af3e91", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7190, "FileHash-MD5": 157, "FileHash-SHA1": 116, "FileHash-SHA256": 2281, "domain": 2139, "hostname": 2485, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 14372, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "808 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6593c7224a0e8926c28f73d5", "name": "TinyNote | Douglas County, Colorado Sheriff's Office?", "description": "Sent to me by D*n*i* M. P*r**h. I can't comprehend. Looks like framing and cyber tracking pf a SA victim by a sheriff best friend of reporting doctor whose wife is Douglas Co coroner. Reporting MD threatened and warned Brashears of what would happen then warned SA PT by relating issues. Targets and associated as severe risk.", "modified": "2024-02-01T07:00:20.140000", "created": "2024-01-02T08:19:45.693000", "tags": [ "june", "whois record", "ssl certificate", "threat roundup", "september", "roundup", "problems", "threat network", "drive", "march", "february", "startpage", "installer", "cobalt strike", "cobaltstrike", "whois whois", "referrer", "malicious", "quackbot", "tinynote", "contacted", "hacktool", "ransomexx", "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "getprocaddress", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "observed email", "united", "null", "path", "date", "twitter", "factory", "hybrid", "general", "model", "comspec", "click", "strings", "tsara brashears", "corruption", "sherrif", "douglas county", "framing", "hacking", "tracking", "infostealer", "porn", "critical", "danger", "spurlock" ], "references": [ "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "nr-data.net", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "apple-identifiant.info", "cs001.informativeremail-apple.zoom.com.cn", "0-i-0.xyz", "0-courier.push.apple.com", "https://www.anyxxxtube.net/media/favicon/apple", "message.htm.com", "joebiden.com", "familyhandyman.com", "deadlineday.twitter.com", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "http://watchhers.net/index.php", "69.197.153.180", "This is all too strange! Corruption or Spoofed?", "quackbot? Qbot qakbot positive" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TinyNote", "display_name": "TinyNote", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "QuackBot", "display_name": "QuackBot", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7190, "FileHash-MD5": 157, "FileHash-SHA1": 116, "FileHash-SHA256": 2281, "domain": 2139, "hostname": 2485, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 14372, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "808 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6558c481715409563073cb79", "name": "Fraud Services", "description": "http://kramtechnology.com/, fraud services, network, rat, trojan, phishing, malvertizing, malware hosting, scanning host, archives browser events.", "modified": "2023-12-18T05:05:36.760000", "created": "2023-11-18T14:04:48.923000", "tags": [ "methodpost", "dropped", "contacted", "ssl certificate", "whois record", "zva8k4ghshhpcb5", "contacted urls", "q0gpyr1balpdgpo", "historical ssl", "page dow", "blacklist http", "cisco umbrella", "site", "alexa top", "safe site", "million", "paypal", "team phishing", "malicious url", "alexa", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "malware", "united", "passive dns", "scan endpoints", "all search", "otx octoseek", "ipv4", "pulse pulses", "urls", "files", "reverse dns", "twitter", "log id", "gmtn", "sectigo rsa", "secure server", "tls web", "salford", "sectigo limited", "ocsp", "false", "california", "british virgin", "locality", "d3 a5", "url http" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14816, "FileHash-MD5": 41, "FileHash-SHA1": 33, "FileHash-SHA256": 5158, "domain": 3758, "hostname": 2961, "email": 4, "SSLCertFingerprint": 3, "CVE": 3 }, "indicator_count": 26777, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a958f96f9b29641ea020", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-12-06T17:03:20.219000", "created": "2023-12-06T17:03:20.219000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 17, "FileHash-SHA256": 3730, "hostname": 1052, "domain": 446, "URL": 2806, "FileHash-MD5": 173, "FileHash-SHA1": 168, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a927b24b94cdd5d344d1", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-12-06T17:02:31.854000", "created": "2023-12-06T17:02:31.854000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 17, "FileHash-SHA256": 3730, "hostname": 1052, "domain": 446, "URL": 2806, "FileHash-MD5": 173, "FileHash-SHA1": 168, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a0bc9f2837fed9426cdd", "name": "Apple Music.app (by @kailula)", "description": "", "modified": "2023-12-06T16:26:36.394000", "created": "2023-12-06T16:26:36.394000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1235, "domain": 324, "hostname": 1559, "URL": 2278, "FileHash-SHA1": 1 }, "indicator_count": 5397, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570810b6b17147085608503", "name": "Apple Music.app", "description": "", "modified": "2023-12-06T14:11:23.015000", "created": "2023-12-06T14:11:23.015000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1235, "domain": 324, "hostname": 1559, "URL": 2278, "FileHash-SHA1": 1 }, "indicator_count": 5397, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707e9819da1f2e8e26e78e", "name": "recallsfschoolboard.org", "description": "", "modified": "2023-12-06T14:00:56.019000", "created": "2023-12-06T14:00:56.019000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 24, "domain": 2214, "URL": 9040, "FileHash-MD5": 280, "FileHash-SHA256": 3044, "hostname": 2973, "FileHash-SHA1": 327, "SSLCertFingerprint": 6, "CIDR": 6, "email": 64 }, "indicator_count": 17978, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707e0e3c8fc67d6f4a474e", "name": "xred.mooo.com", "description": "", "modified": "2023-12-06T13:58:38.360000", "created": "2023-12-06T13:58:38.360000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 301, "hostname": 265, "URL": 482, "domain": 95, "FileHash-MD5": 8, "FileHash-SHA1": 2 }, "indicator_count": 1153, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f147a7e55dd916fe9e3e2", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-11-13T22:04:06.580000", "created": "2023-10-30T02:27:06.140000", "tags": [ "ssl certificate", "contacted", "contacted urls", "referrer", "march", "historical ssl", "whois sslcert", "suspicious", "execution", "malware", "core", "name verdict", "falco", "pattern match", "ascii text", "file", "png image", "sdcwhb", "windows nt", "jpeg image", "jfif", "appdata", "kg2exe", "date", "unknown", "general", "hybrid", "this", "click", "strings", "class", "critical", "error", "zfaoz", "falcon sandbox", "exit", "node tcp", "traffic", "et tor", "known tor", "relayrouter", "tor known", "tor relayrouter", "detection list", "ip address", "cisco umbrella", "heur", "site", "safe site", "alexa top", "million", "maltiverse", "malicious url", "malicious site", "unsafe", "riskware", "swrort", "downldr", "artemis", "team", "phishing", "iframe", "crack", "xrat", "installcore", "facebook", "bank", "opencandy", "nircmd", "exploit", "filetour", "cleaner", "wacatac", "win64", "unruy", "blacknet rat", "stealer", "azorult", "service", "runescape", "download", "tiggre", "presenoker", "conduit", "xtrat", "agent", "patcher", "adload", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "adposhel", "union", "trojanspy", "webtoolbar", "blacklist https", "blacklist", "command_and_control", "Fitbit", "hidden tear", "google", "spyware", "potentially unwanted progams", "network", "bundlers", "aware" ], "references": [ "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZfAoz", "display_name": "ZfAoz", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WisdomEyes.16070401.9500", "display_name": "WisdomEyes.16070401.9500", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "652b2a8048e6a285461c4a5d", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1052, "FileHash-MD5": 173, "FileHash-SHA1": 168, "FileHash-SHA256": 3730, "URL": 2806, "domain": 446, "CVE": 17, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "887 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652b2a8048e6a285461c4a5d", "name": "Fitbit app link IoC's", "description": "Critical. Fitbit download link found in Google search results.\n[https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile]\n\nBlackNET is a Remote Access Trojan (RAT) - Advanced Windows Botnet.\nCapabilities: stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. \n\nOpenCandy , PUP\nCapabilities: Browser home page hijacker, installs unwanted toolbars, plug-ins, and extensions to web browsers, collects information, user\u2019s surfing habits, distribution to third parties without user consent.\n\nProcess Injection: Privilege escalation adversaries use to inject arbitrary code.", "modified": "2023-11-13T22:04:06.580000", "created": "2023-10-14T23:55:42.972000", "tags": [ "ssl certificate", "contacted", "contacted urls", "referrer", "march", "historical ssl", "whois sslcert", "suspicious", "execution", "malware", "core", "name verdict", "falco", "pattern match", "ascii text", "file", "png image", "sdcwhb", "windows nt", "jpeg image", "jfif", "appdata", "kg2exe", "date", "unknown", "general", "hybrid", "this", "click", "strings", "class", "critical", "error", "zfaoz", "falcon sandbox", "exit", "node tcp", "traffic", "et tor", "known tor", "relayrouter", "tor known", "tor relayrouter", "detection list", "ip address", "cisco umbrella", "heur", "site", "safe site", "alexa top", "million", "maltiverse", "malicious url", "malicious site", "unsafe", "riskware", "swrort", "downldr", "artemis", "team", "phishing", "iframe", "crack", "xrat", "installcore", "facebook", "bank", "opencandy", "nircmd", "exploit", "filetour", "cleaner", "wacatac", "win64", "unruy", "blacknet rat", "stealer", "azorult", "service", "runescape", "download", "tiggre", "presenoker", "conduit", "xtrat", "agent", "patcher", "adload", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "adposhel", "union", "trojanspy", "webtoolbar", "blacklist https", "blacklist", "command_and_control", "Fitbit", "hidden tear", "google", "spyware", "potentially unwanted progams", "network", "bundlers", "aware" ], "references": [ "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZfAoz", "display_name": "ZfAoz", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WisdomEyes.16070401.9500", "display_name": "WisdomEyes.16070401.9500", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1052, "FileHash-MD5": 173, "FileHash-SHA1": 168, "FileHash-SHA256": 3730, "URL": 2806, "domain": 446, "CVE": 17, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "887 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652b2a50c4487060d52346fd", "name": "Fitbit app link IoC's", "description": "Critical. Fitbit download link found in Google search results.\n[https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile]\n\nBlackNET is a Remote Access Trojan (RAT) - Advanced Windows Botnet.\nCapabilities: stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. \n\nOpenCandy , PUP\nCapabilities: Browser home page hijacker, installs unwanted toolbars, plug-ins, and extensions to web browsers, collects information, user\u2019s surfing habits, distribution to third parties without user consent.\n\nProcess Injection: Privilege escalation adversaries use to inject arbitrary code.", "modified": "2023-11-13T22:04:06.580000", "created": "2023-10-14T23:54:55.973000", "tags": [ "ssl certificate", "contacted", "contacted urls", "referrer", "march", "historical ssl", "whois sslcert", "suspicious", "execution", "malware", "core", "name verdict", "falco", "pattern match", "ascii text", "file", "png image", "sdcwhb", "windows nt", "jpeg image", "jfif", "appdata", "kg2exe", "date", "unknown", "general", "hybrid", "this", "click", "strings", "class", "critical", "error", "zfaoz", "falcon sandbox", "exit", "node tcp", "traffic", "et tor", "known tor", "relayrouter", "tor known", "tor relayrouter", "detection list", "ip address", "cisco umbrella", "heur", "site", "safe site", "alexa top", "million", "maltiverse", "malicious url", "malicious site", "unsafe", "riskware", "swrort", "downldr", "artemis", "team", "phishing", "iframe", "crack", "xrat", "installcore", "facebook", "bank", "opencandy", "nircmd", "exploit", "filetour", "cleaner", "wacatac", "win64", "unruy", "blacknet rat", "stealer", "azorult", "service", "runescape", "download", "tiggre", "presenoker", "conduit", "xtrat", "agent", "patcher", "adload", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "adposhel", "union", "trojanspy", "webtoolbar", "blacklist https", "blacklist", "command_and_control", "Fitbit", "hidden tear", "google", "spyware", "potentially unwanted progams", "network", "bundlers", "aware" ], "references": [ "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZfAoz", "display_name": "ZfAoz", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WisdomEyes.16070401.9500", "display_name": "WisdomEyes.16070401.9500", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1052, "FileHash-MD5": 173, "FileHash-SHA1": 168, "FileHash-SHA256": 3730, "URL": 2806, "domain": 446, "CVE": 17, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "887 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64e7febe244cb68794edc480", "name": "Dropbox exploit via httrack-3.49.2.exe (malicious) trojan.darkkomet/zorexRAT MALWARE", "description": "httrack-3.49.2.exe\ntrojan.darkkomet/zorex\nRuleset:\n ET POLICY Dropbox.com Offsite File Backup in Use\nET HUNTING Suspicious User-Agent Containing .exe\nET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com\nUnique rule identifier:\nThis rule belongs to a private collection.", "modified": "2023-09-24T00:00:49.866000", "created": "2023-08-25T01:07:10.740000", "tags": [ "delphi", "vhash", "authentihash", "imphash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "serial number", "valid from", "valid", "time stamping", "pointing device", "symantec time", "stamping", "name symantec", "signer", "from valid", "chi2", "entropy", "type rtstring", "type rtbitmap", "type rtrcdata", "type rtcursor", "default entropy", "type rticon", "dos exe", "functionality", "verqueryvaluea", "couninitialize", "virtual address", "virtual size", "raw size", "chi2 1", "sections", "md5 code", "data" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 73, "FileHash-MD5": 16, "FileHash-SHA1": 14, "domain": 18, "hostname": 43, "URL": 70 }, "indicator_count": 234, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "938 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64e7ab22bbbb24b60b0ede98", "name": "Apple Music.app (by @kailula)", "description": "", "modified": "2023-08-24T19:10:26.385000", "created": "2023-08-24T19:10:26.385000", "tags": [ "whois", "whois record", "ssl certificate", "chinese", "ip check", "mac malware", "collection ii", "steg icons", "wired", "collection", "korlia", "trickbot" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6228c8698878b924d3b309b6", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2278, "hostname": 1559, "domain": 324, "FileHash-SHA256": 1235, "FileHash-SHA1": 1 }, "indicator_count": 5397, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "968 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6228c8698878b924d3b309b6", "name": "Apple Music.app", "description": "", "modified": "2022-04-08T00:05:40.239000", "created": "2022-03-09T15:31:53.378000", "tags": [ "whois", "whois record", "ssl certificate", "chinese", "ip check", "mac malware", "collection ii", "steg icons", "wired", "collection", "korlia", "trickbot" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2278, "hostname": 1559, "domain": 324, "FileHash-SHA256": 1235, "FileHash-SHA1": 1 }, "indicator_count": 5397, "is_author": false, "is_subscribing": null, "subscriber_count": 409, "modified_text": "1472 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6211397913dcdae410959042", "name": "recallsfschoolboard.org", "description": "garry tan has no hand", "modified": "2022-03-26T19:02:17.827000", "created": "2022-02-19T18:39:53.002000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2973, "URL": 9040, "domain": 2214, "FileHash-SHA256": 3044, "FileHash-MD5": 280, "FileHash-SHA1": 327, "CIDR": 6, "email": 64, "CVE": 24, "SSLCertFingerprint": 6 }, "indicator_count": 17978, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "1484 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6209766a002a61265d53ce47", "name": "xred.mooo.com", "description": "", "modified": "2022-03-15T00:00:20.682000", "created": "2022-02-13T21:21:45.995000", "tags": [ "whois", "ssl certificate", "whois record", "file size", "win32 dll", "name", "win32 exe", "kb file", "file type", "kb pe", "detections file", "akamai", "ltd dba", "com laude", "enom", "chengdu west", "chengdu", "ascii text", "neutral", "data rtbitmap", "data rtcursor", "lotus", "default", "trid win32", "data rtrcdata", "intel", "delphi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 265, "URL": 482, "FileHash-SHA256": 301, "domain": 95, "FileHash-MD5": 8, "FileHash-SHA1": 2 }, "indicator_count": 1153, "is_author": false, "is_subscribing": null, "subscriber_count": 407, "modified_text": "1496 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "systemInfo.csv", "https://twitter.com/sheriffspurlock?lang=en", "Trojan:Win32/JakyllHyde: FileHash-MD5: 2f237a35379a5fa46168e3a01667f32c - trojan", "hosts.equiv", "deadlineday.twitter.com", "main.cf.proto", "Trojan:Win32/JakyllHyde: FileHash-SHA256 01021c698664f7567b787d7bce266124ec0a226fb2e586125d109beb0ad0ba17 - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: fa7d0ef6c2c634e4f0e890c3d5b4cf4f - trojan", "certificates.csv", "inetorgperson.ldif", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/Malformed_Copyright_Statements RULE_AUTHOR: Florian Roth", "anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022", "snmp.conf", "http://57d7.zhanyu66.com/air.thinlinuxforandroid.apk", "virtual", "master.cf.proto", "https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "dyngroup.schema", "main.cf", "duaconf.schema", "Trojan:Win32/JakyllHyde: FileHash-MD5: 4d4cd0582109e110967bce75534031ed -trojan", "http://ssp.1rtb.com/tracker?ua=Mozilla/5.0+(Linux;+Android+7.1.2;+SM-T555+Build/NMF26X;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)", "MCPeerID.h", "group", "com.apple.screensharing.agent.launchd", "fmserver.schema", "AppleOpenLDAP.plist", "content-negotiation.html", "process_list.txt", "generic", "com.apple.mail", "https://www.anyxxxtube.net/media/favicon/apple", "java.schema", "chromeExtensions.csv", "com.apple.mkb.internal", "kernel.csv", "core.schema", "version.plist", "ET TROJAN W32/Witch.3FA0!tr CnC Actiivty M2 - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "pf.os", "Trojan:Win32/JakyllHyde: FileHash-SHA1 b45c02987811425c672f56e011f394f94cc29a7b - trojan", "canonical", "ppolicy.ldif", "apfs_boot_mount.tbd", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "ldap.h", "corba.schema", "https://hyundaibariavungtau3s.com/vehicle/hyundai-custin", "launchdaemons.txt", "kern_loader.conf", "BUILDING", "69.197.153.180", "autofs.conf", "httpd-userdir.conf", "netinfo.schema", "feedback-pa.clients6.google.com/v1/survey/trigger/", "samba.schema", "http://tuijian.adhei.com/douyu/v /encrypt/gamebox_m.css", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "managedPolicies.csv", "index.html.en", "aliases", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "mpm.conf", "http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/", "custom_header_checks", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue", "postfix-files", "Info.plist", "http://tuijian.adhei.com/douyu/v1/encrypt/gamebox_m.cs", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0", "Trojan:Win32/JakyllHyde: FileHash-SHA1 f971b96cd514dc62a43b51f32e3a440fe3e0c6d4 - trojan", "resolv.conf", "httpd-ssl.conf", "disk_structure.txt", "irbrc", "caching.html", "CodeResources", "cosine.schema", "sharingPreferences.csv", "MCNearbyServiceAdvertiser.h", "ntp.conf", "com.apple.install", "http://ssp.1rtb.com/imp?ua=Mozilla/5.0+(Linux;+U;+Android+4.3.1;+en-us;+GT-I8190+Build/JZO54K)+AppleWebKit/534.30+", "quackbot? Qbot qakbot positive", "core.ldif", "http://watchhers.net/index.php", "users.csv", "user_launchagents.txt", "auto_home", "com.apple.eventmonitor", "misc.schema", "cupsd.conf.O", "https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam", "pmi.schema", "audit_class", "audit_event", "MCAdvertiserAssistant.h", "mounts.csv", "joebiden.com", "relocated", "mounts.txt", "nis.ldif", "cupsd.conf.default", "dyngroup.ldif", "ET MALWARE Win32/Eyoorun.D Variant Checkin - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "module.modulemap", "Trojan:Win32/JakyllHyde: FileHash-SHA256 47d9e427da3dfe5253d0047c40fb773db59dbccb0ff650e86ce7490b2c520c2d - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 002d9916a54c7ea70c931dca29c0a4500020d8040b9e446a5472b9089c29c8bc - trojan", "csh.logout", "ETPRO MALWARE Win32/JakyllHyde C2: https://www.joesandbox.com/analysis/754158/0/html", "asl.conf", "bounce.cf.default", "https://account.helix.com/activate/start", "x86_64-apple-ios-macabi.swiftinterface", "com.apple.slapconfig.conf", "security_status.txt", "files.conf", "DESCRIPTION: Detects malformed Microsoft copyright statements in executables RULE_AUTHOR: Florian Roth", "networks", "ldap.conf.default", "etcHosts.csv", "systemControls.csv", "sharedFolders.csv", "find.codes", "manpaths", "cups-files.conf", "drive.google.com/", "pmi.ldif", "duaconf.ldif", "wifi.conf", "launchagents.txt", "Driver_xst.h", "AirPlayReceiver.tbd", "rc.netboot", "LICENSE", "dragonforce.io", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/ RULE_AUTHOR: Florian Roth", "Trojan:Win32/JakyllHyde: FileHash-MD5: d6d906a1c4061d3f41053b4548c7ea69 - trojan", "newsyslog.conf", "protocols", "This is all too strange! Corruption or Spoofed?", "kexts.txt", "AOSKit.tbd", "0-i-0.xyz", "cupsd.conf", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade", "openldap.schema", "MultipeerConnectivity.h", "afpovertcp.cfg", "sipConfig.csv", "com.apple.login.guest", "profile", "MCError.h", "makedefs.out", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "php7.conf", "zshrc_Apple_Terminal", "ldap.conf", "bashrc", "https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com", "Win32/JakyllHyde - RUNDLL32.EXE FileHash-SHA1 01021c698664f7567b787d7bce266124ec0a226fb2e586125d109beb0ad0ba17", "Snort IDS: 2836073 ETPRO MALWARE Win32/JakyllHyde C2 Activity 192.168.2.3:49698 ->", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/", "MCNearbyServiceBrowser.h", "mime.types", "Alerts: dead_host injection_runpe network_icmp allocates_execute_remote_process disables_proxy injection_modifies_memory modifies_proxy_wpad", "dbivport.h", "gettytab", "convenience.map", "com.apple.authd", "Trojan:Win32/JakyllHyde: FileHash-SHA1 f02ebf4d8955c363d615a53cc44b048d75b7cefb - adware", "https://foundry2-lbl.dvr.dn2.n-helix.com/", "access", "interfaceAddrs.csv", "interfaceDetails.csv", "shells", "com.apple.coreduetd", "https://hyundaibariavungtau3s.com/vehicle/ioniq-5", "locate.rc", "AppleFirmwareUpdate.tbd", "message.htm.com", "ppolicy.schema", "x86_64-apple-macos.swiftinterface", "custom-error.html", "#copyright #statements #malformed_copyright_statements", "httpd-info.conf", "configuring.html", "usbDevices.csv", "snmp.conf.default", "IDS Detections: Win32/JakyllHyde C2 Activity Win32/JakyllHyde C2 Activity M2 PE EXE or DLL Windows file download HTTP", "com.apple.MessageTracer", "https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]", "master.cf", "Trojan:Win32/JakyllHyde: FileHash-SHA1 732198087c6a88afa356ea729bd3b8bb16c41901 - trojan", "com.apple.contacts.ContactsAutocomplete", "collective.ldif", "familyhandyman.com", "httpd-vhosts.conf", "com.apple.networking.boringssl", "smb.conf", "syslog.conf", "dbd_xsh.h", "master.cf.default", "httpd-default.conf", "Terse Unencrypted Request for Google - Likely Connectivity Check", "diskEncryption.csv", "microsoft.std.schema", "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "Trojan:Win32/JakyllHyde: FileHash-SHA1 800c8a5f93b04d6c5dc491ab582cd75165918f5f - trojan", "notify.conf", "https://simulator-api.666phonemanager.com/advert/gamebox_winpop/online", "ETPRO MALWARE Win32/JakyllHyde C2 Activity - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "collective.schema", "httpd-manual.conf", "com.apple.iokit.power", "pf.conf", "arm64e-apple-ios-macabi.swiftinterface", "https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/", "command_args.json", "MCSession.h", "Trojan:Win32/JakyllHyde: FileHash-SHA256 37a641988cfb33066c12b68b23bec0623e3d0715d21d6e3b7304bdd7238c8790 - trojan", "openldap.ldif", "httpd.conf", "auto_master", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "crashes.csv", "microsoft.schema", "http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466", "cs001.informativeremail-apple.zoom.com.cn", "main.cf.default", "Admin.tbd", "java.ldif", "audit_control", "inetorgperson.schema", "http://tuijian.adhei.com/douyu/v1/encrypt/gamebox_m.css", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6", "hook_op_check.h", "LocalAuthentication.tbd", "System process connects to network (likely due to code injection or exploit)", "rtadvd.conf", "httpd-languages.conf", "Trojan:Win32/JakyllHyde: FileHash-MD5: 35fc2b92d534f652ffe4ec3cbc3347b6 - adware", "zshrc", "DBIXS.h", "header_checks", "Found in a malicious keyword index: http://m.xiang5.com/keyword/17655.html&htE5-: Family", "apple_auxillary.schema", "csh.cshrc", "apple.schema", "apple-identifiant.info", "dbixs_rev.h", "Trojan:Win32/JakyllHyde: FileHash-SHA1 0c795954123ebf1806cdafef2b66322f8d40d3ac - trojan", "dbi_sql.h", "ftpusers", "com.apple.performance", "https://hyundaibariavungtau3s.com/vehicle/stargazer", "Snort IDS alert for network traffic | Detected VMProtect packer", "MultipeerConnectivity.tbd", "httpd-dav.conf", "ntp_opendirectory.conf", "MCBrowserViewController.h", "TLS_LICENSE", "W32/Witch.3FA0!tr: FileHash-SHA1 13ed578302cc1f302a8a9df9308859486aeb4d0b", "com.apple.mkb", "nr-data.net", "bind.html", "mail.rc", "nfs.conf", "com.apple.slapd.conf", "transport", "APConfigurationSystem.tbd", "W32/Witch.3FA0!tr: FileHash-MD5 38be6c6b799140f435bc1b1d42275d7c", "bashrc_Apple_Terminal", "rpc", "LDAP.tbd", "csh.login", "arm64e-apple-macos.swiftinterface", "Trojan:Win32/JakyllHyde: FileHash-SHA256 7512f88162744b57efd14cc5fb98bc7cf5588fa25c218a1e92fe8048932450a8 -trojan", "http://sdk.1rtb.com/sdk/req_ad?app_package=com.scpp.plus&device_type=1&device_adid=92841014150fc3fd&device_geo_lat=&app_name=%E8%B", "ttys", "sudo_lecture", "0-courier.push.apple.com", "Trojan:Win32/JakyllHyde: CnC IP's -183.95.89.203 116.211.100.182 Exploit Source: IPv4 116.207.118.87 163.171.134.109", "Trojan:Win32/JakyllHyde: FileHash-MD5: 8eeda8077a13f12aa72c8b7b5f457734 -trojan", "ETPRO MALWARE Win32/JakyllHyde C2 Activity M2 - Source IP: 116.211.100.21 - Destination IP: 192.168.2.3", "launchD.csv", "Trojan:Win32/JakyllHyde: FileHash-SHA1 be97e5638139ee689312e23022d2e55e58d123c6 - trojan", "anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net", "rc.common", "MultipeerConnectivity.apinotes", "com.apple.xscertd.conf", "rmtab", "preboot_archive_errors.log", "http://ssp.1rtb.com/imp?ua=Mozilla/5.0+(Linux;+Android+7.1.2;+SM-T555+Build/NMF26X;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Version/", "passwd", "httpd-multilang-errordoc.conf", "krb5-kdc.schema", "W32/Witch.3FA0!tr: 601928c4508162aed7491ea4995eca7361be6faeac3c06ee5fc5302e686e26448", "lber.h", "cups-files.conf.default", "nis.schema", "zprofile", "https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com", "applications.csv", "magic", "Trojan:Win32/JakyllHyde: FileHash-MD5: 0dd69941b0f01d1ee4d49c228f832bed - trojan", "xtab", "zalo.me | href | Binary File | ATT&CK ID T1566.002", "racoon.conf", "cosine.ldif", "Trojan:Win32/JakyllHyde: FileHash-SHA256 440165588e14516e1ef13b6240aad27a0e8c49744c8383590425b3cc9d7f23f1 - trojan", "httpd-autoindex.conf", "cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com", "README", "https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities Source", "YARA Signature Match - THOR APT Scanner: RULE_TYPE: Valhalla Rule Feed Only \u26a1", "httpd-mpm.conf", "paths", "man.conf", "audit_warn", "Alerts: origin_langid multiple_useragents process_interest recon_beacon injection_resumethread antivm_vmware_in_instruction dumped_buffer network_bind network_http allocates_rwx antisandbox_foregroundwindows antisandbox_sleep antivm_disk_size", "corba.ldif", "hosts", "misc.ldif", "sudoers", "proxy-html.conf", "battery.csv", "com.apple.cdscheduler" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "DragonForce Malaysia Hacker Group" ], "malware_families": [ "Trojan:msil/ranos.a", "Cobalt strike - s0154", "Allowoverride", "Skynet", "Alf:heraklezeval:backdoor:linux/tsunami", "Tinynote", "Webtoolbar", "Zfaoz", "Trojan:win32/tiggre", "Malaysia, truly asia", "Trojanspy:ios/xcodeghost", "Hacktool", "Alf:heraklezeval:backdoor:linux/mirai", "Pegasus for ios - s0289", "Trojan:win32/jakyllhyde", "Win.dropper.njrat-10015886-0", "Zerobot", "Wacatac", "Unruy", "Mediamagnet", "Trojan:win32/floxif.e", "W32/witch.3fa0!tr", "Backdoor:win32/espion", "Win.packed.generic-9795615-0", "Win.trojan.generic-9801687-0", "Tel:trojanspy:win32/kedirat", "Maltiverse", "9002 rat", "Lastname", "Alf:hstr:trojanspy:msil/keylogger", "Wisdomeyes.16070401.9500", "Comspec", "Pegasus - mob-s0005", "Other malware", "Ultra vnc", "Win.packed.generic-9795615-0\t.", "Backdoor:msil/bladabindi.aj", "Trojan:msil/clipbanker", "Win.packed.fecn-7077459-0", "Virus:dos/psmpc_386", "Securiteinfo.com.trojan.generickd.32885218.16582.30886.dll", "Ransomexx", "Directoryindex", "Trojanspy", "Alf:backdoor:msil/noancooe.ka", "Pegasus for android - s0316", "Qbot", "Firstname", "Win.virus.virlock-6804475-0", "Virus:dos/cyberwar_5300", "Win.packed.msilperseus-9956592-0", "Quackbot", "Win.trojan.generic-6417450-0", "Alf:heraklezeval:backdoorlinux/mirai", "Win.malware.bzub-6727003-0", "Nid", "Backdoor:msil/bladabindi.aj gc!", "Trojandownloader:win32/bridge", "Blacknet rat" ], "industries": [ "Media", "Semiconductor", "Human subjects", "Telecommunications", "Lgbtq+ activists", "Energy", "Technology", "Hospitality", "Ngo" ], "unique_indicators": 163604 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/jiexigu.com", "whois": "http://whois.domaintools.com/jiexigu.com", "domain": "jiexigu.com", "hostname": "qy.jiexigu.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 34, "pulses": [ { "id": "69a9cad6633206ba1204cf8f", "name": "clone school board ", "description": "", "modified": "2026-03-06T11:26:19.137000", "created": "2026-03-05T18:26:30.062000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6211397913dcdae410959042", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2975, "URL": 9041, "domain": 2214, "FileHash-SHA256": 3044, "FileHash-MD5": 280, "FileHash-SHA1": 327, "CIDR": 6, "email": 64, "CVE": 24, "SSLCertFingerprint": 6 }, "indicator_count": 17981, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a9cad78745fdea3001aec9", "name": "clone school board ", "description": "", "modified": "2026-03-06T05:11:24.929000", "created": "2026-03-05T18:26:31.303000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6211397913dcdae410959042", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2975, "URL": 9041, "domain": 2214, "FileHash-SHA256": 3044, "FileHash-MD5": 280, "FileHash-SHA1": 327, "CIDR": 6, "email": 64, "CVE": 24, "SSLCertFingerprint": 6 }, "indicator_count": 17981, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692d02f096f3ec8b5b507496", "name": "Google Drive: Share Files Online with Secure Cloud Storage | Google Workspace", "description": "nJRAT | Corrupted Google Drive sent to targets former device. Years long social engineering may have been involved. All\nIoC\u2019s Appears to involve years of social engineering. Google\ndrive service in question is a storage service based in Vietnam. | \n\nBotnet / Check-ins / Spyware / Cams. [Anon Sec Botnet subdomain name pulsed. Close directly related to zalo.me\nand tbtteams.com]\nRequires further research.\n\nThis pulse is a bit confusing due where and who it originated from.", "modified": "2025-12-31T02:01:50.101000", "created": "2025-12-01T02:52:32.483000", "tags": [ "business", "enterprise", "drive", "english", "google drive", "try drive", "business small", "workspace", "sign", "strong", "find", "life", "tools", "protect", "cloud", "simple", "android", "indonesia", "video", "mb download", "shared may", "shared", "learn", "drive drive", "name date", "javascript", "dynamicloader", "medium", "minimal headers", "high", "observed get", "get http", "united", "yara rule", "http", "write", "guard", "malware", "read c", "ms windows", "intel", "png image", "rgba", "pe32", "get na", "explorer", "music", "virlock", "media", "ho chi", "minh city", "viet nam", "storage company", "limited", "google", "address as", "luutruso", "cloudflar", "domain", "asn15169", "asn56153", "asn13335", "cisco", "umbrella rank", "apex domain", "url https", "kb stylesheet", "kb font", "kb image", "image", "kb script", "november", "resource path", "size", "type mimetype", "primary request", "redirect chain", "kb document", "urls", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "t1590 gather", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "domain address", "rsdsq jfu", "ollydbg ollydbg", "wireshark", "external", "binary file", "mitre att", "ck matrix", "aaaa", "cong ty", "co phan", "code", "province hcm", "files", "ip address", "request", "flag", "country", "contacted hosts", "process details", "link initial", "t1480 execution", "domains", "moved", "gmt content", "all ipv4", "url analysis", "location viet", "title", "error", "problem", "url add", "related nids", "files location", "flag united", "development att", "name server", "markmonitor", "localappdata", "programfiles", "edge", "hyundai", "social engineering", ".mil", "hackers", "phishing eml", "summary", "cisco umbrella", "google safe", "browsing", "current dns", "a record", "ip information", "ipasns ip", "detail domain", "domain tree", "links apex", "transfer", "b script", "b stylesheet", "frame b830", "b document", "value", "december", "degurafregistry", "gat object", "jsl object", "gapijstiming", "iframe function", "domainpath name", "nid value", "source level", "files domain", "files related", "tags", "related tags", "virustotal", "foundry", "pulse otx", "dark", "vietnam", "present aug", "present nov", "present jul", "present sep", "unknown aaaa", "search", "name servers", "present oct", "trojan", "data upload", "extraction", "se https", "include review", "exclude sugges", "find s", "failed", "typ don", "faith", "study", "romeo\u2019s", "juliettes", "femme fatales", "strategy", "honey pot", "honey traps", "spy", "helix", "anons", "passive dns", "pulse pulses", "files ip", "address", "location united", "asn as400519", "whois registrar", "ms defender", "files matching", "number", "sample analysis", "hide samples", "date hash", "cameras", "cams", "spycam", "botnet", "vietnam", "company limited", "dnssec", "status", "india unknown", "present may", "espionage", "hostname add", "generic", "cnc activity", "backdoor", "ipv4", "anonsecbotnet", "iptv" ], "references": [ "drive.google.com/", "https://foundry2-lbl.dvr.dn2.n-helix.com/", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "zalo.me | href | Binary File | ATT&CK ID T1566.002", "https://account.helix.com/activate/start", "anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022", "https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]", "Terse Unencrypted Request for Google - Likely Connectivity Check", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6", "cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com", "https://hyundaibariavungtau3s.com/vehicle/stargazer", "https://hyundaibariavungtau3s.com/vehicle/ioniq-5", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade", "https://hyundaibariavungtau3s.com/vehicle/hyundai-custin", "https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/", "https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com", "https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/", "https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com", "http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/", "http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466", "https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam", "feedback-pa.clients6.google.com/v1/survey/trigger/", "https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg", "anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Virus.Virlock-6804475-0", "display_name": "Win.Virus.Virlock-6804475-0", "target": null }, { "id": "Win.Malware.Bzub-6727003-0", "display_name": "Win.Malware.Bzub-6727003-0", "target": null }, { "id": "Win.Trojan.Generic-9801687-0", "display_name": "Win.Trojan.Generic-9801687-0", "target": null }, { "id": "NID", "display_name": "NID", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Dropper.njRAT-10015886-0", "display_name": "Win.Dropper.njRAT-10015886-0", "target": null }, { "id": "Win.Packed.Generic-9795615-0", "display_name": "Win.Packed.Generic-9795615-0", "target": null }, { "id": "Backdoor:MSIL/Bladabindi.AJ GC!", "display_name": "Backdoor:MSIL/Bladabindi.AJ GC!", "target": "/malware/Backdoor:MSIL/Bladabindi.AJ GC!" }, { "id": "Win.Packed.Generic-9795615-0\t.", "display_name": "Win.Packed.Generic-9795615-0\t.", "target": null }, { "id": "Backdoor:MSIL/Bladabindi.AJ", "display_name": "Backdoor:MSIL/Bladabindi.AJ", "target": "/malware/Backdoor:MSIL/Bladabindi.AJ" }, { "id": "Win.Packed.Fecn-7077459-0", "display_name": "Win.Packed.Fecn-7077459-0", "target": null }, { "id": "Trojan:MSIL/Ranos.A", "display_name": "Trojan:MSIL/Ranos.A", "target": "/malware/Trojan:MSIL/Ranos.A" }, { "id": "Win.Trojan.Generic-6417450-0", "display_name": "Win.Trojan.Generic-6417450-0", "target": null }, { "id": "ALF:Backdoor:MSIL/Noancooe.KA", "display_name": "ALF:Backdoor:MSIL/Noancooe.KA", "target": null }, { "id": "Win.Packed.Msilperseus-9956592-0", "display_name": "Win.Packed.Msilperseus-9956592-0", "target": null }, { "id": "Trojan:MSIL/ClipBanker", "display_name": "Trojan:MSIL/ClipBanker", "target": "/malware/Trojan:MSIL/ClipBanker" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1194", "name": "Spearphishing via Service", "display_name": "T1194 - Spearphishing via Service" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1911, "hostname": 714, "FileHash-SHA256": 1304, "FileHash-MD5": 159, "FileHash-SHA1": 71, "SSLCertFingerprint": 2, "domain": 421, "CVE": 1, "email": 4 }, "indicator_count": 4587, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67fe9f3c682800301b89c556", "name": "Sitemap This page shows the most recent scans (manual, API, automatic) to be picked up by spiders.", "description": "https://urlscan.io/sitemap/", "modified": "2025-09-01T08:05:18.611000", "created": "2025-04-15T18:02:36.693000", "tags": [ "new run", "key pointing", "run key", "roth", "nextron", "markus neis", "sander wiebing", "public", "imagestartswith", "delnoderundll32", "vhash", "imphash", "rich pe", "ssdeep", "data sheetfinal", "wbn1", "mobil ip", "hsotu tin", "firmar", "statement", "ebook", "uwaaj moesz" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 168, "FileHash-MD5": 106, "FileHash-SHA1": 101, "FileHash-SHA256": 415, "hostname": 63, "domain": 61, "CVE": 1 }, "indicator_count": 915, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68629f622fe936e3141a1ed0", "name": "APT33 (by ilyailya)", "description": "", "modified": "2025-06-30T14:29:54.892000", "created": "2025-06-30T14:29:54.892000", "tags": [ "apfs encryption", "adguard extra", "jumpcloud go", "chrome web", "store", "privacy badger", "safety checker", "stay", "mywot", "flowcrypt", "encrypt gmail", "simple", "facebook", "apollo", "future", "assistant", "excbreakpoint", "sigtrap", "excguard", "renderer", "vallumes", "excbadaccess", "sigsegv", "helper", "chrome helper", "exccrash", "rave scout", "cookies", "public folder", "browsersignin", "denyactivation", "disableoverride", "loginwindowtext", "jumpcloud", "disableairdrop", "enablefirewall", "macos14action", "macos13action", "showfullname", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "yubico", "daemon", "service", "server", "open directory", "account", "kerberos admin", "kerberos change", "io daemon", "device daemon", "network", "bridge", "desktop", "installer", "calendar", "screensaver", "agent", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "command line", "cloud", "remote assist", "aesxtsarm", "aesecbarm", "darwin kernel", "version", "fri apr", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "user", "coregraphics", "quartzcore", "dock", "corefoundation", "cgimage", "cgcolorspace", "load address", "identifier", "build info", "code type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6816697e166bba8972d8d4a3", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 125, "hostname": 402, "FileHash-SHA256": 38, "URL": 582, "CVE": 1 }, "indicator_count": 1148, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "292 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6816697e166bba8972d8d4a3", "name": "APT33", "description": "APT33", "modified": "2025-06-02T18:02:26.651000", "created": "2025-05-03T19:07:42.325000", "tags": [ "apfs encryption", "adguard extra", "jumpcloud go", "chrome web", "store", "privacy badger", "safety checker", "stay", "mywot", "flowcrypt", "encrypt gmail", "simple", "facebook", "apollo", "future", "assistant", "excbreakpoint", "sigtrap", "excguard", "renderer", "vallumes", "excbadaccess", "sigsegv", "helper", "chrome helper", "exccrash", "rave scout", "cookies", "public folder", "browsersignin", "denyactivation", "disableoverride", "loginwindowtext", "jumpcloud", "disableairdrop", "enablefirewall", "macos14action", "macos13action", "showfullname", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "yubico", "daemon", "service", "server", "open directory", "account", "kerberos admin", "kerberos change", "io daemon", "device daemon", "network", "bridge", "desktop", "installer", "calendar", "screensaver", "agent", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "command line", "cloud", "remote assist", "aesxtsarm", "aesecbarm", "darwin kernel", "version", "fri apr", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "user", "coregraphics", "quartzcore", "dock", "corefoundation", "cgimage", "cgcolorspace", "load address", "identifier", "build info", "code type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 125, "hostname": 402, "FileHash-SHA256": 38, "URL": 582, "CVE": 1 }, "indicator_count": 1148, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "320 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67f5555b6ce863d998e83e26", "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net", "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.", "modified": "2025-05-11T19:03:59.885000", "created": "2025-04-08T16:56:59.641000", "tags": [ "generated from", "do not", "edit uri", "urls", "edit", "rewriteengine", "rewritecond", "rewriterule", "r301", "xml2encalias", "beralloct", "berbvarrayadd", "berbvarrayfree", "berbvdup", "berbvecadd", "berbvecfree", "berbvfree", "berdump", "berdup", "berdupbv", "laerrordomain", "laerrornoncekey", "lamechanismtree", "lacontext", "ladomainstate", "laenvironment", "lanotification", "laprivatekey", "lapublickey", "laright", "apple swift", "o librarylevel", "combine import", "foundation", "swift import", "mcpeerid", "mcsession", "property", "copyright", "protocol", "class", "bonjour", "ascii lowercase", "abc company", "section", "bonjour txt", "note", "ui element", "utf8 encoding", "nscopying", "nsdictionary", "nsstring", "mcextern", "attribute", "mcextern extern", "mcexternweak", "nsenum", "nsinteger", "mcerrorcode", "mcerrorunknown", "mcerrortimedout", "peer", "example", "bonjour apis", "stop", "tags", "session", "nsprogress", "nserror", "nsurl", "nsarray", "create", "nsuinteger", "notifies", "mcsession api", "interface", "dbictrace", "dbivporth", "dbictracelevel", "dbdtffoo", "dbihseterrchar", "dbicstate", "dbictraceflags", "provides macros", "dbi release", "only", "sqlsuccess", "odbc", "sqlok", "tim bunce", "england", "sql cli", "sql datatype", "sqlguid", "sqlwlongvarchar", "main", "beware", "sv sth", "sv dbh", "impsth", "impdbh", "sv keysv", "sv params", "sv attr", "sv attribs", "sv drh", "void", "fri jul", "mixed", "dbixsrevision", "plsvundef", "license", "spagain", "perlioprintf", "dbiclogpio", "putback", "ireland", "gnu general", "super", "magic", "dbicflags", "dbis", "svrv", "null", "imp2com", "dbicactivekids", "dbicfiadestroy", "sv h", "dbicdbistate", "code", "copy", "refer", "trace", "error", "unknown", "hookopcheckh", "startexternc", "hookopcheckcb", "userdata", "endexternc", "isinternalbuild", "kickmcxdforuid", "loadappkit", "ardconfig", "authenticator", "dsauthenticator", "dsnode", "dsrecord", "group", "hostconfig", "apfsvolumelock", "apfsvolumerole", "aoskgetosinfo", "aoskgetuserinfo", "aosaddappleid", "aosdisablepcs", "aosenablepcs", "aoslog", "aoslogforce", "aosrelaycookie", "didfailcallback", "kaosaccountkey", "kapcsbundle", "kapcspath", "kjsonextension", "apcsbucketid", "apcsreports", "apconfiguration", "apversiondata", "apversionhelper", "systemvolumesvm", "name size", "identifier", "gb disk0s3", "devdisk3", "apfs container", "scheme", "physical store", "macintosh hd", "apfs snapshot", "preboot", "refs address", "size wired", "name", "version", "uuid", "linked against", "renderer", "helper", "chrome helper", "contains", "cloud ui", "macintosh", "khtml", "gecko", "ui helper", "plugin", "service", "good", "battery power", "apfs encryption", "jumpcloud go", "chrome web", "store", "privacy badger", "flowcrypt", "encrypt gmail", "simple", "google", "b2b phone", "number", "apollo", "future", "exccrash", "sigkill", "code signature", "invalid", "sigabrt", "protonvpn", "excguard", "excbreakpoint", "sigtrap", "excbadaccess", "appl", "english", "adobe crash", "adobe", "acrobat dcadobe", "processor", "uninstaller", "assistant", "install", "cloud", "dock", "calendar", "music", "terminal", "tips", "installer", "updater", "proton", "tools", "stub", "python", "clock", "powershell", "team", "rave scout", "cookies", "public folder", "key cert", "sign", "crl sign", "root ca", "authority", "public primary", "global root", "verisign", "academic", "premium", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "agent", "command line", "progress", "yubico", "macos13action", "disableoverride", "disableairdrop", "denyactivation", "enable", "loginwindowtext", "jumpcloud", "autoupdate", "loggingoption", "enablefirewall", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "daemon", "server", "open directory", "user", "account", "kerberos admin", "kerberos change", "device daemon", "network", "desktop", "screensaver", "bridge", "aesxtsarm", "aesecbarm", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "darwin kernel", "wed mar", "wkarraycreate", "wkbooleancreate", "wkcontextcreate", "wkdatacreate", "wkdatagettypeid", "wkdoublecreate", "wkframecopyurl", "wkgettypeid", "wkimagecreate", "wkpagecandelete", "webview", "notice", "this software", "including", "but not", "limited to", "redistribution", "is provided", "by apple", "direct", "damage", "apiavailable", "webkit", "nsswiftname", "document", "a block", "as is", "hasinclude", "wkdownload", "abstract", "wkerrorcode", "wkerrorunknown", "discussion", "bool", "whether", "wkcontentworld", "wkwebview", "javascript", "nsunavailable", "vaargs", "nsswiftasync", "wkswiftasync", "wkcookiepolicy", "wkswiftuiactor", "nshttpcookie", "targetosiphone", "wknavigation", "decides", "boolean value", "apideprecated", "methodkind", "wkerrordomain", "wkscriptmessage", "promise", "fulfill", "const", "url scheme", "mark", "wkuserscript", "targetosvision", "param", "wkframeinfo", "targetosios", "pass", "window", "mime type", "link", "nsimage", "returns", "nsset", "checks", "matches", "a boolean", "defaults", "wkwebextension", "cgsize", "uiimage", "apis", "nsdate", "wkcontentmode", "wkextern", "possible", "cgfloat", "media", "cgrect", "apiunavailable", "framework", "nsswiftuiactor", "targetoswatch", "confirms", "apple upgrade", "nsstring user", "nsobject", "provider", "apple", "password", "uicontrol", "nscontrol", "asuseragerange", "check", "opaque user", "apple id", "initiate", "asauthorization", "operation", "state", "nserrorenum", "nsdata", "relying party", "asapiavailable", "perform", "realm", "http response", "authorization", "http", "oauth", "saml", "a byte", "nsdata userid", "relying", "a string", "nsdata readdata", "bool didwrite", "a cose", "nsdata first", "nsdata second", "nsstring name", "bool appid", "targetosxr", "nsstring appid", "bluetooth", "mdm profile", "nsurl url", "returns yes", "a state", "a json", "web token", "private seckeys", "enables", "keychain", "asswiftsendable", "cose algorithm", "ecdsa", "sha256", "cose curve", "p256", "nullable", "bool success", "remove", "call", "complete", "initializes", "time code", "extensions", "asextern extern", "asextern", "nsswiftsendable", "prepare", "list", "nsextension", "attempt", "nsstring label", "creates", "nsstring code", "a key", "webauthn", "nssecurecoding", "input", "output", "initialize", "nsinteger rank", "json", "inputs", "hash", "nsstring origin", "settings app", "extension", "https urls", "safari", "cancel", "nsuuid uuid", "r uftpexu", "nsmutabledata", "vnsdate", "mprcjy", "postfix", "domain", "canonical", "tables", "ldap", "post", "replace user", "address", "wietse venema", "bugs", "mail", "aliases", "postfix version", "restrict", "sample", "person", "basic system", "general", "reject empty", "postfix smtp", "ipv6 host", "reject", "reply", "access", "prior", "hold", "info", "mail delivery", "charset", "system", "report", "postfix dsn", "mail returned", "this", "generic", "smtp", "isp mail", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "write", "date", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "unix", "cyrus", "path", "uucp", "shell", "local", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "file", "update", "usrsbin", "file format", "no group", "daemondirectory", "deliver mail", "transport", "description", "result format", "virtual", "virtual alias", "redirect mail", "relocated", "matches user", "synopsis", "lastname", "firstname", "apple computer", "tcpip", "supported", "quantum", "facility", "level", "level info", "broadcast", "ignore", "rules", "sender", "automounter map", "use directory", "get home", "home autohome", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "kernel", "readline", "jabber", "group database", "dovecot", "postfix scsd", "networkd", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "status mailfrom", "returnpath via", "pidfile", "flags", "bcgjnuwz", "bin usrsbin", "sbin", "default pf", "care", "audio", "user database", "unix copy", "gate daemon", "bashno", "r etcbashrc", "rfc1323", "m1460", "macos x", "signature", "linux", "opera", "xp sp1", "windows sp1", "nmap syn", "m265", "synack", "mind", "macos", "warp", "ipv6", "internet", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "networkup", "term", "devnull", "common setup", "configure", "set command", "dns hostname", "dns query", "see also", "kame", "sunnet manager", "rpcsrc", "netlicense", "ftpd", "bindash binksh", "binsh bintcsh", "jumpcloud ldap", "smb2", "security", "workgroup", "standalone", "samba server", "enforce", "smb3", "example share", "improper use", "ctrlc", "none", "fax reception", "hardwired", "0007", "must", "visudo", "blocksize", "charset lang", "language lcall", "lines columns", "lscolors", "sshauthsock", "orion", "setup user", "home", "zdotdir", "delete", "beep", "vendor", "kf10", "kf11", "kf12", "kf13", "backspace", "insert", "resume", "termsessionid", "savehist", "sharehistory", "h do", "volume", "de l", "l uuid", "m tra", "n est", "suuid", "prfen", "fusion", "syst", "look", "executant", "alla", "over", "test", "overie", "zapis", "rapid", "disco usa", "de macos", "nie s", "i denne", "adgjmpsvx", "diskgthis disk", "01k8x j", "34disk", "levy kytt", "dict", "array", "plist", "apple root", "code signing", "inode64r", "xofkoxzh", "integer", "doctype", "brain", "abcd", "ogwo", "boaw", "cobwa", "uhawavauatsh", "ip bitmap", "foewdc", "could", "ip block", "funcs", "cogwo", "trash", "double", "hunt", "affa", "carr", "crypto", "docwbac", "q1b0", "q1 0", "h h5", "docwbag", "slice", "format", "zero", "alfa", "hera", "lelei", "hehe", "hisp", "fail", "katy", "zakk", "eodwcbgao", "hhk8di", "alma", "topo", "open", "huhk", "piper", "hehx", "eh ui", "h20hph", "hif h", "hmhhihqhyla hq", "r11b0", "target", "uus10u", "hifh", "loghookfailed", "loghook", "hell", "q1b 0", "f duh", "aqw1", "1160" ], "references": [ "index.html.en", "bind.html", "caching.html", "BUILDING", "configuring.html", "content-negotiation.html", "custom-error.html", "convenience.map", "LDAP.tbd", "lber.h", "ldap.h", "LocalAuthentication.tbd", "arm64e-apple-macos.swiftinterface", "x86_64-apple-ios-macabi.swiftinterface", "arm64e-apple-ios-macabi.swiftinterface", "x86_64-apple-macos.swiftinterface", "MultipeerConnectivity.tbd", "module.modulemap", "MCNearbyServiceAdvertiser.h", "MCPeerID.h", "MCError.h", "MCNearbyServiceBrowser.h", "MCAdvertiserAssistant.h", "MultipeerConnectivity.apinotes", "MultipeerConnectivity.h", "MCSession.h", "MCBrowserViewController.h", "dbivport.h", "dbi_sql.h", "dbd_xsh.h", "dbixs_rev.h", "Driver_xst.h", "DBIXS.h", "hook_op_check.h", "Admin.tbd", "AirPlayReceiver.tbd", "apfs_boot_mount.tbd", "AOSKit.tbd", "APConfigurationSystem.tbd", "AppleFirmwareUpdate.tbd", "launchdaemons.txt", "preboot_archive_errors.log", "mounts.txt", "launchagents.txt", "disk_structure.txt", "user_launchagents.txt", "security_status.txt", "kexts.txt", "process_list.txt", "battery.csv", "diskEncryption.csv", "chromeExtensions.csv", "crashes.csv", "interfaceAddrs.csv", "kernel.csv", "interfaceDetails.csv", "etcHosts.csv", "applications.csv", "mounts.csv", "sharedFolders.csv", "certificates.csv", "sharingPreferences.csv", "launchD.csv", "usbDevices.csv", "managedPolicies.csv", "systemInfo.csv", "users.csv", "sipConfig.csv", "systemControls.csv", "canonical", "aliases", "custom_header_checks", "access", "bounce.cf.default", "generic", "header_checks", "main.cf.default", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "main.cf.proto", "master.cf.proto", "master.cf", "TLS_LICENSE", "postfix-files", "transport", "virtual", "relocated", "afpovertcp.cfg", "asl.conf", "auto_home", "auto_master", "autofs.conf", "bashrc_Apple_Terminal", "com.apple.screensharing.agent.launchd", "bashrc", "command_args.json", "csh.cshrc", "csh.login", "find.codes", "csh.logout", "ftpusers", "gettytab", "irbrc", "kern_loader.conf", "group", "locate.rc", "man.conf", "mail.rc", "manpaths", "networks", "nfs.conf", "newsyslog.conf", "ntp_opendirectory.conf", "ntp.conf", "notify.conf", "paths", "pf.conf", "passwd", "profile", "pf.os", "protocols", "rc.netboot", "rc.common", "rmtab", "resolv.conf", "rtadvd.conf", "rpc", "shells", "smb.conf", "sudo_lecture", "ttys", "syslog.conf", "xtab", "sudoers", "zprofile", "zshrc", "zshrc_Apple_Terminal", "CodeResources", "version.plist", "Info.plist" ], "public": 1, "adversary": "DragonForce Malaysia Hacker Group", "targeted_countries": [], "malware_families": [ { "id": "Lastname", "display_name": "Lastname", "target": null }, { "id": "Firstname", "display_name": "Firstname", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 4449, "domain": 3847, "URL": 14263, "FileHash-SHA256": 2356, "FileHash-MD5": 223, "FileHash-SHA1": 523, "email": 223, "CVE": 40, "CIDR": 12, "SSLCertFingerprint": 302 }, "indicator_count": 26238, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "342 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6783747341bbde9b111920d8", "name": "SP10 \u2013 Szko\u0142a Podstawowa nr 10 im. Marii Sk\u0142odowskiej-Curie w Jeleniej G\u00f3rze", "description": "CVE-2024-1975\nHere is a full list of annotations and links to the work of the University ofzechoslovakia's research team, which has been working on the topic for the past two years. \u00c2\u00a31.", "modified": "2025-02-11T07:03:07.817000", "created": "2025-01-12T07:51:13.989000", "tags": [ "user", "datamodule info", "sha256", "ssdeep", "hashes cape", "sandbox", "zenbox", "file system", "color space", "cache c", "shell" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28, "FileHash-MD5": 9, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "URL": 248, "hostname": 39, "CVE": 2 }, "indicator_count": 331, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "432 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "671fd3b07ffb71116f2db7fa", "name": "dragonforce.io", "description": "Throw your MacBook in the trash, where the hackers belong.", "modified": "2024-11-27T17:01:13.516000", "created": "2024-10-28T18:10:56.355000", "tags": [ "copyright", "apple computer", "tcpip", "supported", "quantum", "postfix", "mail", "aliases", "postfix version", "restrict", "wietse venema", "sample", "note", "person", "basic system", "general", "column", "tiff", "linus walleij", "triad", "greg roelofs", "html", "daniel quinlan", "aiff", "music", "wave", "formats", "magic", "form", "crunch", "freeze", "maker", "format", "postscript", "this", "ifmodule", "include", "virtualhost", "directory", "require", "serverroot", "listen", "ifdefine", "loadmodule", "errordocument", "apache", "win32", "example", "main", "webdav", "internet", "mime type", "xlm xla", "xlc xlt", "xlam", "xlsb", "xlsm", "xltm", "z7 z8", "xhtml xht", "addiconbytype", "adddescription", "fancyindexed", "gzip", "indexignore", "indexes", "versionsort", "fancyindexing", "alias icons", "full", "minrate500", "keepalive", "prod", "email", "apache http", "server", "timeout", "number", "minimal", "major", "addlanguage", "addcharset", "defaultlanguage", "fallback", "polish", "addlanguage pl", "catalan", "english", "greekmodern", "korean", "turkish", "browsermatch", "davlockdb", "requireany", "usergroup", "alias", "authtype digest", "davupload admin", "authuserfile", "errorhttp", "http", "yourincludepath", "apache version", "serversignature", "alias error", "addhandler", "threadsperchild", "startservers", "minsparethreads", "maxsparethreads", "maximum number", "pidfile", "mpms", "threadstacksize", "extendedstatus", "change", "sethandler", "require host", "get information", "allow server", "allow", "userdir sites", "control access", "userdir", "sslsessioncache", "configure", "ocsp stapling", "ssl engine", "sslrequire", "ssltls standard", "prng", "sslrandomseed", "openssl", "high", "first", "refer", "servername", "virtualhost 80", "serveradmin", "documentroot", "errorlog", "customlog", "hosts", "please", "almost", "loadfile c", "proxyhtmllinks", "ascii", "unicode", "windows", "must", "location", "w3c html", "directoryindex", "allowoverride", "manual", "provide access", "options indexes", "files", "removetype tr", "traditionally", "addlanguage da", "addtype", "a facility", "claim", "file", "level error", "sender", "store", "level", "facility", "category", "time", "host", "threadid", "function", "line", "message", "guest", "access", "kernel", "usereventagent", "springboard", "message sep", "message mc", "message secure", "ca message", "multitouchhid", "use directory", "home autohome", "automounter map", "get home", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "level info", "broadcast", "ignore", "rules", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "terminal", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "limit", "order deny", "authtype", "default require", "require user", "owner", "authkey", "lpadmin", "order", "system", "local", "cups scheduler", "list", "synconclose no", "default user", "user lp", "group lp", "group value", "restrict access", "cups", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "host database", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "readline", "error", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "status mailfrom", "returnpath via", "open directory", "jabber", "group database", "cyrus", "calendar", "dovecot", "postfix scsd", "networkd", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "flags", "bcgjnuwz", "d0 j", "ldap defaults", "base dcexample", "uri ldap", "sizelimit", "timelimit", "deref", "syntax", "kerberos", "name", "corba object", "desc", "schema", "openldap", "redistribution", "public license", "license", "collective", "shall not", "ldap", "co llective", "equality", "sup name", "structural must", "singlevalue", "auxiliary must", "auxiliary may", "guid", "desc account", "desc mount", "desc password", "service", "info", "tiger", "multi", "d esc", "rfc1274", "structural may", "quality", "substr caseigno", "corba", "ldap directory", "reserved", "ldap server", "dynamic group", "netscape", "not recommended", "for production", "attribute", "name managedby", "name leaf", "duas", "internetdrafts", "coast", "project", "java object", "java class", "de sc", "pkcs", "inetorgperson", "rfc2798", "signeddata", "smime", "openldap note", "hold", "code", "java", "jndi reference", "jndi", "with syntax", "definitions", "kerberos v", "kdc schema", "oid base", "size", "subclass of", "may contain", "objectclass", "must contain", "matches for", "obsolete", "des c", "abstract must", "sup person", "microsoft", "advanced server", "schema mapping", "netinfo", "config", "groups", "netinfo preset", "crypt", "netinfo rpcs", "rpcs number", "oncrpcnumber", "ipnetmasknumber", "assistant", "may description", "rfc2307", "rfc2252", "match syntax", "openldaproot", "openldaporg", "openldapou", "equal ity", "kind", "rule", "attcertpath", "rolesyntax", "ldif", "blank", "ldap entry", "spaces", "cosine pilot", "directory forum", "password policy", "false", "april", "auxiliary", "passwd", "account", "desc pool", "unix", "structural", "sup rpcentry", "sup container", "abstract may", "sup ipsecbase", "Chelsea Manning Help Me", "Aishah Siti Lazim", "Aishah Lazim", "194 Green Street", "Human Subjects", "cybernetic", "RNA molecule", "matches", "postfix smtp", "domain", "ipv6 host", "reject", "reply", "prior", "bugs", "reject empty", "canonical", "tables", "post", "replace user", "address", "generic", "smtp", "isp mail", "mail delivery", "charset", "report", "postfix dsn", "mail returned", "only", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "pass", "write", "date", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "path", "beware", "class", "uucp", "shell", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "update", "usrsbin", "file format", "no group", "daemondirectory", "relocated", "matches user", "synopsis", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "virtual", "virtual alias", "redirect mail", "deliver mail", "transport", "description", "result format", "bashno", "r etcbashrc", "protocol", "ipv6", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "kame", "id key", "specification", "auto exit", "vpn socket", "networkup", "term", "devnull", "common setup", "set command", "sunnet manager", "rpcsrc", "netlicense", "apple", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "auditing", "solaris", "openbsm", "secsrvr", "allocation", "bsm event", "solaris kernel", "openbsm kernel", "solaris auemac", "solaris umount", "integer", "array", "data", "state", "opendirectoryd", "ipv4", "plist", "dict", "session", "commcenter", "airport", "cfbasichash", "thread", "cfrunloop", "cfrunloopmode", "usrbinsudo", "usrsbinnetbiosd", "removed" ], "references": [ "afpovertcp.cfg", "aliases", "magic", "httpd.conf", "mime.types", "httpd-autoindex.conf", "httpd-default.conf", "httpd-languages.conf", "httpd-dav.conf", "httpd-multilang-errordoc.conf", "httpd-mpm.conf", "httpd-info.conf", "httpd-userdir.conf", "httpd-ssl.conf", "httpd-vhosts.conf", "proxy-html.conf", "httpd-manual.conf", "php7.conf", "mpm.conf", "com.apple.eventmonitor", "com.apple.authd", "com.apple.cdscheduler", "com.apple.contacts.ContactsAutocomplete", "com.apple.install", "com.apple.coreduetd", "com.apple.login.guest", "com.apple.mkb", "com.apple.mail", "com.apple.MessageTracer", "com.apple.mkb.internal", "com.apple.iokit.power", "com.apple.performance", "com.apple.networking.boringssl", "auto_master", "auto_home", "bashrc", "asl.conf", "autofs.conf", "bashrc_Apple_Terminal", "csh.cshrc", "csh.logout", "com.apple.screensharing.agent.launchd", "csh.login", "cupsd.conf", "cups-files.conf.default", "cupsd.conf.O", "cupsd.conf.default", "cups-files.conf", "snmp.conf", "snmp.conf.default", "dragonforce.io", "find.codes", "ftpusers", "hosts.equiv", "gettytab", "hosts", "kern_loader.conf", "irbrc", "locate.rc", "mail.rc", "group", "man.conf", "networks", "manpaths", "newsyslog.conf", "com.apple.slapconfig.conf", "files.conf", "com.apple.xscertd.conf", "wifi.conf", "com.apple.slapd.conf", "nfs.conf", "ntp.conf", "notify.conf", "ntp_opendirectory.conf", "AppleOpenLDAP.plist", "ldap.conf", "ldap.conf.default", "apple_auxillary.schema", "corba.ldif", "collective.schema", "collective.ldif", "core.ldif", "apple.schema", "cosine.ldif", "core.schema", "corba.schema", "duaconf.ldif", "dyngroup.ldif", "fmserver.schema", "duaconf.schema", "java.ldif", "inetorgperson.schema", "inetorgperson.ldif", "java.schema", "krb5-kdc.schema", "cosine.schema", "misc.ldif", "microsoft.std.schema", "misc.schema", "netinfo.schema", "nis.schema", "nis.ldif", "openldap.schema", "dyngroup.schema", "pmi.ldif", "ppolicy.ldif", "pmi.schema", "openldap.ldif", "README", "ppolicy.schema", "samba.schema", "microsoft.schema", "access", "custom_header_checks", "canonical", "generic", "bounce.cf.default", "header_checks", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "master.cf", "main.cf.proto", "master.cf.proto", "postfix-files", "relocated", "TLS_LICENSE", "virtual", "main.cf.default", "transport", "profile", "protocols", "racoon.conf", "rmtab", "rc.common", "rpc", "rtadvd.conf", "rc.netboot", "audit_class", "audit_warn", "audit_event", "audit_control" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Bahrain", "Israel", "India" ], "malware_families": [ { "id": "DirectoryIndex", "display_name": "DirectoryIndex", "target": null }, { "id": "AllowOverride", "display_name": "AllowOverride", "target": null }, { "id": "Malaysia, Truly Asia", "display_name": "Malaysia, Truly Asia", "target": null }, { "id": "9002 RAT", "display_name": "9002 RAT", "target": null }, { "id": "Virus:DOS/PSMPC_386", "display_name": "Virus:DOS/PSMPC_386", "target": "/malware/Virus:DOS/PSMPC_386" }, { "id": "TEL:TrojanSpy:Win32/KediRat", "display_name": "TEL:TrojanSpy:Win32/KediRat", "target": null }, { "id": "TrojanSpy:iOS/XcodeGhost", "display_name": "TrojanSpy:iOS/XcodeGhost", "target": "/malware/TrojanSpy:iOS/XcodeGhost" }, { "id": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "display_name": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "target": null }, { "id": "Ultra VNC", "display_name": "Ultra VNC", "target": null }, { "id": "TrojanDownloader:Win32/Bridge", "display_name": "TrojanDownloader:Win32/Bridge", "target": "/malware/TrojanDownloader:Win32/Bridge" }, { "id": "Virus:DOS/Cyberwar_5300", "display_name": "Virus:DOS/Cyberwar_5300", "target": "/malware/Virus:DOS/Cyberwar_5300" }, { "id": "Backdoor:Win32/Espion", "display_name": "Backdoor:Win32/Espion", "target": "/malware/Backdoor:Win32/Espion" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - S0316", "display_name": "Pegasus for Android - S0316", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:BackdoorLinux/Mirai", "display_name": "ALF:HeraklezEval:BackdoorLinux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1001.002", "name": "Steganography", "display_name": "T1001.002 - Steganography" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1001.001", "name": "Junk Data", "display_name": "T1001.001 - Junk Data" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1026", "name": "Multiband Communication", "display_name": "T1026 - Multiband Communication" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1025", "name": "Data from Removable Media", "display_name": "T1025 - Data from Removable Media" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Media", "LGBTQ+ Activists", "Technology", "Telecommunications", "Hospitality", "Energy", "NGO", "Semiconductor", "Human Subjects" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ravescoutllc.", "id": "288912", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 669, "URL": 1976, "email": 21, "hostname": 1198, "FileHash-SHA256": 277, "CVE": 2, "CIDR": 3 }, "indicator_count": 4146, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "507 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "671fd3afa974b93284d6bac1", "name": "dragonforce.io", "description": "Throw your MacBook in the trash, where the hackers belong.", "modified": "2024-11-27T17:01:13.516000", "created": "2024-10-28T18:10:55.712000", "tags": [ "copyright", "apple computer", "tcpip", "supported", "quantum", "postfix", "mail", "aliases", "postfix version", "restrict", "wietse venema", "sample", "note", "person", "basic system", "general", "column", "tiff", "linus walleij", "triad", "greg roelofs", "html", "daniel quinlan", "aiff", "music", "wave", "formats", "magic", "form", "crunch", "freeze", "maker", "format", "postscript", "this", "ifmodule", "include", "virtualhost", "directory", "require", "serverroot", "listen", "ifdefine", "loadmodule", "errordocument", "apache", "win32", "example", "main", "webdav", "internet", "mime type", "xlm xla", "xlc xlt", "xlam", "xlsb", "xlsm", "xltm", "z7 z8", "xhtml xht", "addiconbytype", "adddescription", "fancyindexed", "gzip", "indexignore", "indexes", "versionsort", "fancyindexing", "alias icons", "full", "minrate500", "keepalive", "prod", "email", "apache http", "server", "timeout", "number", "minimal", "major", "addlanguage", "addcharset", "defaultlanguage", "fallback", "polish", "addlanguage pl", "catalan", "english", "greekmodern", "korean", "turkish", "browsermatch", "davlockdb", "requireany", "usergroup", "alias", "authtype digest", "davupload admin", "authuserfile", "errorhttp", "http", "yourincludepath", "apache version", "serversignature", "alias error", "addhandler", "threadsperchild", "startservers", "minsparethreads", "maxsparethreads", "maximum number", "pidfile", "mpms", "threadstacksize", "extendedstatus", "change", "sethandler", "require host", "get information", "allow server", "allow", "userdir sites", "control access", "userdir", "sslsessioncache", "configure", "ocsp stapling", "ssl engine", "sslrequire", "ssltls standard", "prng", "sslrandomseed", "openssl", "high", "first", "refer", "servername", "virtualhost 80", "serveradmin", "documentroot", "errorlog", "customlog", "hosts", "please", "almost", "loadfile c", "proxyhtmllinks", "ascii", "unicode", "windows", "must", "location", "w3c html", "directoryindex", "allowoverride", "manual", "provide access", "options indexes", "files", "removetype tr", "traditionally", "addlanguage da", "addtype", "a facility", "claim", "file", "level error", "sender", "store", "level", "facility", "category", "time", "host", "threadid", "function", "line", "message", "guest", "access", "kernel", "usereventagent", "springboard", "message sep", "message mc", "message secure", "ca message", "multitouchhid", "use directory", "home autohome", "automounter map", "get home", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "level info", "broadcast", "ignore", "rules", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "terminal", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "limit", "order deny", "authtype", "default require", "require user", "owner", "authkey", "lpadmin", "order", "system", "local", "cups scheduler", "list", "synconclose no", "default user", "user lp", "group lp", "group value", "restrict access", "cups", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "host database", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "readline", "error", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "status mailfrom", "returnpath via", "open directory", "jabber", "group database", "cyrus", "calendar", "dovecot", "postfix scsd", "networkd", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "flags", "bcgjnuwz", "d0 j", "ldap defaults", "base dcexample", "uri ldap", "sizelimit", "timelimit", "deref", "syntax", "kerberos", "name", "corba object", "desc", "schema", "openldap", "redistribution", "public license", "license", "collective", "shall not", "ldap", "co llective", "equality", "sup name", "structural must", "singlevalue", "auxiliary must", "auxiliary may", "guid", "desc account", "desc mount", "desc password", "service", "info", "tiger", "multi", "d esc", "rfc1274", "structural may", "quality", "substr caseigno", "corba", "ldap directory", "reserved", "ldap server", "dynamic group", "netscape", "not recommended", "for production", "attribute", "name managedby", "name leaf", "duas", "internetdrafts", "coast", "project", "java object", "java class", "de sc", "pkcs", "inetorgperson", "rfc2798", "signeddata", "smime", "openldap note", "hold", "code", "java", "jndi reference", "jndi", "with syntax", "definitions", "kerberos v", "kdc schema", "oid base", "size", "subclass of", "may contain", "objectclass", "must contain", "matches for", "obsolete", "des c", "abstract must", "sup person", "microsoft", "advanced server", "schema mapping", "netinfo", "config", "groups", "netinfo preset", "crypt", "netinfo rpcs", "rpcs number", "oncrpcnumber", "ipnetmasknumber", "assistant", "may description", "rfc2307", "rfc2252", "match syntax", "openldaproot", "openldaporg", "openldapou", "equal ity", "kind", "rule", "attcertpath", "rolesyntax", "ldif", "blank", "ldap entry", "spaces", "cosine pilot", "directory forum", "password policy", "false", "april", "auxiliary", "passwd", "account", "desc pool", "unix", "structural", "sup rpcentry", "sup container", "abstract may", "sup ipsecbase", "Chelsea Manning Help Me", "Aishah Siti Lazim", "Aishah Lazim", "194 Green Street", "Human Subjects", "cybernetic", "RNA molecule", "matches", "postfix smtp", "domain", "ipv6 host", "reject", "reply", "prior", "bugs", "reject empty", "canonical", "tables", "post", "replace user", "address", "generic", "smtp", "isp mail", "mail delivery", "charset", "report", "postfix dsn", "mail returned", "only", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "pass", "write", "date", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "path", "beware", "class", "uucp", "shell", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "update", "usrsbin", "file format", "no group", "daemondirectory", "relocated", "matches user", "synopsis", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "virtual", "virtual alias", "redirect mail", "deliver mail", "transport", "description", "result format", "bashno", "r etcbashrc", "protocol", "ipv6", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "kame", "id key", "specification", "auto exit", "vpn socket", "networkup", "term", "devnull", "common setup", "set command", "sunnet manager", "rpcsrc", "netlicense", "apple", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "auditing", "solaris", "openbsm", "secsrvr", "allocation", "bsm event", "solaris kernel", "openbsm kernel", "solaris auemac", "solaris umount", "integer", "array", "data", "state", "opendirectoryd", "ipv4", "plist", "dict", "session", "commcenter", "airport", "cfbasichash", "thread", "cfrunloop", "cfrunloopmode", "usrbinsudo", "usrsbinnetbiosd", "removed" ], "references": [ "afpovertcp.cfg", "aliases", "magic", "httpd.conf", "mime.types", "httpd-autoindex.conf", "httpd-default.conf", "httpd-languages.conf", "httpd-dav.conf", "httpd-multilang-errordoc.conf", "httpd-mpm.conf", "httpd-info.conf", "httpd-userdir.conf", "httpd-ssl.conf", "httpd-vhosts.conf", "proxy-html.conf", "httpd-manual.conf", "php7.conf", "mpm.conf", "com.apple.eventmonitor", "com.apple.authd", "com.apple.cdscheduler", "com.apple.contacts.ContactsAutocomplete", "com.apple.install", "com.apple.coreduetd", "com.apple.login.guest", "com.apple.mkb", "com.apple.mail", "com.apple.MessageTracer", "com.apple.mkb.internal", "com.apple.iokit.power", "com.apple.performance", "com.apple.networking.boringssl", "auto_master", "auto_home", "bashrc", "asl.conf", "autofs.conf", "bashrc_Apple_Terminal", "csh.cshrc", "csh.logout", "com.apple.screensharing.agent.launchd", "csh.login", "cupsd.conf", "cups-files.conf.default", "cupsd.conf.O", "cupsd.conf.default", "cups-files.conf", "snmp.conf", "snmp.conf.default", "dragonforce.io", "find.codes", "ftpusers", "hosts.equiv", "gettytab", "hosts", "kern_loader.conf", "irbrc", "locate.rc", "mail.rc", "group", "man.conf", "networks", "manpaths", "newsyslog.conf", "com.apple.slapconfig.conf", "files.conf", "com.apple.xscertd.conf", "wifi.conf", "com.apple.slapd.conf", "nfs.conf", "ntp.conf", "notify.conf", "ntp_opendirectory.conf", "AppleOpenLDAP.plist", "ldap.conf", "ldap.conf.default", "apple_auxillary.schema", "corba.ldif", "collective.schema", "collective.ldif", "core.ldif", "apple.schema", "cosine.ldif", "core.schema", "corba.schema", "duaconf.ldif", "dyngroup.ldif", "fmserver.schema", "duaconf.schema", "java.ldif", "inetorgperson.schema", "inetorgperson.ldif", "java.schema", "krb5-kdc.schema", "cosine.schema", "misc.ldif", "microsoft.std.schema", "misc.schema", "netinfo.schema", "nis.schema", "nis.ldif", "openldap.schema", "dyngroup.schema", "pmi.ldif", "ppolicy.ldif", "pmi.schema", "openldap.ldif", "README", "ppolicy.schema", "samba.schema", "microsoft.schema", "access", "custom_header_checks", "canonical", "generic", "bounce.cf.default", "header_checks", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "master.cf", "main.cf.proto", "master.cf.proto", "postfix-files", "relocated", "TLS_LICENSE", "virtual", "main.cf.default", "transport", "profile", "protocols", "racoon.conf", "rmtab", "rc.common", "rpc", "rtadvd.conf", "rc.netboot", "audit_class", "audit_warn", "audit_event", "audit_control" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Bahrain", "Israel", "India" ], "malware_families": [ { "id": "DirectoryIndex", "display_name": "DirectoryIndex", "target": null }, { "id": "AllowOverride", "display_name": "AllowOverride", "target": null }, { "id": "Malaysia, Truly Asia", "display_name": "Malaysia, Truly Asia", "target": null }, { "id": "9002 RAT", "display_name": "9002 RAT", "target": null }, { "id": "Virus:DOS/PSMPC_386", "display_name": "Virus:DOS/PSMPC_386", "target": "/malware/Virus:DOS/PSMPC_386" }, { "id": "TEL:TrojanSpy:Win32/KediRat", "display_name": "TEL:TrojanSpy:Win32/KediRat", "target": null }, { "id": "TrojanSpy:iOS/XcodeGhost", "display_name": "TrojanSpy:iOS/XcodeGhost", "target": "/malware/TrojanSpy:iOS/XcodeGhost" }, { "id": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "display_name": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "target": null }, { "id": "Ultra VNC", "display_name": "Ultra VNC", "target": null }, { "id": "TrojanDownloader:Win32/Bridge", "display_name": "TrojanDownloader:Win32/Bridge", "target": "/malware/TrojanDownloader:Win32/Bridge" }, { "id": "Virus:DOS/Cyberwar_5300", "display_name": "Virus:DOS/Cyberwar_5300", "target": "/malware/Virus:DOS/Cyberwar_5300" }, { "id": "Backdoor:Win32/Espion", "display_name": "Backdoor:Win32/Espion", "target": "/malware/Backdoor:Win32/Espion" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - S0316", "display_name": "Pegasus for Android - S0316", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:BackdoorLinux/Mirai", "display_name": "ALF:HeraklezEval:BackdoorLinux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1001.002", "name": "Steganography", "display_name": "T1001.002 - Steganography" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1001.001", "name": "Junk Data", "display_name": "T1001.001 - Junk Data" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1026", "name": "Multiband Communication", "display_name": "T1026 - Multiband Communication" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1025", "name": "Data from Removable Media", "display_name": "T1025 - Data from Removable Media" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Media", "LGBTQ+ Activists", "Technology", "Telecommunications", "Hospitality", "Energy", "NGO", "Semiconductor", "Human Subjects" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ravescoutllc.", "id": "288912", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 669, "URL": 1976, "email": 21, "hostname": 1198, "FileHash-SHA256": 277, "CVE": 2, "CIDR": 3 }, "indicator_count": 4146, "is_author": false, "is_subscribing": null, "subscriber_count": 33, "modified_text": "507 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://qy.jiexigu.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://qy.jiexigu.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776598640.1320121 }