{ "type": "URL", "indicator": "https://rdap.db.ripe.net/entity/MICROSOFT-MAINT", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://rdap.db.ripe.net/entity/MICROSOFT-MAINT", "type": "url", "type_title": "URL", "validation": [ { "source": "whitelist", "message": "Whitelisted domain ripe.net", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain ripe.net", "name": "Whitelisted domain" } ], "base_indicator": { "id": 4227744662, "indicator": "https://rdap.db.ripe.net/entity/MICROSOFT-MAINT", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-05-31T01:02:14", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2813, "FileHash-SHA1": 2576, "FileHash-SHA256": 8145, "domain": 1903, "hostname": 1502, "URL": 1359, "email": 46, "CVE": 54, "CIDR": 3, "YARA": 7, "JA3": 1, "IPv4": 11 }, "indicator_count": 18420, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "10 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0f9a099247c8bf12f41f37", "name": "Dr Watson User Agent - the wizard8 peering #stalkerware", "description": "Microsoft has created its own \"cloud\" for the internet, which can be accessed from the firm's servers in Redmond, Washington, and is being used to connect to the rest of the world", "modified": "2026-05-22T00:22:04.450000", "created": "2026-05-21T23:49:29.146000", "tags": [ "assigned pa", "date", "peering", "dns address", "microsoft way", "redmond", "divya quamara", "algorithm", "ocsp", "key identifier", "x509v3 subject", "v3 serial", "number", "cus omicrosoft", "tls g2", "rsa ca", "validity", "handle", "address range", "cidr", "network name", "allocation type", "status", "whois server", "ripe", "filtered person" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "URL": 283, "FileHash-SHA1": 16, "FileHash-SHA256": 34, "IPv4": 171, "hostname": 171, "email": 4, "domain": 134, "URI": 2, "IPv6": 21, "Mutex": 2, "FileHash-MD5": 17 }, "indicator_count": 856, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0f9a094c57bbbdd617d532", "name": "Dr Watson User Agent - the wizard8 peering #stalkerware", "description": "Microsoft has created its own \"cloud\" for the internet, which can be accessed from the firm's servers in Redmond, Washington, and is being used to connect to the rest of the world", "modified": "2026-05-21T23:49:29.506000", "created": "2026-05-21T23:49:29.506000", "tags": [ "assigned pa", "date", "peering", "dns address", "microsoft way", "redmond", "divya quamara", "algorithm", "ocsp", "key identifier", "x509v3 subject", "v3 serial", "number", "cus omicrosoft", "tls g2", "rsa ca", "validity", "handle", "address range", "cidr", "network name", "allocation type", "status", "whois server", "ripe", "filtered person" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "URL": 18, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "IPv4": 5, "hostname": 9 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0e936ce3f3ebd4b76fee29", "name": "MAV-en * VirusTotal report for setup-maven-master.zip", "description": "[The full text of the statement on the subject of human rights, as compiled by BBC Radio 4's Panorama, will be published on Wednesday, 27 March.. and will appear on BBC iPlayer]usernotificationsd, \"freeze_skip_reason:\" : \"none\",\n \"pid\" : 851,\n \"cpuTime\" : 0.52999799999999997,\n \"name\" : \"HeuristicInterpreter\",\n country_code\":\"US\",\"agent\":\"parsecd\\/1 (iPhone17,4; iPhone OS 26.3.1 23D8133) parsecd\\/", "modified": "2026-05-21T23:45:08.365000", "created": "2026-05-21T05:09:00.942000", "tags": [ "file type", "ascii", "ascii text", "java source", "json", "unicode text", "utf8 text", "c source", "sgml document", "creates", "persistence", "malicious", "next", "windows sandbox", "calls clear", "png image", "svg scalable", "vector graphics", "rgba", "crlf line", "ms windows", "title", "installer", "template", "pcx ver", "code helper", "helper", "plugin", "renderer", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "screnshots", "mitre attack", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "zip archive" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339747&Signature=R%2FOTx2wxfF3MkMsUAEbX76dOSFXtiY%2BBtXR6Kl7PxVGTXaylNjmhXaxofJAQ0RP2z7ICeXit4nmXky1HIQZnPX74ZyD16ICTt3%2BAXA6yZSU%2Fw%2Fks9M2Ju1xi3m8IMloiUH7Z9Le5L5Mlfrw5QO4ZO%2FgDHG3ATHUk0qk%2BFUT2gsjT8jS6aztZHjZo4xVQLlmmwWY2%2F8%2FKZejJlFptwLfMZEA%2BDW1ZbssKpkNsXZGu69SkdNPO9c", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339770&Signature=tPgwja3MWoODqbVlxhsock2mBa1WfALhB00A%2FSu4klEizmiV6VxM5y6vH%2FGm%2FFf67mLtz5mR6Mt17RKGQUPK11iYmQax86WhcCuxTpR0mDpo12tG4HAI5ht8qM4xgOQcjspEhBgsXPDvw2Np7e9trD0l8MytxvCqOuA7DVNdiUL2xvLNXAG1yCptFpvqyZo7kokLxp4RwsvDJuOrH8%2FGrNAOjdaHFQ8FWGhgkhyO6Q767Szi", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339792&Signature=O6r4LzVdjNFj7wZVT%2B0a4%2BGemB4yEqip9waMS7NlonESXy80tfqV33UBqEEp8i%2B2qOg6S%2Ba4cSwzi3nXOtjSaUaFAI43DmvSsxq5Y5WsA8cMb4Ul6FhGON6Cr0JT1xoEMtACmSdxG8Vo%2Be4PVcu93v6CBeWMZnFb8exU8ku4GUDY8ZEFW%2FJqeu266wn59KD9gFKRwlqx3NuRzMLdwqMA7f9o6QLPcM8WWnB%2BkvJVFk3BnxJAfBn7T2JO", "https://vtbehaviour.commondatastorage.googleapis.com/f839e941d0d2b6d9c5d6fd9b8b9ea9d34629182973bb9cc8af28e1e3ccdbbdd4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339838&Signature=GgSFM3a3czj9g63hY67%2B%2FAyC%2FcGgMmTIqhErAonJ7vV9C8snHKwK0GtHZ6drm%2Fd%2BKaMonYJwSmh1LrRzYF9toBJc5rBwpR%2BPlsrS9EArViMI%2Bd%2Fb8ZZBHgqFsmCiiSWfzz4kIQRPM0RB4osCHqQxKmGW2i1uyWrytYjA4V%2FZREm1%2Bm2EEWx38PebvBFrM9pMznjF6rghFHp8ls6tzuolbXD4WUfR0OSoXjcAaAgihobJ%2FmOd", "https://vtbehaviour.commondatastorage.googleapis.com/e2f820daf9f578d5f3219ae8b3c6391017badf913a68c4aaac4e52c5155c566f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339867&Signature=l%2F%2BDGW7ZLqIfVvi1NOyg4%2FCgXPJBdSweWglJKW7iMb5GfnK0pX4yYYVL3OKkqrzAbMUcR2fqLUXHJfnMwSKBhQxjGR8LGF1nh7TeXxVGIQVh8kAyEZBCuXNHsZfzxR0zVbZfKAIEvC9D8S2%2FwBmpI6xztHiC7vmaJ5OhJD%2BoPDojRqXH2bmBpCz1XTZd7JphPNXRIbefZL4mR%2FrRe7o8WO2JHylOy9rIodNKKPEv5W9Q54%2BaA%2FG926", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339948&Signature=JA8BamPMfn7P8xM9CTv8ndNuaNtng0n%2Btofwj05768pJwsCB6Mgd6GU18%2BpNjCvwwZg%2F%2Bw0a2xOYIsvuqdDQAFzoO3jl3EUYKu7dPoOelD2NPrIcyCAHc8qKhqpPdjZKpo%2B8AJCxvO13OXHoSh94%2B%2Bht9h6mIJs8y7YO2CUo%2FqlV8M0fa5Px90aErgl%2BarD7%2ByQWlt0QD2caFKl%2BHViTViTx", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779340034&Signature=tbq82yoC%2BAKXaH%2F2XjmRWiAbt911K91ltP8zHTYrstzi0i1UKrzJxM48ky9ypV%2B%2FvrYdgBnaOfI9MzgZH0C%2FOFJUaVJ3WB87ULkjglD%2F6GeEDDcPtDX%2BY6aw2%2Bb8WaJU2xLc%2F9JbwoTbPP0n83pJv1qe0KLqckLIjEN4iREH1zU%2FldO5TBRicvB%2BxjeAxpPFZnjNZmyFl%2FNHbavuuvRc%2FMNR0DbjnriB2Mub" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 90, "FileHash-SHA256": 1997, "IPv4": 49, "domain": 34, "hostname": 124, "URL": 429, "URI": 1, "CIDR": 16 }, "indicator_count": 2944, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a185462e3c17c346bcdf79", "name": "The Trans-Pacific Mesh & Starfield Pipeline Subversion", "description": "The September 26, 2025, shadow renewal and the May 2, 2025, certificate issuance (925a10) confirm an advanced architectural alignment targeting the Hillsboro \"Silicon Forest\" ring and the TallComponents (.NET) document pipeline. By nesting an unauthorized clientAuth extension within a legitimate Starfield (Mesh Digital) signature, the operative successfully bridged the gap between web traffic and hardware-level telematics.\nThis campaign weaponized the 159,942 Majestic Trust Flow to validate a Serial 1 SOA shadow zone, neutralizing filters while executing ASP.NET Core (Kestrel) request smuggling via the 13.32.205.51 node. This subversion is evidenced by the 60-second TTL oscillation of 3.169.202.x clusters, creating a detectable \"fast-flux\" latency at the HIO52 (Hillsboro) edge. Finally, the Mesh Digital registrant pivot to hex-encoded 34326... and 1f8f41... identifiers secures the Tallfield Pipeline\u2014a hijacked Azure-hosted backend for identity packaging of Amex and UGA credentials.", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-27T11:51:34.696000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 710, "URL": 355, "hostname": 252, "CVE": 4, "CIDR": 6, "FileHash-MD5": 615, "FileHash-SHA1": 585, "email": 21, "FileHash-SHA256": 4316, "SSLCertFingerprint": 2 }, "indicator_count": 6866, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f839e941d0d2b6d9c5d6fd9b8b9ea9d34629182973bb9cc8af28e1e3ccdbbdd4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339838&Signature=GgSFM3a3czj9g63hY67%2B%2FAyC%2FcGgMmTIqhErAonJ7vV9C8snHKwK0GtHZ6drm%2Fd%2BKaMonYJwSmh1LrRzYF9toBJc5rBwpR%2BPlsrS9EArViMI%2Bd%2Fb8ZZBHgqFsmCiiSWfzz4kIQRPM0RB4osCHqQxKmGW2i1uyWrytYjA4V%2FZREm1%2Bm2EEWx38PebvBFrM9pMznjF6rghFHp8ls6tzuolbXD4WUfR0OSoXjcAaAgihobJ%2FmOd", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339770&Signature=tPgwja3MWoODqbVlxhsock2mBa1WfALhB00A%2FSu4klEizmiV6VxM5y6vH%2FGm%2FFf67mLtz5mR6Mt17RKGQUPK11iYmQax86WhcCuxTpR0mDpo12tG4HAI5ht8qM4xgOQcjspEhBgsXPDvw2Np7e9trD0l8MytxvCqOuA7DVNdiUL2xvLNXAG1yCptFpvqyZo7kokLxp4RwsvDJuOrH8%2FGrNAOjdaHFQ8FWGhgkhyO6Q767Szi", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339747&Signature=R%2FOTx2wxfF3MkMsUAEbX76dOSFXtiY%2BBtXR6Kl7PxVGTXaylNjmhXaxofJAQ0RP2z7ICeXit4nmXky1HIQZnPX74ZyD16ICTt3%2BAXA6yZSU%2Fw%2Fks9M2Ju1xi3m8IMloiUH7Z9Le5L5Mlfrw5QO4ZO%2FgDHG3ATHUk0qk%2BFUT2gsjT8jS6aztZHjZo4xVQLlmmwWY2%2F8%2FKZejJlFptwLfMZEA%2BDW1ZbssKpkNsXZGu69SkdNPO9c", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339792&Signature=O6r4LzVdjNFj7wZVT%2B0a4%2BGemB4yEqip9waMS7NlonESXy80tfqV33UBqEEp8i%2B2qOg6S%2Ba4cSwzi3nXOtjSaUaFAI43DmvSsxq5Y5WsA8cMb4Ul6FhGON6Cr0JT1xoEMtACmSdxG8Vo%2Be4PVcu93v6CBeWMZnFb8exU8ku4GUDY8ZEFW%2FJqeu266wn59KD9gFKRwlqx3NuRzMLdwqMA7f9o6QLPcM8WWnB%2BkvJVFk3BnxJAfBn7T2JO", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779340034&Signature=tbq82yoC%2BAKXaH%2F2XjmRWiAbt911K91ltP8zHTYrstzi0i1UKrzJxM48ky9ypV%2B%2FvrYdgBnaOfI9MzgZH0C%2FOFJUaVJ3WB87ULkjglD%2F6GeEDDcPtDX%2BY6aw2%2Bb8WaJU2xLc%2F9JbwoTbPP0n83pJv1qe0KLqckLIjEN4iREH1zU%2FldO5TBRicvB%2BxjeAxpPFZnjNZmyFl%2FNHbavuuvRc%2FMNR0DbjnriB2Mub", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339948&Signature=JA8BamPMfn7P8xM9CTv8ndNuaNtng0n%2Btofwj05768pJwsCB6Mgd6GU18%2BpNjCvwwZg%2F%2Bw0a2xOYIsvuqdDQAFzoO3jl3EUYKu7dPoOelD2NPrIcyCAHc8qKhqpPdjZKpo%2B8AJCxvO13OXHoSh94%2B%2Bht9h6mIJs8y7YO2CUo%2FqlV8M0fa5Px90aErgl%2BarD7%2ByQWlt0QD2caFKl%2BHViTViTx", "https://vtbehaviour.commondatastorage.googleapis.com/e2f820daf9f578d5f3219ae8b3c6391017badf913a68c4aaac4e52c5155c566f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339867&Signature=l%2F%2BDGW7ZLqIfVvi1NOyg4%2FCgXPJBdSweWglJKW7iMb5GfnK0pX4yYYVL3OKkqrzAbMUcR2fqLUXHJfnMwSKBhQxjGR8LGF1nh7TeXxVGIQVh8kAyEZBCuXNHsZfzxR0zVbZfKAIEvC9D8S2%2FwBmpI6xztHiC7vmaJ5OhJD%2BoPDojRqXH2bmBpCz1XTZd7JphPNXRIbefZL4mR%2FrRe7o8WO2JHylOy9rIodNKKPEv5W9Q54%2BaA%2FG926" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 19792 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/ripe.net", "whois": "http://whois.domaintools.com/ripe.net", "domain": "ripe.net", "hostname": "rdap.db.ripe.net" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-05-31T01:02:14", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2813, "FileHash-SHA1": 2576, "FileHash-SHA256": 8145, "domain": 1903, "hostname": 1502, "URL": 1359, "email": 46, "CVE": 54, "CIDR": 3, "YARA": 7, "JA3": 1, "IPv4": 11 }, "indicator_count": 18420, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "10 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0f9a099247c8bf12f41f37", "name": "Dr Watson User Agent - the wizard8 peering #stalkerware", "description": "Microsoft has created its own \"cloud\" for the internet, which can be accessed from the firm's servers in Redmond, Washington, and is being used to connect to the rest of the world", "modified": "2026-05-22T00:22:04.450000", "created": "2026-05-21T23:49:29.146000", "tags": [ "assigned pa", "date", "peering", "dns address", "microsoft way", "redmond", "divya quamara", "algorithm", "ocsp", "key identifier", "x509v3 subject", "v3 serial", "number", "cus omicrosoft", "tls g2", "rsa ca", "validity", "handle", "address range", "cidr", "network name", "allocation type", "status", "whois server", "ripe", "filtered person" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "URL": 283, "FileHash-SHA1": 16, "FileHash-SHA256": 34, "IPv4": 171, "hostname": 171, "email": 4, "domain": 134, "URI": 2, "IPv6": 21, "Mutex": 2, "FileHash-MD5": 17 }, "indicator_count": 856, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0f9a094c57bbbdd617d532", "name": "Dr Watson User Agent - the wizard8 peering #stalkerware", "description": "Microsoft has created its own \"cloud\" for the internet, which can be accessed from the firm's servers in Redmond, Washington, and is being used to connect to the rest of the world", "modified": "2026-05-21T23:49:29.506000", "created": "2026-05-21T23:49:29.506000", "tags": [ "assigned pa", "date", "peering", "dns address", "microsoft way", "redmond", "divya quamara", "algorithm", "ocsp", "key identifier", "x509v3 subject", "v3 serial", "number", "cus omicrosoft", "tls g2", "rsa ca", "validity", "handle", "address range", "cidr", "network name", "allocation type", "status", "whois server", "ripe", "filtered person" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "URL": 18, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "IPv4": 5, "hostname": 9 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0e936ce3f3ebd4b76fee29", "name": "MAV-en * VirusTotal report for setup-maven-master.zip", "description": "[The full text of the statement on the subject of human rights, as compiled by BBC Radio 4's Panorama, will be published on Wednesday, 27 March.. and will appear on BBC iPlayer]usernotificationsd, \"freeze_skip_reason:\" : \"none\",\n \"pid\" : 851,\n \"cpuTime\" : 0.52999799999999997,\n \"name\" : \"HeuristicInterpreter\",\n country_code\":\"US\",\"agent\":\"parsecd\\/1 (iPhone17,4; iPhone OS 26.3.1 23D8133) parsecd\\/", "modified": "2026-05-21T23:45:08.365000", "created": "2026-05-21T05:09:00.942000", "tags": [ "file type", "ascii", "ascii text", "java source", "json", "unicode text", "utf8 text", "c source", "sgml document", "creates", "persistence", "malicious", "next", "windows sandbox", "calls clear", "png image", "svg scalable", "vector graphics", "rgba", "crlf line", "ms windows", "title", "installer", "template", "pcx ver", "code helper", "helper", "plugin", "renderer", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "screnshots", "mitre attack", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "zip archive" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339747&Signature=R%2FOTx2wxfF3MkMsUAEbX76dOSFXtiY%2BBtXR6Kl7PxVGTXaylNjmhXaxofJAQ0RP2z7ICeXit4nmXky1HIQZnPX74ZyD16ICTt3%2BAXA6yZSU%2Fw%2Fks9M2Ju1xi3m8IMloiUH7Z9Le5L5Mlfrw5QO4ZO%2FgDHG3ATHUk0qk%2BFUT2gsjT8jS6aztZHjZo4xVQLlmmwWY2%2F8%2FKZejJlFptwLfMZEA%2BDW1ZbssKpkNsXZGu69SkdNPO9c", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339770&Signature=tPgwja3MWoODqbVlxhsock2mBa1WfALhB00A%2FSu4klEizmiV6VxM5y6vH%2FGm%2FFf67mLtz5mR6Mt17RKGQUPK11iYmQax86WhcCuxTpR0mDpo12tG4HAI5ht8qM4xgOQcjspEhBgsXPDvw2Np7e9trD0l8MytxvCqOuA7DVNdiUL2xvLNXAG1yCptFpvqyZo7kokLxp4RwsvDJuOrH8%2FGrNAOjdaHFQ8FWGhgkhyO6Q767Szi", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339792&Signature=O6r4LzVdjNFj7wZVT%2B0a4%2BGemB4yEqip9waMS7NlonESXy80tfqV33UBqEEp8i%2B2qOg6S%2Ba4cSwzi3nXOtjSaUaFAI43DmvSsxq5Y5WsA8cMb4Ul6FhGON6Cr0JT1xoEMtACmSdxG8Vo%2Be4PVcu93v6CBeWMZnFb8exU8ku4GUDY8ZEFW%2FJqeu266wn59KD9gFKRwlqx3NuRzMLdwqMA7f9o6QLPcM8WWnB%2BkvJVFk3BnxJAfBn7T2JO", "https://vtbehaviour.commondatastorage.googleapis.com/f839e941d0d2b6d9c5d6fd9b8b9ea9d34629182973bb9cc8af28e1e3ccdbbdd4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339838&Signature=GgSFM3a3czj9g63hY67%2B%2FAyC%2FcGgMmTIqhErAonJ7vV9C8snHKwK0GtHZ6drm%2Fd%2BKaMonYJwSmh1LrRzYF9toBJc5rBwpR%2BPlsrS9EArViMI%2Bd%2Fb8ZZBHgqFsmCiiSWfzz4kIQRPM0RB4osCHqQxKmGW2i1uyWrytYjA4V%2FZREm1%2Bm2EEWx38PebvBFrM9pMznjF6rghFHp8ls6tzuolbXD4WUfR0OSoXjcAaAgihobJ%2FmOd", "https://vtbehaviour.commondatastorage.googleapis.com/e2f820daf9f578d5f3219ae8b3c6391017badf913a68c4aaac4e52c5155c566f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339867&Signature=l%2F%2BDGW7ZLqIfVvi1NOyg4%2FCgXPJBdSweWglJKW7iMb5GfnK0pX4yYYVL3OKkqrzAbMUcR2fqLUXHJfnMwSKBhQxjGR8LGF1nh7TeXxVGIQVh8kAyEZBCuXNHsZfzxR0zVbZfKAIEvC9D8S2%2FwBmpI6xztHiC7vmaJ5OhJD%2BoPDojRqXH2bmBpCz1XTZd7JphPNXRIbefZL4mR%2FrRe7o8WO2JHylOy9rIodNKKPEv5W9Q54%2BaA%2FG926", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339948&Signature=JA8BamPMfn7P8xM9CTv8ndNuaNtng0n%2Btofwj05768pJwsCB6Mgd6GU18%2BpNjCvwwZg%2F%2Bw0a2xOYIsvuqdDQAFzoO3jl3EUYKu7dPoOelD2NPrIcyCAHc8qKhqpPdjZKpo%2B8AJCxvO13OXHoSh94%2B%2Bht9h6mIJs8y7YO2CUo%2FqlV8M0fa5Px90aErgl%2BarD7%2ByQWlt0QD2caFKl%2BHViTViTx", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779340034&Signature=tbq82yoC%2BAKXaH%2F2XjmRWiAbt911K91ltP8zHTYrstzi0i1UKrzJxM48ky9ypV%2B%2FvrYdgBnaOfI9MzgZH0C%2FOFJUaVJ3WB87ULkjglD%2F6GeEDDcPtDX%2BY6aw2%2Bb8WaJU2xLc%2F9JbwoTbPP0n83pJv1qe0KLqckLIjEN4iREH1zU%2FldO5TBRicvB%2BxjeAxpPFZnjNZmyFl%2FNHbavuuvRc%2FMNR0DbjnriB2Mub" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 90, "FileHash-SHA256": 1997, "IPv4": 49, "domain": 34, "hostname": 124, "URL": 429, "URI": 1, "CIDR": 16 }, "indicator_count": 2944, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a185462e3c17c346bcdf79", "name": "The Trans-Pacific Mesh & Starfield Pipeline Subversion", "description": "The September 26, 2025, shadow renewal and the May 2, 2025, certificate issuance (925a10) confirm an advanced architectural alignment targeting the Hillsboro \"Silicon Forest\" ring and the TallComponents (.NET) document pipeline. By nesting an unauthorized clientAuth extension within a legitimate Starfield (Mesh Digital) signature, the operative successfully bridged the gap between web traffic and hardware-level telematics.\nThis campaign weaponized the 159,942 Majestic Trust Flow to validate a Serial 1 SOA shadow zone, neutralizing filters while executing ASP.NET Core (Kestrel) request smuggling via the 13.32.205.51 node. This subversion is evidenced by the 60-second TTL oscillation of 3.169.202.x clusters, creating a detectable \"fast-flux\" latency at the HIO52 (Hillsboro) edge. Finally, the Mesh Digital registrant pivot to hex-encoded 34326... and 1f8f41... identifiers secures the Tallfield Pipeline\u2014a hijacked Azure-hosted backend for identity packaging of Amex and UGA credentials.", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-27T11:51:34.696000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 710, "URL": 355, "hostname": 252, "CVE": 4, "CIDR": 6, "FileHash-MD5": 615, "FileHash-SHA1": 585, "email": 21, "FileHash-SHA256": 4316, "SSLCertFingerprint": 2 }, "indicator_count": 6866, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://rdap.db.ripe.net/entity/MICROSOFT-MAINT", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://rdap.db.ripe.net/entity/MICROSOFT-MAINT", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780226769.1724784 }