{ "type": "URL", "indicator": "https://rampf-group.com.vm03.iveins.de/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://rampf-group.com.vm03.iveins.de/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4152438527, "indicator": "https://rampf-group.com.vm03.iveins.de/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6935c92c5fc93fd873c6aa6d", "name": "[COINBASECARTEL] - Ransomware Victim: Cinvestav - RedPacket Security | CVE-2025-11727 (New)", "description": "Related to multiple exploits. Government Cyber Defense implications but shows as very legitimate looking masquerading. I am not positive and don\u2019t want to move to Belfast. Populated NSA [.] gov domains and subdomains (w/o no headers) lightly researched but does not assert a government identity. \n*New CVE-2025-11727", "modified": "2026-01-06T18:04:02.620000", "created": "2025-12-07T18:36:28.055000", "tags": [ "memcommit", "read c", "t1082", "cryptexportkey", "invalid pointer", "write", "msil", "malware", "media", "autorun", "countries", "united", "america", "high defense", "evasion", "t1055", "ck technique", "technique id", "allocates", "potential code", "attempts", "threatintel", "dark web", "coinbasecartel", "ransomware", "osint", "tor", "data breach", "cinvestav", "ai generated", "ransomware leak", "page", "november", "investigacin y", "nacional", "mexican", "mexico", "present nov", "verdana", "td tr", "passive dns", "ip address", "urls", "aaaa", "present may", "present oct", "present jul", "virtool", "present sep", "present jun", "win32", "default", "unicode", "png image", "rgba", "high", "dock", "execution", "xport", "unknown", "data upload", "extraction", "will", "data", "name cloudflare", "hostmaster name", "org cloudflare", "townsend st", "city san", "us creation", "kelihos", "ipv4", "present dec", "files", "domain", "search", "hostname", "verdict", "location united", "asn as16625", "akamai", "urls show", "date checked", "url hostname", "server response", "google safe", "results nov", "present aug", "backdoor", "msie", "chrome", "trojan", "mtb aug", "worm", "cryp", "junkpoly", "twitter", "trojandropper", "title", "germany unknown", "ipv4 add", "pulse pulses", "hosting", "reverse dns", "cologne", "search engine", "gse compromised", "redacted for", "privacy admin", "privacy tech", "server", "organization", "street", "city", "stateprovince", "postal code", "country", "resolver domain", "cape sa", "virustot", "type pdf", "name", "lookups", "email abuse", "historical ssl", "certificates", "first", "graph summary", "cname", "address", "ip2location", "bogon ip", "admin", "network", "wifi password", "ssid", "demo", "details", "failed", "include review", "exclude sugges", "onlv", "x try", "find s", "typ url", "url data", "severity att", "module load", "icmp traffic", "dns query", "t1055 jseval", "windows nt", "port", "entries", "destination", "medium", "show", "pecompact", "june", "service", "next", "xserver", "encrypt", "t1129", "windows module", "dlls", "convention", "windows native" ], "references": [ "Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS", "Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "hallplan.vm05.iveins.de", "https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c", "Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx", "Name : iveins.de Service : connect", "https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com", "phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com", "https://otx.alienvault.com/indicator/cve/CVE-2025-11727" ], "public": 1, "adversary": "COINBASECARTEL", "targeted_countries": [ "United States of America", "Sweden", "Bangladesh", "Japan" ], "malware_families": [ { "id": "Trojan:Win32/Tiggre!rfn", "display_name": "Trojan:Win32/Tiggre!rfn", "target": "/malware/Trojan:Win32/Tiggre!rfn" }, { "id": "MSIL:Agent-DQ\\ [Trj]", "display_name": "MSIL:Agent-DQ\\ [Trj]", "target": null }, { "id": "VirTool:MSIL/Covent.A", "display_name": "VirTool:MSIL/Covent.A", "target": "/malware/VirTool:MSIL/Covent.A" }, { "id": "Trojan:Win32/Pynamer!rfn", "display_name": "Trojan:Win32/Pynamer!rfn", "target": "/malware/Trojan:Win32/Pynamer!rfn" }, { "id": "Win64:TrojanX", "display_name": "Win64:TrojanX", "target": null }, { "id": "VirTool:MSIL/Covent", "display_name": "VirTool:MSIL/Covent", "target": "/malware/VirTool:MSIL/Covent" }, { "id": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea", "display_name": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "Kelihos", "display_name": "Kelihos", "target": null }, { "id": "CVE-2025-11727", "display_name": "CVE-2025-11727", "target": null }, { "id": "Exploit:JS/CVE-2014-0322", "display_name": "Exploit:JS/CVE-2014-0322", "target": "/malware/Exploit:JS/CVE-2014-0322" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" } ], "industries": [ "Education" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 117, "FileHash-SHA256": 1746, "URL": 5018, "hostname": 1827, "domain": 1072, "CVE": 3, "email": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9938, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "103 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692cb6dc24da17618e3d9da6", "name": "Mirai Botnet | HackTool Powershell targets LinkedIn User | 192.168.1.1 \u2022 Remote Inbound Outbound Connection", "description": "Linux Malware - LinkedIn- True Mirai Botnet (192.168.1.1) (Never Connect) Incredibly powerful attack targeting LinkedIn users. In this instance the target is an ex husband of a target. |\nNDO Group relationships seen. This is a Botnet. \n\nMay be \u2018framing\u2019 attack that was launched in 2014. Attackers sent a clear message to target that she + husband would be arrested and charged with possession of 1000\u2019s of \u2018child pornography\u2019 pictures. \n\nAttack 10/10 malicious. Worked from separate system in separate location. Hackers unlocked a device, zero clicks, removed PSW. Tulach malware seen a profile \u2018Michael Robert\u2019s of Rexxfield\u2019 may be entity (NSA) with a face like Tulach. Uses the most WILD compromises. Government contractors? \n\nSame attackers brought down Prudentials \u2018Assurance\u2019 Medicare system forever.\n ESET hackers only allowing \u2018bad traffic\u2019 .", "modified": "2025-12-30T19:04:40.430000", "created": "2025-11-30T21:27:56.239000", "tags": [ "enter", "extract", "enter source", "urls", "address", "remote connect", "private ip", "sql", "inject", "montserrat", "script urls", "germany unknown", "xml title", "wiesinger", "style", "ip address", "script domains", "body doctype", "encrypt", "botnet", "dropper", "unix", "resolverror", "et exploit", "outbound", "mirai variant", "useragent", "inbound", "et trojan", "et webserver", "scan mirai", "hello", "execution", "mirai", "malware", "shell", "nids", "ids detections", "wget command", "http headers", "dlink devices", "home network", "mvpower dvr", "shell uce", "mirai elf", "linux malware", "is__elf", "cnc", "meta http", "content", "gmt server", "files", "reverse dns", "germany", "ismaning", "germany asn", "as5539 spacenet", "germany https", "auto generated security (?)", "redacted for", "name servers", "aaaa", "search", "for privacy", "title", "intel", "ms windows", "pe32", "process32nextw", "write c", "mssql port", "hash", "beapy", "bit32bit", "agent", "write", "hacktool", "win32", "next", "suspicious user", "pybeapy cnc", "checkin", "w32beapy cnc", "beacon", "module load", "external ip", "lookup", "home assistant", "intptr", "uint32", "type", "parameter", "oldprotectflag", "mandatory", "throw", "position", "lkshkdandl", "success", "info", "powershell", "null", "error", "date hash", "next yara", "detections name", "medium", "graph tree", "sample", "sample hash", "exec bypass", "c ipconfig", "world", "jaws webserver", "chmod usage", "strings", "extraction", "data upload", "extre", "include data", "hos hos", "y se", "sugges", "find s", "typ hos", "hos data", "hos hostname", "hos host", "extr data", "tethering", "tulach", "114.114.114.114", "passive dns", "pulse pulses", "http", "related nids", "files location", "united", "flag united", "files domain", "next associated", "ipv4 add", "delphi", "read c", "packing t1045", "t1045", "worm", "code", "june", "irc nick command", "irc", "meta", "status", "record value", "unknown aaaa", "expiration", "url http", "indicator role", "pulses url", "no expiration", "url https", "url url", "o url", "request review", "hosting", "unknown", "medium security", "extra data", "failed", "linkedin", "url add", "ireland flag", "ireland", "dublin", "ireland asn", "as16509", "spyware", "nso", "nso group", "pegasus related", "nso related", "framing", "porn", "python", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "apple", "192.168.1.1", "law", "attorney" ], "references": [ "192.168.1.1 - WOW! Use your old equipment in a non - residential environment", "http://xn.com/ \u2022 www.xn--linkedinxn-6u6e.com \u2022 http://www.linkedin-xn.com/ \u2022 www.linkedin-xn.com", "Powerful Exploit: https://otx.alienvault.com/indicator/file/ba32802bdd1f0b91cf8c667b94426d73ee654ba0", "Mirai Botnet - *Inbound & Outbound connection", "IDS Detections: *WGET Command Specifying Output in HTTP Headers", "IDS Detections: *D-Link Devices Home Network Administration Protocol Command Execution", "IDS Detections: *JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: *MVPower DVR Shell UCE *Mirai Variant User-Agent (Outbound)", "Yara : Yara Detections : SUSP_XORed_Mozilla , Linux_MiningSoftware , is__elf", "Alerts : dead_host nids_exploit_alert nids_malware_alert persistency_initd network_icmp", "Alerts : tcp_syn_scan nolookup_communication network_cnc_http network_http", "Alerts : network_http_post nids_alert chmod_syscall writes_to_stdout", "Other Mitre ATT&CK T1480 T1553.00 T1027.013 T1057 T1069.002 T1071\tT1071.004", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/video/search?search=tsara+brashears", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "pornokind.vgt.pl \u2022 https://pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl/", "pornlynx.com \u2022 www.pornhub.com \u2022 www.anyxxxtube.com", "https://frostty12ice.info/ \u2022 https://lawhubh.info", "Needs researching: http://lib.jerusalem.muni.il.il \u2022 https://lib.jerusalem.muni.il.il" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unix.Dropper.Botnet-6566040-0", "display_name": "Unix.Dropper.Botnet-6566040-0", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Montserrat", "display_name": "Montserrat", "target": null }, { "id": "Beapy", "display_name": "Beapy", "target": null }, { "id": "HackTool:Win32/PowerSploit!rfn", "display_name": "HackTool:Win32/PowerSploit!rfn", "target": "/malware/HackTool:Win32/PowerSploit!rfn" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Worm:Win32/Mydoom.PB!MTB", "display_name": "Worm:Win32/Mydoom.PB!MTB", "target": "/malware/Worm:Win32/Mydoom.PB!MTB" } ], "attack_ids": [ { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0036", "name": "Exfiltration", "display_name": "TA0036 - Exfiltration" }, { "id": "TA0039", "name": "Remote Service Effects", "display_name": "TA0039 - Remote Service Effects" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" } ], "industries": [ "Government", "Legal", "Healthcare", "Insurance", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4147, "domain": 871, "hostname": 2194, "FileHash-MD5": 279, "FileHash-SHA1": 257, "FileHash-SHA256": 2183, "CVE": 6, "email": 3, "SSLCertFingerprint": 1 }, "indicator_count": 9941, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "110 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6920c43c3772bb24f26f70cc", "name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun", "description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.", "modified": "2025-12-21T18:01:07.268000", "created": "2025-11-21T19:57:48.145000", "tags": [ "dynamicloader", "write c", "write", "high", "yara rule", "myapp", "delphi", "worm", "win32", "error", "code", "malware", "defender", "medium", "binary file", "heavensgate", "bochs", "dynamic", "td td", "td tr", "united", "a td", "a domains", "dynamic dns", "static dns", "dd wrt", "twitter", "trojan", "trojandropper", "null", "enough", "simple", "click", "easy", "premium", "associated urls", "server response", "google safe", "results nov", "avast avg", "11.21.2025", "11.20.2025", "borland delphi", "pe32", "intel", "ms windows", "inno setup", "win32 exe", "pecompact", "delphi generic", "pe32 compiler", "dark comet", "dark gate", "glassworm", "md5 code", "data", "porkbun llc", "windows match", "getprocaddress", "peb idrdata", "match peb", "t1547", "t1059 t1112", "shared modules", "t1129", "boot", "logon autostart", "execu", "t1134 boot", "encoding", "capture e1113", "file attributes", "analysis ob0001", "b0001 software", "virtual machine", "detection b0009", "analysis ob0002", "ob0003 screen", "windows get", "check", "encode", "check internet", "wininet set", "clear file", "enumerate gui", "get hostname", "get keyboard", "set registry", "find", "capture", "url http", "consolefoundry", "console foundry", "foundry", "malware catalog tree", "autorun keys", "modification", "alexander karp", "peter theil", "christoper ahmann", "christopher pool", "mercedes", "apple", "palantir", "adversarial", "adversaries", "hostile", "quasi", "empty hash", "denver", "mal_xred_backdoor", "backdoor", "xred", "brian sabey", "first-send-petikvx", "stop", "glassworm", "elex", "darkgate", "dark-comet", "search", "entries", "show", "yara detections", "icmp traffic", "rtf file", "top source", "top destination", "format", "host", "copy", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "access att", "font", "copy md5", "copy sha1", "copy sha256", "sha1", "ascii text", "pattern match", "sha256", "mitre att", "title", "meta", "hybrid", "local", "path", "strings", "body", "contact", "trace", "form", "bitcoin", "core", "jeffrey reimer", "exe infection", "cve", "porn" ], "references": [ "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "Alerts: packer_unknown", "Malicious IP Contacted: 69.42.215.252", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "http://freedns.afraid.org/images/apple.gif", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.mumuplayer.com/redirect/customerservice/_wig", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://consolefoundry.date/one/gate.php", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453", "display_name": "Win.Trojan.Emotet-9850453", "target": null }, { "id": "Win.Trojan.BlackNetRAT-7838854-0", "display_name": "Win.Trojan.BlackNetRAT-7838854-0", "target": null }, { "id": "Win.Dropper.Nanocore-10021490-0", "display_name": "Win.Dropper.Nanocore-10021490-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Packed.Remcos-10024510-0", "display_name": "Win.Packed.Remcos-10024510-0", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "PSW:Win32/VB.CU", "display_name": "PSW:Win32/VB.CU", "target": "/malware/PSW:Win32/VB.CU" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1541", "name": "Foreground Persistence", "display_name": "T1541 - Foreground Persistence" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 460, "FileHash-SHA1": 437, "FileHash-SHA256": 4483, "SSLCertFingerprint": 2, "URL": 6487, "hostname": 1772, "domain": 652, "CVE": 3, "email": 5 }, "indicator_count": 14301, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "119 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "Malicious IP Contacted: 69.42.215.252", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS", "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "192.168.1.1 - WOW! Use your old equipment in a non - residential environment", "Alerts: packer_unknown", "IDS Detections: *D-Link Devices Home Network Administration Protocol Command Execution", "https://otx.alienvault.com/indicator/cve/CVE-2025-11727", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "https://www.pornhub.com/video/search?search=tsara+brashears", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.mumuplayer.com/redirect/customerservice/_wig", "Other Mitre ATT&CK T1480 T1553.00 T1027.013 T1057 T1069.002 T1071\tT1071.004", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "Needs researching: http://lib.jerusalem.muni.il.il \u2022 https://lib.jerusalem.muni.il.il", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c", "Alerts : dead_host nids_exploit_alert nids_malware_alert persistency_initd network_icmp", "pornlynx.com \u2022 www.pornhub.com \u2022 www.anyxxxtube.com", "Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx", "pornokind.vgt.pl \u2022 https://pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl/", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "hallplan.vm05.iveins.de", "IDS Detections: *MVPower DVR Shell UCE *Mirai Variant User-Agent (Outbound)", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://consolefoundry.date/one/gate.php", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "Powerful Exploit: https://otx.alienvault.com/indicator/file/ba32802bdd1f0b91cf8c667b94426d73ee654ba0", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Name : iveins.de Service : connect", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "https://frostty12ice.info/ \u2022 https://lawhubh.info", "http://xn.com/ \u2022 www.xn--linkedinxn-6u6e.com \u2022 http://www.linkedin-xn.com/ \u2022 www.linkedin-xn.com", "Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "IDS Detections: *WGET Command Specifying Output in HTTP Headers", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "Yara : Yara Detections : SUSP_XORed_Mozilla , Linux_MiningSoftware , is__elf", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354", "http://freedns.afraid.org/images/apple.gif", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "IDS Detections: *JAWS Webserver Unauthenticated Shell Command Execution", "Alerts : network_http_post nids_alert chmod_syscall writes_to_stdout", "Mirai Botnet - *Inbound & Outbound connection", "Alerts : tcp_syn_scan nolookup_communication network_cnc_http network_http" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "COINBASECARTEL" ], "malware_families": [ "Tofsee", "#lowfi:hstr:msil/obfuscator.deepsea", "Psw:win32/vb.cu", "Exploit:js/cve-2014-0322", "Virtool:msil/covent.a", "Win.trojan.emotet-9850453", "Worm:win32/autorun!atmn", "Kelihos", "Win.dropper.nanocore-10021490-0", "Win.trojan.blacknetrat-7838854-0", "Hacktool:win32/powersploit!rfn", "Msil:agent-dq\\ [trj]", "Unix.dropper.botnet-6566040-0", "Tulach", "Trojan:win32/pynamer!rfn", "Trojan:win32/tiggre!rfn", "Other malware", "Code overlap", "Beapy", "Virtool:msil/covent", "Win64:trojanx", "Worm:win32/mydoom.pb!mtb", "Cve-2025-11727", "Win32:malware", "Nids", "Montserrat", "Win.packed.remcos-10024510-0", "Mirai" ], "industries": [ "Education", "Government", "Healthcare", "Insurance", "Legal", "Civil society" ], "unique_indicators": 33911 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/iveins.de", "whois": "http://whois.domaintools.com/iveins.de", "domain": "iveins.de", "hostname": "rampf-group.com.vm03.iveins.de" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6935c92c5fc93fd873c6aa6d", "name": "[COINBASECARTEL] - Ransomware Victim: Cinvestav - RedPacket Security | CVE-2025-11727 (New)", "description": "Related to multiple exploits. Government Cyber Defense implications but shows as very legitimate looking masquerading. I am not positive and don\u2019t want to move to Belfast. Populated NSA [.] gov domains and subdomains (w/o no headers) lightly researched but does not assert a government identity. \n*New CVE-2025-11727", "modified": "2026-01-06T18:04:02.620000", "created": "2025-12-07T18:36:28.055000", "tags": [ "memcommit", "read c", "t1082", "cryptexportkey", "invalid pointer", "write", "msil", "malware", "media", "autorun", "countries", "united", "america", "high defense", "evasion", "t1055", "ck technique", "technique id", "allocates", "potential code", "attempts", "threatintel", "dark web", "coinbasecartel", "ransomware", "osint", "tor", "data breach", "cinvestav", "ai generated", "ransomware leak", "page", "november", "investigacin y", "nacional", "mexican", "mexico", "present nov", "verdana", "td tr", "passive dns", "ip address", "urls", "aaaa", "present may", "present oct", "present jul", "virtool", "present sep", "present jun", "win32", "default", "unicode", "png image", "rgba", "high", "dock", "execution", "xport", "unknown", "data upload", "extraction", "will", "data", "name cloudflare", "hostmaster name", "org cloudflare", "townsend st", "city san", "us creation", "kelihos", "ipv4", "present dec", "files", "domain", "search", "hostname", "verdict", "location united", "asn as16625", "akamai", "urls show", "date checked", "url hostname", "server response", "google safe", "results nov", "present aug", "backdoor", "msie", "chrome", "trojan", "mtb aug", "worm", "cryp", "junkpoly", "twitter", "trojandropper", "title", "germany unknown", "ipv4 add", "pulse pulses", "hosting", "reverse dns", "cologne", "search engine", "gse compromised", "redacted for", "privacy admin", "privacy tech", "server", "organization", "street", "city", "stateprovince", "postal code", "country", "resolver domain", "cape sa", "virustot", "type pdf", "name", "lookups", "email abuse", "historical ssl", "certificates", "first", "graph summary", "cname", "address", "ip2location", "bogon ip", "admin", "network", "wifi password", "ssid", "demo", "details", "failed", "include review", "exclude sugges", "onlv", "x try", "find s", "typ url", "url data", "severity att", "module load", "icmp traffic", "dns query", "t1055 jseval", "windows nt", "port", "entries", "destination", "medium", "show", "pecompact", "june", "service", "next", "xserver", "encrypt", "t1129", "windows module", "dlls", "convention", "windows native" ], "references": [ "Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS", "Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "hallplan.vm05.iveins.de", "https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c", "Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx", "Name : iveins.de Service : connect", "https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com", "phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com", "https://otx.alienvault.com/indicator/cve/CVE-2025-11727" ], "public": 1, "adversary": "COINBASECARTEL", "targeted_countries": [ "United States of America", "Sweden", "Bangladesh", "Japan" ], "malware_families": [ { "id": "Trojan:Win32/Tiggre!rfn", "display_name": "Trojan:Win32/Tiggre!rfn", "target": "/malware/Trojan:Win32/Tiggre!rfn" }, { "id": "MSIL:Agent-DQ\\ [Trj]", "display_name": "MSIL:Agent-DQ\\ [Trj]", "target": null }, { "id": "VirTool:MSIL/Covent.A", "display_name": "VirTool:MSIL/Covent.A", "target": "/malware/VirTool:MSIL/Covent.A" }, { "id": "Trojan:Win32/Pynamer!rfn", "display_name": "Trojan:Win32/Pynamer!rfn", "target": "/malware/Trojan:Win32/Pynamer!rfn" }, { "id": "Win64:TrojanX", "display_name": "Win64:TrojanX", "target": null }, { "id": "VirTool:MSIL/Covent", "display_name": "VirTool:MSIL/Covent", "target": "/malware/VirTool:MSIL/Covent" }, { "id": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea", "display_name": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "Kelihos", "display_name": "Kelihos", "target": null }, { "id": "CVE-2025-11727", "display_name": "CVE-2025-11727", "target": null }, { "id": "Exploit:JS/CVE-2014-0322", "display_name": "Exploit:JS/CVE-2014-0322", "target": "/malware/Exploit:JS/CVE-2014-0322" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" } ], "industries": [ "Education" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 117, "FileHash-SHA256": 1746, "URL": 5018, "hostname": 1827, "domain": 1072, "CVE": 3, "email": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9938, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "103 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692cb6dc24da17618e3d9da6", "name": "Mirai Botnet | HackTool Powershell targets LinkedIn User | 192.168.1.1 \u2022 Remote Inbound Outbound Connection", "description": "Linux Malware - LinkedIn- True Mirai Botnet (192.168.1.1) (Never Connect) Incredibly powerful attack targeting LinkedIn users. In this instance the target is an ex husband of a target. |\nNDO Group relationships seen. This is a Botnet. \n\nMay be \u2018framing\u2019 attack that was launched in 2014. Attackers sent a clear message to target that she + husband would be arrested and charged with possession of 1000\u2019s of \u2018child pornography\u2019 pictures. \n\nAttack 10/10 malicious. Worked from separate system in separate location. Hackers unlocked a device, zero clicks, removed PSW. Tulach malware seen a profile \u2018Michael Robert\u2019s of Rexxfield\u2019 may be entity (NSA) with a face like Tulach. Uses the most WILD compromises. Government contractors? \n\nSame attackers brought down Prudentials \u2018Assurance\u2019 Medicare system forever.\n ESET hackers only allowing \u2018bad traffic\u2019 .", "modified": "2025-12-30T19:04:40.430000", "created": "2025-11-30T21:27:56.239000", "tags": [ "enter", "extract", "enter source", "urls", "address", "remote connect", "private ip", "sql", "inject", "montserrat", "script urls", "germany unknown", "xml title", "wiesinger", "style", "ip address", "script domains", "body doctype", "encrypt", "botnet", "dropper", "unix", "resolverror", "et exploit", "outbound", "mirai variant", "useragent", "inbound", "et trojan", "et webserver", "scan mirai", "hello", "execution", "mirai", "malware", "shell", "nids", "ids detections", "wget command", "http headers", "dlink devices", "home network", "mvpower dvr", "shell uce", "mirai elf", "linux malware", "is__elf", "cnc", "meta http", "content", "gmt server", "files", "reverse dns", "germany", "ismaning", "germany asn", "as5539 spacenet", "germany https", "auto generated security (?)", "redacted for", "name servers", "aaaa", "search", "for privacy", "title", "intel", "ms windows", "pe32", "process32nextw", "write c", "mssql port", "hash", "beapy", "bit32bit", "agent", "write", "hacktool", "win32", "next", "suspicious user", "pybeapy cnc", "checkin", "w32beapy cnc", "beacon", "module load", "external ip", "lookup", "home assistant", "intptr", "uint32", "type", "parameter", "oldprotectflag", "mandatory", "throw", "position", "lkshkdandl", "success", "info", "powershell", "null", "error", "date hash", "next yara", "detections name", "medium", "graph tree", "sample", "sample hash", "exec bypass", "c ipconfig", "world", "jaws webserver", "chmod usage", "strings", "extraction", "data upload", "extre", "include data", "hos hos", "y se", "sugges", "find s", "typ hos", "hos data", "hos hostname", "hos host", "extr data", "tethering", "tulach", "114.114.114.114", "passive dns", "pulse pulses", "http", "related nids", "files location", "united", "flag united", "files domain", "next associated", "ipv4 add", "delphi", "read c", "packing t1045", "t1045", "worm", "code", "june", "irc nick command", "irc", "meta", "status", "record value", "unknown aaaa", "expiration", "url http", "indicator role", "pulses url", "no expiration", "url https", "url url", "o url", "request review", "hosting", "unknown", "medium security", "extra data", "failed", "linkedin", "url add", "ireland flag", "ireland", "dublin", "ireland asn", "as16509", "spyware", "nso", "nso group", "pegasus related", "nso related", "framing", "porn", "python", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "apple", "192.168.1.1", "law", "attorney" ], "references": [ "192.168.1.1 - WOW! Use your old equipment in a non - residential environment", "http://xn.com/ \u2022 www.xn--linkedinxn-6u6e.com \u2022 http://www.linkedin-xn.com/ \u2022 www.linkedin-xn.com", "Powerful Exploit: https://otx.alienvault.com/indicator/file/ba32802bdd1f0b91cf8c667b94426d73ee654ba0", "Mirai Botnet - *Inbound & Outbound connection", "IDS Detections: *WGET Command Specifying Output in HTTP Headers", "IDS Detections: *D-Link Devices Home Network Administration Protocol Command Execution", "IDS Detections: *JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: *MVPower DVR Shell UCE *Mirai Variant User-Agent (Outbound)", "Yara : Yara Detections : SUSP_XORed_Mozilla , Linux_MiningSoftware , is__elf", "Alerts : dead_host nids_exploit_alert nids_malware_alert persistency_initd network_icmp", "Alerts : tcp_syn_scan nolookup_communication network_cnc_http network_http", "Alerts : network_http_post nids_alert chmod_syscall writes_to_stdout", "Other Mitre ATT&CK T1480 T1553.00 T1027.013 T1057 T1069.002 T1071\tT1071.004", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/video/search?search=tsara+brashears", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "pornokind.vgt.pl \u2022 https://pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl/", "pornlynx.com \u2022 www.pornhub.com \u2022 www.anyxxxtube.com", "https://frostty12ice.info/ \u2022 https://lawhubh.info", "Needs researching: http://lib.jerusalem.muni.il.il \u2022 https://lib.jerusalem.muni.il.il" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unix.Dropper.Botnet-6566040-0", "display_name": "Unix.Dropper.Botnet-6566040-0", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Montserrat", "display_name": "Montserrat", "target": null }, { "id": "Beapy", "display_name": "Beapy", "target": null }, { "id": "HackTool:Win32/PowerSploit!rfn", "display_name": "HackTool:Win32/PowerSploit!rfn", "target": "/malware/HackTool:Win32/PowerSploit!rfn" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Worm:Win32/Mydoom.PB!MTB", "display_name": "Worm:Win32/Mydoom.PB!MTB", "target": "/malware/Worm:Win32/Mydoom.PB!MTB" } ], "attack_ids": [ { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0036", "name": "Exfiltration", "display_name": "TA0036 - Exfiltration" }, { "id": "TA0039", "name": "Remote Service Effects", "display_name": "TA0039 - Remote Service Effects" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" } ], "industries": [ "Government", "Legal", "Healthcare", "Insurance", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4147, "domain": 871, "hostname": 2194, "FileHash-MD5": 279, "FileHash-SHA1": 257, "FileHash-SHA256": 2183, "CVE": 6, "email": 3, "SSLCertFingerprint": 1 }, "indicator_count": 9941, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "110 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6920c43c3772bb24f26f70cc", "name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun", "description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.", "modified": "2025-12-21T18:01:07.268000", "created": "2025-11-21T19:57:48.145000", "tags": [ "dynamicloader", "write c", "write", "high", "yara rule", "myapp", "delphi", "worm", "win32", "error", "code", "malware", "defender", "medium", "binary file", "heavensgate", "bochs", "dynamic", "td td", "td tr", "united", "a td", "a domains", "dynamic dns", "static dns", "dd wrt", "twitter", "trojan", "trojandropper", "null", "enough", "simple", "click", "easy", "premium", "associated urls", "server response", "google safe", "results nov", "avast avg", "11.21.2025", "11.20.2025", "borland delphi", "pe32", "intel", "ms windows", "inno setup", "win32 exe", "pecompact", "delphi generic", "pe32 compiler", "dark comet", "dark gate", "glassworm", "md5 code", "data", "porkbun llc", "windows match", "getprocaddress", "peb idrdata", "match peb", "t1547", "t1059 t1112", "shared modules", "t1129", "boot", "logon autostart", "execu", "t1134 boot", "encoding", "capture e1113", "file attributes", "analysis ob0001", "b0001 software", "virtual machine", "detection b0009", "analysis ob0002", "ob0003 screen", "windows get", "check", "encode", "check internet", "wininet set", "clear file", "enumerate gui", "get hostname", "get keyboard", "set registry", "find", "capture", "url http", "consolefoundry", "console foundry", "foundry", "malware catalog tree", "autorun keys", "modification", "alexander karp", "peter theil", "christoper ahmann", "christopher pool", "mercedes", "apple", "palantir", "adversarial", "adversaries", "hostile", "quasi", "empty hash", "denver", "mal_xred_backdoor", "backdoor", "xred", "brian sabey", "first-send-petikvx", "stop", "glassworm", "elex", "darkgate", "dark-comet", "search", "entries", "show", "yara detections", "icmp traffic", "rtf file", "top source", "top destination", "format", "host", "copy", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "access att", "font", "copy md5", "copy sha1", "copy sha256", "sha1", "ascii text", "pattern match", "sha256", "mitre att", "title", "meta", "hybrid", "local", "path", "strings", "body", "contact", "trace", "form", "bitcoin", "core", "jeffrey reimer", "exe infection", "cve", "porn" ], "references": [ "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "Alerts: packer_unknown", "Malicious IP Contacted: 69.42.215.252", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "http://freedns.afraid.org/images/apple.gif", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.mumuplayer.com/redirect/customerservice/_wig", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://consolefoundry.date/one/gate.php", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453", "display_name": "Win.Trojan.Emotet-9850453", "target": null }, { "id": "Win.Trojan.BlackNetRAT-7838854-0", "display_name": "Win.Trojan.BlackNetRAT-7838854-0", "target": null }, { "id": "Win.Dropper.Nanocore-10021490-0", "display_name": "Win.Dropper.Nanocore-10021490-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Packed.Remcos-10024510-0", "display_name": "Win.Packed.Remcos-10024510-0", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "PSW:Win32/VB.CU", "display_name": "PSW:Win32/VB.CU", "target": "/malware/PSW:Win32/VB.CU" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1541", "name": "Foreground Persistence", "display_name": "T1541 - Foreground Persistence" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 460, "FileHash-SHA1": 437, "FileHash-SHA256": 4483, "SSLCertFingerprint": 2, "URL": 6487, "hostname": 1772, "domain": 652, "CVE": 3, "email": 5 }, "indicator_count": 14301, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "119 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://rampf-group.com.vm03.iveins.de/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://rampf-group.com.vm03.iveins.de/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776636765.47772 }