{ "type": "URL", "indicator": "https://rdap.db.ripe.net/entity/MNT-NETERRA", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://rdap.db.ripe.net/entity/MNT-NETERRA", "type": "url", "type_title": "URL", "validation": [ { "source": "whitelist", "message": "Whitelisted domain ripe.net", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain ripe.net", "name": "Whitelisted domain" } ], "base_indicator": { "id": 4299360307, "indicator": "https://rdap.db.ripe.net/entity/MNT-NETERRA", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69d5859750dfad7fe7989ef4", "name": "Apple / Cloud/ Data Network within Zergeca / Zerg Botnet \u2022 MacSync_AppleScript_Stealer", "description": "", "modified": "2026-05-07T21:06:09.549000", "created": "2026-04-07T22:30:47.312000", "tags": [ "added active", "related pulses", "found", "zergeca botnet", "zergeca", "upx packer", "khtml", "gecko", "united", "ids detections", "yara detections", "https domain", "tls sni", "ip lookup", "external ip", "malware", "encrypt", "techniques", "modify system", "process", "https", "performs dns", "tls version", "reads cpu", "proc indicative", "urls", "downloads", "persistence", "data upload", "extraction", "find s", "failed", "typ don", "ipv4 url", "canreb", "type ipv4", "url domail", "domail showing", "elf conta", "typ url", "zercega", "enter sc", "type", "include", "review", "n1 exclude", "suggestedincc", "a50 typ", "ipv4", "matches yara", "dete data", "yara detectea", "cro intormation", "exclude sugges", "sc car", "extra lte", "referen", "l extraction", "droo anv", "extr referen", "lte all", "je matches", "yara detel", "yara dete", "include review", "exchange lte", "je elf", "passive dns", "certificate", "files", "trojan", "related tags", "worm", "medium", "write c", "write", "high", "binary", "yara rule", "default", "moved", "schaan", "as834 ipxo", "dynamicloader", "program", "ee fc", "users", "ff d5", "python", "windows", "autoit", "confuserex", "stream", "guard", "launcher", "updater", "global", "america flag", "ashburn", "america related", "tags", "indicator facts", "historical otx", "controller fake", "akamai rank", "russia", "present nov", "aaaa", "link", "a domains", "ip address", "meta", "cve -2014-2321", "handle", "address range", "cidr", "network name", "allocation type", "pa status", "whois server", "included iocs", "manually add", "iocs o", "iocs", "sugges", "stop show", "types", "external", "ripe", "pa abusec", "neterra", "sofia", "bulgaria phone", "filtered person", "neven dilkov", "bg phone", "filtered route", "a5ip", "aa2023", "aamirai", "a2scanner", "apple inc", "issuer", "valid", "algorit", "thum", "name", "a9 a8", "status", "macho", "macho 64bit", "mac os", "x macho", "intel", "typ no", "td td", "td tr", "a td", "dynamic dns", "date", "name servers", "arial", "error", "null", "enough", "hosts", "win32", "fast", "contacted", "MacSync_AppleScript_Stealer", "cve-2018-10562", "source", "roboto", "robotodraft", "helvetica", "iframe", "manually ada", "review iocs", "abv0", "qaeaav0", "cptbdev", "w4uninitialized", "qaeaav01", "abv01", "qaexn", "qbenxz", "phoneidentify", "qbepaxxz" ], "references": [ "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org", "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com", "Zercega \u2022 IPv4 84.54.51.82", "Zercega \u2022 http://bot.hamsterrace.space:5966/", "Zercega \u2022 multi-user.target", "Zercega \u2022 ootheca.pw", "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393", "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS rules:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.", "Yara detected: Xmrig cryptocurrency miner", "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance", "meta.com \u2022 meta.com.apple", "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63", "ELF contains segments with high entropy indicating compressed/encrypted content", "/etc/systemd/system/geomi.service File type: ASCII text", "http://www.bing.lt/search?q=", "Win.Malware.Salat-10058846-0", "Yara Detections: MacSync_AppleScript_Stealer", "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara", "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process", "Alerts: resumethread_remote_process enumerates_running_processes reads_self", "Alerts: packer_unknown_pe_section_name script_tool_executed", "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry", "Contacted: 188.114.96.1 Domains Contacted dns.google", "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "display_name": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "target": "/malware/Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "CVE-2014-2321", "display_name": "CVE-2014-2321", "target": null }, { "id": "Botnet", "display_name": "Botnet", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1871, "domain": 393, "hostname": 925, "FileHash-MD5": 391, "FileHash-SHA1": 390, "FileHash-SHA256": 2452, "CVE": 1, "SSLCertFingerprint": 1, "email": 4, "CIDR": 1 }, "indicator_count": 6429, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d586108786e7be59439809", "name": "Bot.io", "description": "", "modified": "2026-05-07T21:06:09.549000", "created": "2026-04-07T22:32:48.996000", "tags": [ "added active", "related pulses", "found", "zergeca botnet", "zergeca", "upx packer", "khtml", "gecko", "united", "ids detections", "yara detections", "https domain", "tls sni", "ip lookup", "external ip", "malware", "encrypt", "techniques", "modify system", "process", "https", "performs dns", "tls version", "reads cpu", "proc indicative", "urls", "downloads", "persistence", "data upload", "extraction", "find s", "failed", "typ don", "ipv4 url", "canreb", "type ipv4", "url domail", "domail showing", "elf conta", "typ url", "zercega", "enter sc", "type", "include", "review", "n1 exclude", "suggestedincc", "a50 typ", "ipv4", "matches yara", "dete data", "yara detectea", "cro intormation", "exclude sugges", "sc car", "extra lte", "referen", "l extraction", "droo anv", "extr referen", "lte all", "je matches", "yara detel", "yara dete", "include review", "exchange lte", "je elf", "passive dns", "certificate", "files", "trojan", "related tags", "worm", "medium", "write c", "write", "high", "binary", "yara rule", "default", "moved", "schaan", "as834 ipxo", "dynamicloader", "program", "ee fc", "users", "ff d5", "python", "windows", "autoit", "confuserex", "stream", "guard", "launcher", "updater", "global", "america flag", "ashburn", "america related", "tags", "indicator facts", "historical otx", "controller fake", "akamai rank", "russia", "present nov", "aaaa", "link", "a domains", "ip address", "meta", "cve -2014-2321", "handle", "address range", "cidr", "network name", "allocation type", "pa status", "whois server", "included iocs", "manually add", "iocs o", "iocs", "sugges", "stop show", "types", "external", "ripe", "pa abusec", "neterra", "sofia", "bulgaria phone", "filtered person", "neven dilkov", "bg phone", "filtered route", "a5ip", "aa2023", "aamirai", "a2scanner", "apple inc", "issuer", "valid", "algorit", "thum", "name", "a9 a8", "status", "macho", "macho 64bit", "mac os", "x macho", "intel", "typ no", "td td", "td tr", "a td", "dynamic dns", "date", "name servers", "arial", "error", "null", "enough", "hosts", "win32", "fast", "contacted", "MacSync_AppleScript_Stealer", "cve-2018-10562", "source", "roboto", "robotodraft", "helvetica", "iframe", "manually ada", "review iocs", "abv0", "qaeaav0", "cptbdev", "w4uninitialized", "qaeaav01", "abv01", "qaexn", "qbenxz", "phoneidentify", "qbepaxxz" ], "references": [ "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org", "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com", "Zercega \u2022 IPv4 84.54.51.82", "Zercega \u2022 http://bot.hamsterrace.space:5966/", "Zercega \u2022 multi-user.target", "Zercega \u2022 ootheca.pw", "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393", "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS rules:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.", "Yara detected: Xmrig cryptocurrency miner", "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance", "meta.com \u2022 meta.com.apple", "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63", "ELF contains segments with high entropy indicating compressed/encrypted content", "/etc/systemd/system/geomi.service File type: ASCII text", "http://www.bing.lt/search?q=", "Win.Malware.Salat-10058846-0", "Yara Detections: MacSync_AppleScript_Stealer", "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara", "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process", "Alerts: resumethread_remote_process enumerates_running_processes reads_self", "Alerts: packer_unknown_pe_section_name script_tool_executed", "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry", "Contacted: 188.114.96.1 Domains Contacted dns.google", "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "display_name": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "target": "/malware/Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "CVE-2014-2321", "display_name": "CVE-2014-2321", "target": null }, { "id": "Botnet", "display_name": "Botnet", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" } ], "industries": [], "TLP": "green", "cloned_from": "69d5859750dfad7fe7989ef4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1871, "domain": 393, "hostname": 925, "FileHash-MD5": 391, "FileHash-SHA1": 390, "FileHash-SHA256": 2452, "CVE": 1, "SSLCertFingerprint": 1, "email": 4, "CIDR": 1 }, "indicator_count": 6429, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f97a905451e3304319988b", "name": ".may 4 clone own on may 5", "description": "", "modified": "2026-05-07T02:57:38.229000", "created": "2026-05-05T05:05:20.493000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "69f7fa1a282840a6e0aa370c", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 368, "FileHash-SHA256": 3143, "hostname": 2037, "IPv4": 186, "URL": 3288, "CIDR": 12, "email": 43, "domain": 1645, "URI": 1, "SSLCertFingerprint": 18, "CVE": 1 }, "indicator_count": 11083, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f7fa1a282840a6e0aa370c", "name": "May the 4th be with... every destructed file that never died", "description": "[undreds of thousands of people have been signing a petition calling for the removal of the president, Barack Obama, from the White House and the UK's prime minister, Theresa May, to be remove] The wording here. Its also May3rd not May 4th.", "modified": "2026-05-05T05:04:02.911000", "created": "2026-05-04T01:44:57.811000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 368, "FileHash-SHA256": 3142, "hostname": 1890, "IPv4": 162, "URL": 3241, "CIDR": 12, "email": 37, "domain": 1616, "URI": 1, "SSLCertFingerprint": 18 }, "indicator_count": 10828, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "27 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.", "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "ELF contains segments with high entropy indicating compressed/encrypted content", "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "http://www.bing.lt/search?q=", "Yara Detections: MacSync_AppleScript_Stealer", "/etc/systemd/system/geomi.service File type: ASCII text", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Zercega \u2022 IPv4 84.54.51.82", "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "meta.com \u2022 meta.com.apple", "Alerts: packer_unknown_pe_section_name script_tool_executed", "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393", "Contacted: 188.114.96.1 Domains Contacted dns.google", "Zercega \u2022 multi-user.target", "Alerts: resumethread_remote_process enumerates_running_processes reads_self", "Crowdsourced IDS rules:", "Win.Malware.Salat-10058846-0", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29", "Yara detected: Xmrig cryptocurrency miner", "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance", "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process", "Zercega \u2022 ootheca.pw", "Zercega \u2022 http://bot.hamsterrace.space:5966/", "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara", "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Cve-2014-2321", "Cve-2024-6387", "Alf:jasyp:trojandownloader:win32/smallagent!", "Cve-2018-10562", "Cve-2023-22518", "Win.trojan.emotet-9850453-0", "Win.malware.salat-10058846-0", "Worm:win32/autorun!atmn", "Win.trojan.tofsee-7102058-0\tbackdoor:win32/tofsee.t", "Autoit", "Cve-2025-20393", "Botnet", "Zergeca" ], "industries": [], "unique_indicators": 10914 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/ripe.net", "whois": "http://whois.domaintools.com/ripe.net", "domain": "ripe.net", "hostname": "rdap.db.ripe.net" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69d5859750dfad7fe7989ef4", "name": "Apple / Cloud/ Data Network within Zergeca / Zerg Botnet \u2022 MacSync_AppleScript_Stealer", "description": "", "modified": "2026-05-07T21:06:09.549000", "created": "2026-04-07T22:30:47.312000", "tags": [ "added active", "related pulses", "found", "zergeca botnet", "zergeca", "upx packer", "khtml", "gecko", "united", "ids detections", "yara detections", "https domain", "tls sni", "ip lookup", "external ip", "malware", "encrypt", "techniques", "modify system", "process", "https", "performs dns", "tls version", "reads cpu", "proc indicative", "urls", "downloads", "persistence", "data upload", "extraction", "find s", "failed", "typ don", "ipv4 url", "canreb", "type ipv4", "url domail", "domail showing", "elf conta", "typ url", "zercega", "enter sc", "type", "include", "review", "n1 exclude", "suggestedincc", "a50 typ", "ipv4", "matches yara", "dete data", "yara detectea", "cro intormation", "exclude sugges", "sc car", "extra lte", "referen", "l extraction", "droo anv", "extr referen", "lte all", "je matches", "yara detel", "yara dete", "include review", "exchange lte", "je elf", "passive dns", "certificate", "files", "trojan", "related tags", "worm", "medium", "write c", "write", "high", "binary", "yara rule", "default", "moved", "schaan", "as834 ipxo", "dynamicloader", "program", "ee fc", "users", "ff d5", "python", "windows", "autoit", "confuserex", "stream", "guard", "launcher", "updater", "global", "america flag", "ashburn", "america related", "tags", "indicator facts", "historical otx", "controller fake", "akamai rank", "russia", "present nov", "aaaa", "link", "a domains", "ip address", "meta", "cve -2014-2321", "handle", "address range", "cidr", "network name", "allocation type", "pa status", "whois server", "included iocs", "manually add", "iocs o", "iocs", "sugges", "stop show", "types", "external", "ripe", "pa abusec", "neterra", "sofia", "bulgaria phone", "filtered person", "neven dilkov", "bg phone", "filtered route", "a5ip", "aa2023", "aamirai", "a2scanner", "apple inc", "issuer", "valid", "algorit", "thum", "name", "a9 a8", "status", "macho", "macho 64bit", "mac os", "x macho", "intel", "typ no", "td td", "td tr", "a td", "dynamic dns", "date", "name servers", "arial", "error", "null", "enough", "hosts", "win32", "fast", "contacted", "MacSync_AppleScript_Stealer", "cve-2018-10562", "source", "roboto", "robotodraft", "helvetica", "iframe", "manually ada", "review iocs", "abv0", "qaeaav0", "cptbdev", "w4uninitialized", "qaeaav01", "abv01", "qaexn", "qbenxz", "phoneidentify", "qbepaxxz" ], "references": [ "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org", "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com", "Zercega \u2022 IPv4 84.54.51.82", "Zercega \u2022 http://bot.hamsterrace.space:5966/", "Zercega \u2022 multi-user.target", "Zercega \u2022 ootheca.pw", "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393", "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS rules:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.", "Yara detected: Xmrig cryptocurrency miner", "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance", "meta.com \u2022 meta.com.apple", "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63", "ELF contains segments with high entropy indicating compressed/encrypted content", "/etc/systemd/system/geomi.service File type: ASCII text", "http://www.bing.lt/search?q=", "Win.Malware.Salat-10058846-0", "Yara Detections: MacSync_AppleScript_Stealer", "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara", "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process", "Alerts: resumethread_remote_process enumerates_running_processes reads_self", "Alerts: packer_unknown_pe_section_name script_tool_executed", "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry", "Contacted: 188.114.96.1 Domains Contacted dns.google", "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "display_name": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "target": "/malware/Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "CVE-2014-2321", "display_name": "CVE-2014-2321", "target": null }, { "id": "Botnet", "display_name": "Botnet", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1871, "domain": 393, "hostname": 925, "FileHash-MD5": 391, "FileHash-SHA1": 390, "FileHash-SHA256": 2452, "CVE": 1, "SSLCertFingerprint": 1, "email": 4, "CIDR": 1 }, "indicator_count": 6429, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d586108786e7be59439809", "name": "Bot.io", "description": "", "modified": "2026-05-07T21:06:09.549000", "created": "2026-04-07T22:32:48.996000", "tags": [ "added active", "related pulses", "found", "zergeca botnet", "zergeca", "upx packer", "khtml", "gecko", "united", "ids detections", "yara detections", "https domain", "tls sni", "ip lookup", "external ip", "malware", "encrypt", "techniques", "modify system", "process", "https", "performs dns", "tls version", "reads cpu", "proc indicative", "urls", "downloads", "persistence", "data upload", "extraction", "find s", "failed", "typ don", "ipv4 url", "canreb", "type ipv4", "url domail", "domail showing", "elf conta", "typ url", "zercega", "enter sc", "type", "include", "review", "n1 exclude", "suggestedincc", "a50 typ", "ipv4", "matches yara", "dete data", "yara detectea", "cro intormation", "exclude sugges", "sc car", "extra lte", "referen", "l extraction", "droo anv", "extr referen", "lte all", "je matches", "yara detel", "yara dete", "include review", "exchange lte", "je elf", "passive dns", "certificate", "files", "trojan", "related tags", "worm", "medium", "write c", "write", "high", "binary", "yara rule", "default", "moved", "schaan", "as834 ipxo", "dynamicloader", "program", "ee fc", "users", "ff d5", "python", "windows", "autoit", "confuserex", "stream", "guard", "launcher", "updater", "global", "america flag", "ashburn", "america related", "tags", "indicator facts", "historical otx", "controller fake", "akamai rank", "russia", "present nov", "aaaa", "link", "a domains", "ip address", "meta", "cve -2014-2321", "handle", "address range", "cidr", "network name", "allocation type", "pa status", "whois server", "included iocs", "manually add", "iocs o", "iocs", "sugges", "stop show", "types", "external", "ripe", "pa abusec", "neterra", "sofia", "bulgaria phone", "filtered person", "neven dilkov", "bg phone", "filtered route", "a5ip", "aa2023", "aamirai", "a2scanner", "apple inc", "issuer", "valid", "algorit", "thum", "name", "a9 a8", "status", "macho", "macho 64bit", "mac os", "x macho", "intel", "typ no", "td td", "td tr", "a td", "dynamic dns", "date", "name servers", "arial", "error", "null", "enough", "hosts", "win32", "fast", "contacted", "MacSync_AppleScript_Stealer", "cve-2018-10562", "source", "roboto", "robotodraft", "helvetica", "iframe", "manually ada", "review iocs", "abv0", "qaeaav0", "cptbdev", "w4uninitialized", "qaeaav01", "abv01", "qaexn", "qbenxz", "phoneidentify", "qbepaxxz" ], "references": [ "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org", "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com", "Zercega \u2022 IPv4 84.54.51.82", "Zercega \u2022 http://bot.hamsterrace.space:5966/", "Zercega \u2022 multi-user.target", "Zercega \u2022 ootheca.pw", "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393", "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS rules:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.", "Yara detected: Xmrig cryptocurrency miner", "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance", "meta.com \u2022 meta.com.apple", "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63", "ELF contains segments with high entropy indicating compressed/encrypted content", "/etc/systemd/system/geomi.service File type: ASCII text", "http://www.bing.lt/search?q=", "Win.Malware.Salat-10058846-0", "Yara Detections: MacSync_AppleScript_Stealer", "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara", "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process", "Alerts: resumethread_remote_process enumerates_running_processes reads_self", "Alerts: packer_unknown_pe_section_name script_tool_executed", "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry", "Contacted: 188.114.96.1 Domains Contacted dns.google", "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "display_name": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T", "target": "/malware/Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "CVE-2014-2321", "display_name": "CVE-2014-2321", "target": null }, { "id": "Botnet", "display_name": "Botnet", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" } ], "industries": [], "TLP": "green", "cloned_from": "69d5859750dfad7fe7989ef4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1871, "domain": 393, "hostname": 925, "FileHash-MD5": 391, "FileHash-SHA1": 390, "FileHash-SHA256": 2452, "CVE": 1, "SSLCertFingerprint": 1, "email": 4, "CIDR": 1 }, "indicator_count": 6429, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f97a905451e3304319988b", "name": ".may 4 clone own on may 5", "description": "", "modified": "2026-05-07T02:57:38.229000", "created": "2026-05-05T05:05:20.493000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "69f7fa1a282840a6e0aa370c", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 368, "FileHash-SHA256": 3143, "hostname": 2037, "IPv4": 186, "URL": 3288, "CIDR": 12, "email": 43, "domain": 1645, "URI": 1, "SSLCertFingerprint": 18, "CVE": 1 }, "indicator_count": 11083, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f7fa1a282840a6e0aa370c", "name": "May the 4th be with... every destructed file that never died", "description": "[undreds of thousands of people have been signing a petition calling for the removal of the president, Barack Obama, from the White House and the UK's prime minister, Theresa May, to be remove] The wording here. Its also May3rd not May 4th.", "modified": "2026-05-05T05:04:02.911000", "created": "2026-05-04T01:44:57.811000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 368, "FileHash-SHA256": 3142, "hostname": 1890, "IPv4": 162, "URL": 3241, "CIDR": 12, "email": 37, "domain": 1616, "URI": 1, "SSLCertFingerprint": 18 }, "indicator_count": 10828, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "27 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://rdap.db.ripe.net/entity/MNT-NETERRA", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://rdap.db.ripe.net/entity/MNT-NETERRA", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780292144.6939118 }