{
  "type": "URL",
  "indicator": "https://rdap.fabulous.com/rdap/",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://rdap.fabulous.com/rdap/",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3818952709,
      "indicator": "https://rdap.fabulous.com/rdap/",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 6,
      "pulses": [
        {
          "id": "698e93e1ab02db8c49e8c3ed",
          "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
          "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
          "modified": "2026-05-17T15:52:35.396000",
          "created": "2026-02-13T03:00:49.872000",
          "tags": [
            "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
            "9698f46495ce9401c8bcaf9a2afe1598",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
            "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
            "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
            "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
          ],
          "references": [
            "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
            "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
            "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
            "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
            "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
            "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
            "Verification failure observed in automated verification handlers during sandbox replay.",
            "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
            "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
            "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
            "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
            "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
            "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
            "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
            "Whitelisted IP address 204.79.197.212 | Location: United States | ASN: AS8068 Microsoft Corporation | Nameservers: ns4-205.azure-dns.info., ns1-205.azure-dns.com. | WHOIS: Registrar MarkMonitor, Inc., Creation Date Mar 26, 1996 | Related Pulses: OTX User-Created Pulses (50) | Related Tags: 2025, 4328, 5943, 80211, #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf, The dynamics of the mudoSOSIntersectalign with sophisticated adv | Indicator Facts: 982 malicious files communicat",
            "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
            "My independent research finds an intersect between different PDF DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all."
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "China",
            "United States of America",
            "Spain",
            "Japan",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 28000,
            "FileHash-SHA256": 48374,
            "FileHash-MD5": 42596,
            "FileHash-SHA1": 23243,
            "hostname": 35654,
            "URL": 75758,
            "SSLCertFingerprint": 30,
            "CVE": 7585,
            "email": 316,
            "FileHash-IMPHASH": 8,
            "CIDR": 26205,
            "JA3": 1,
            "URI": 5,
            "IPv4": 574,
            "Mutex": 1
          },
          "indicator_count": 288350,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 92,
          "modified_text": "15 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69efc3a63f5aa5107bb41dbf",
          "name": "[clone-Jeffrey Reimer DPT Tsara Brashears Court Records | ]by scoreblue",
          "description": "",
          "modified": "2026-04-27T23:20:58.970000",
          "created": "2026-04-27T20:14:30.720000",
          "tags": [
            "reimer-jeffrey-v-brashears-tsara",
            "2017cv030026  suppressed",
            "case 2017cv030026  suppressed",
            "docket",
            "legal case",
            "legal",
            "litigation",
            "court cases",
            "state court docket",
            "robert r",
            "lung",
            "county",
            "case",
            "money",
            "ben l",
            "leutwyler iii",
            "reimer",
            "brashears",
            "douglas county",
            "tips",
            "district",
            "date",
            "judge",
            "shane",
            "bank",
            "contact",
            "service",
            "brashears accepts",
            "jeffrey scott",
            "reimer dpt",
            "reimer paid",
            "sa victim",
            "settlement",
            "reimer-jeffrey-paid-tsara-brahears-settlement",
            "reimer-jeffrey-claim-dismissed",
            "brashears-tsara-claims-upheld",
            "reverse dns",
            "general full",
            "protocol h2",
            "security tls",
            "resource",
            "united",
            "hash",
            "name value",
            "security",
            "main",
            "facebook",
            "brashears-tsara-v-reimer-jeffrey",
            "so false",
            "as134548 dxtl",
            "kwan o",
            "hong kong",
            "passive dns",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "export graph",
            "historical ssl",
            "referrer",
            "gameprofitshack",
            "webstudio",
            "smartdata",
            "alloymedia",
            "industries",
            "theakkas",
            "korplug",
            "default",
            "module load",
            "t1129",
            "show",
            "search",
            "regbinary",
            "malware beacon",
            "upatre",
            "suspicious",
            "trojan",
            "copy",
            "dock",
            "downloader",
            "loader",
            "write",
            "malware",
            "av detections",
            "ids detections",
            "yara detections",
            "alerts",
            "related pulses",
            "dashboard",
            "browse scan",
            "endpoints all",
            "showing",
            "p2p zeus",
            "september",
            "popper",
            "cookies",
            "x function",
            "hsp boolean",
            "oribili boolean",
            "hstcran",
            "hsusertoken",
            "domainpath name",
            "ns nxdomain",
            "parked",
            "tsara won",
            "brashears prevails",
            "reimer dismissal",
            "dangerous data collection",
            "get device",
            "parked uri"
          ],
          "references": [
            "Scam Aggregators: https://trellis.law/case/8035/2017cv030026-suppressed/reimer-jeffrey-v-brashears-tsara [parked here: ctjsz.com]",
            "http://www.qq664.com/seximanhua/22128.html [looks legit to me]",
            "sex2e.com  | http://qq664.com/seximanhua/22128.html [trellis.law]",
            "https://prnbae.com/191693/at-37-ellie-discovers-the-unique-sensations-of-double-vaginal-sex/ [trellis.law]",
            "http://www.philippinesredcat.com/girls-for-sex-in-manila/ [trellis.law]",
            "http://us.1.powerfront.com/thehealthylivingshow/scripts/redir.asp?link=https://www.sexbestgals.info/cougar-porn/ [trellis.law]",
            "https://help.competitionsuite.com/article/76-using-the-judge-app-tablets",
            "https://www.paidhmars.com/",
            "https://urlscan.io/result/e4ed8a1d-1b23-46cd-a237-a2ad4e974fc3/content/",
            "False: This case was filed in Douglas County Superior Courts with Jeffrey K Holmes presiding. | Who is he?",
            "False: Never served. Had several PI's and background checks",
            "Jeffrey Scott Reimer DPT was allegedly arrested 02/14/2022 | Very unreliable self-proclaimed PI's (multiple)",
            "Brian Sabey begged victim to accept tiny settlement. Contingency, 'Brashears may use  settlement to find hacker.'",
            "Judge Shay Whittaker dismissed Reimer's 'malicious' prosecution claim",
            "Reimer's case v. Brashears in 2017 after Denver Police Major Crimes located Reimer",
            "Brashears documented on corr record she wanted to proceed with case",
            "Brian Sabey Speaking for Jeffrey Scott Reimer DPT refused further court proceedings",
            "Brian Sabey offered Brashears a settlement. Begged her to accept it.",
            "Case: Defamation of character based on truthful reviews left on HealthGrades.",
            "A series of reviews detailing Jeffrey Reimer DPT egregious behavior proved not left by Brashears except 2 with comments -4",
            "Brashears Review: 'He would benefit from more training' [Very considerate considering the complimentary spinal cord injuries 'plural']",
            "Health Grades erased 20+ positive reviews that originated from Reimers email address.",
            "Most if not all positive Jeffrey Reimer DPT reviews are false. Reimer wasn't practicing when 'amazing' treatment alleged",
            "Brian Sabey, Esq. filed motion to dismiss after judge dismissed Reimer's meritless case",
            "Brian Sabey would be most foolish after it was determined Brashears was 100% disabled. This was caused by Jeffrey Scott Reimer DPT",
            "Brashears would gladly go to court as stated in court documents to then judge who wished to be briefed by Brashears. Thwarted by Sabey.",
            "Brian Sabey wanted to appear to win. Sandy demanded Brashears remove every patient's negative review about Jeffrey Reimer DPT",
            "Brian Sabey had cashiers check delivered to Brashears in person.",
            "Victim is willing to have her attorney post entire court proceedings online , on YouTube and more",
            "There is NO other physical therapist with as many reviews as Jeffrey Reimer DPT, even non-offenders. Reimer's clientele is largely non-English speaking.",
            "Reimer often criticized non-English speakers, large women and short Hispanic men according to witness.",
            "He also spoke frequently about Brashears's infamously 'real' large bosom and figure. He decided to touch, grab, grope, assault, injure, beg for more",
            "Jeffrey Scott Reimer PT, DPT. Assaulter's defense: 'I had to be of the top/front of Brashears. She consented!'",
            "False: Brashears didn't expect this coming. Jeffrey Reimer DPT suddenly jumped on top of Brashears and tried to start a family. He didn't ask.",
            "Unless tampered with, court records will show Brashears dropped as a patient to be told she'd face legal consequences if she did.",
            "Survivor was told an investigation would begin, she'd be safe among other careless things her MD advised",
            "Brashears would LOVE for the true court proceedings to be read. She feels they were hacked away. DougCo was unable to 'print' records 'glitch'",
            "Did I mention she prevailed, won, got a check? Tsara Lynn Brashears survivor; won her counter claim. Weak Reimer claim burned like a dying moth.",
            "Trellis: 3.223.115.185 in cloud provider range (provider=AWS) | IPv4 34.240.160.162 in cloud provider range (provider=AWS)",
            "Trellis: http://blockpage.bt.com/pcstaticpage/blocked.html?list=BT |  https://search.app.goo.gl/?ofl",
            "Trellis: www.youtube.com/watch?v=GyuMozsVyYs | Survivor's video references assault. Does not name or depict Reimer's likeness.",
            "Trellis: Hostname blockpage.bt.com | hdredirect-lb7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | itunes.apple.com | search.app.goo.gl  | www.youtube.com",
            "Trellis: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
            "IDS Detections: Downloader (P2P Zeus dropper UA) | Common Upatre Header Structure 2 | Upatre Retrieving encoded payload (Common Header Struct)",
            "IDS Detections: Suspicious User-Agent containing Loader | Observed TLS Handshake Failure",
            "Trellis: High Priority Alerts: network_icmp, modifies_proxy_wpad, packer_polymorphic",
            "Trellis: TrojanDownloader:Win32/Upatre.A | YARA Detections: Upack_all_versions",
            "Trellis: secure04-appleid.com | http://secure04-appleid.com | cpcalendars.secure04-appleid.com"
          ],
          "public": 1,
          "adversary": "Parking Crew",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Zbot.SIBG3!MTB",
              "display_name": "Trojan:Win32/Zbot.SIBG3!MTB",
              "target": "/malware/Trojan:Win32/Zbot.SIBG3!MTB"
            },
            {
              "id": "TrojanDownloader:Win32/Upatre.A",
              "display_name": "TrojanDownloader:Win32/Upatre.A",
              "target": "/malware/TrojanDownloader:Win32/Upatre.A"
            },
            {
              "id": "P2P ZeuS - S0016",
              "display_name": "P2P ZeuS - S0016",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1399",
              "name": "Modify Trusted Execution Environment",
              "display_name": "T1399 - Modify Trusted Execution Environment"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            }
          ],
          "industries": [
            "Research",
            "Telecommunications",
            "Technology",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "66d490668683aec2631cfa20",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 269,
            "FileHash-SHA1": 266,
            "FileHash-SHA256": 981,
            "domain": 480,
            "hostname": 684,
            "email": 1,
            "URL": 2102
          },
          "indicator_count": 4783,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 65,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bf64e1d5e06aa6207f78de",
          "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
          "description": "",
          "modified": "2026-03-27T00:30:39.055000",
          "created": "2026-03-22T03:41:21.863000",
          "tags": [
            "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
            "9698f46495ce9401c8bcaf9a2afe1598",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
            "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
            "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
            "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
          ],
          "references": [
            "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
            "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
            "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
            "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
            "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
            "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
            "Verification failure observed in automated verification handlers during sandbox replay.",
            "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
            "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
            "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
            "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
            "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
            "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
            "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
            "Whitelisted IP address 204.79.197.212 | Location: United States | ASN: AS8068 Microsoft Corporation | Nameservers: ns4-205.azure-dns.info., ns1-205.azure-dns.com. | WHOIS: Registrar MarkMonitor, Inc., Creation Date Mar 26, 1996 | Related Pulses: OTX User-Created Pulses (50) | Related Tags: 2025, 4328, 5943, 80211, #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf, The dynamics of the mudoSOSIntersectalign with sophisticated adv | Indicator Facts: 982 malicious files communicat",
            "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "China",
            "United States of America",
            "Spain",
            "Japan",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
          ],
          "TLP": "green",
          "cloned_from": "698e93e1ab02db8c49e8c3ed",
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 27572,
            "FileHash-SHA256": 46076,
            "FileHash-MD5": 42177,
            "FileHash-SHA1": 22874,
            "hostname": 33438,
            "URL": 74810,
            "SSLCertFingerprint": 21,
            "CVE": 7579,
            "email": 297,
            "FileHash-IMPHASH": 8,
            "CIDR": 26203,
            "JA3": 1
          },
          "indicator_count": 281056,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 149,
          "modified_text": "66 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bf64eccb5d39a90a3c391e",
          "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
          "description": "",
          "modified": "2026-03-27T00:30:39.055000",
          "created": "2026-03-22T03:41:32.565000",
          "tags": [
            "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
            "9698f46495ce9401c8bcaf9a2afe1598",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
            "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
            "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
            "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
          ],
          "references": [
            "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
            "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
            "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
            "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
            "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
            "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
            "Verification failure observed in automated verification handlers during sandbox replay.",
            "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
            "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
            "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
            "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
            "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
            "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
            "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
            "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
            "",
            "The AlienVault OTX report for flypdx.com documents 11 related tags, including IDS detections and AV detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "China",
            "United States of America",
            "Spain",
            "Japan",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
          ],
          "TLP": "green",
          "cloned_from": "698e93e1ab02db8c49e8c3ed",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 27572,
            "FileHash-SHA256": 46076,
            "FileHash-MD5": 42177,
            "FileHash-SHA1": 22874,
            "hostname": 33438,
            "URL": 74810,
            "SSLCertFingerprint": 21,
            "CVE": 7579,
            "email": 297,
            "FileHash-IMPHASH": 8,
            "CIDR": 26203,
            "JA3": 1
          },
          "indicator_count": 281056,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 152,
          "modified_text": "66 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d490668683aec2631cfa20",
          "name": "Jeffrey Reimer DPT Tsara Brashears Court Records | Trellis.Law",
          "description": "Phishing expedition: Malicious bait. Threat actor(s) attempting to hack whoever can see and click on the link. The URL is parked, is malicious, and attempts to infiltrate the device.",
          "modified": "2024-11-05T00:02:43.336000",
          "created": "2024-09-01T16:03:50.411000",
          "tags": [
            "reimer-jeffrey-v-brashears-tsara",
            "2017cv030026  suppressed",
            "case 2017cv030026  suppressed",
            "docket",
            "legal case",
            "legal",
            "litigation",
            "court cases",
            "state court docket",
            "robert r",
            "lung",
            "county",
            "case",
            "money",
            "ben l",
            "leutwyler iii",
            "reimer",
            "brashears",
            "douglas county",
            "tips",
            "district",
            "date",
            "judge",
            "shane",
            "bank",
            "contact",
            "service",
            "brashears accepts",
            "jeffrey scott",
            "reimer dpt",
            "reimer paid",
            "sa victim",
            "settlement",
            "reimer-jeffrey-paid-tsara-brahears-settlement",
            "reimer-jeffrey-claim-dismissed",
            "brashears-tsara-claims-upheld",
            "reverse dns",
            "general full",
            "protocol h2",
            "security tls",
            "resource",
            "united",
            "hash",
            "name value",
            "security",
            "main",
            "facebook",
            "brashears-tsara-v-reimer-jeffrey",
            "so false",
            "as134548 dxtl",
            "kwan o",
            "hong kong",
            "passive dns",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "export graph",
            "historical ssl",
            "referrer",
            "gameprofitshack",
            "webstudio",
            "smartdata",
            "alloymedia",
            "industries",
            "theakkas",
            "korplug",
            "default",
            "module load",
            "t1129",
            "show",
            "search",
            "regbinary",
            "malware beacon",
            "upatre",
            "suspicious",
            "trojan",
            "copy",
            "dock",
            "downloader",
            "loader",
            "write",
            "malware",
            "av detections",
            "ids detections",
            "yara detections",
            "alerts",
            "related pulses",
            "dashboard",
            "browse scan",
            "endpoints all",
            "showing",
            "p2p zeus",
            "september",
            "popper",
            "cookies",
            "x function",
            "hsp boolean",
            "oribili boolean",
            "hstcran",
            "hsusertoken",
            "domainpath name",
            "ns nxdomain",
            "parked",
            "tsara won",
            "brashears prevails",
            "reimer dismissal",
            "dangerous data collection",
            "get device",
            "parked uri"
          ],
          "references": [
            "Scam Aggregators: https://trellis.law/case/8035/2017cv030026-suppressed/reimer-jeffrey-v-brashears-tsara [parked here: ctjsz.com]",
            "http://www.qq664.com/seximanhua/22128.html [looks legit to me]",
            "sex2e.com | http://qq664.com/seximanhua/22128.html [trellis.law]",
            "https://prnbae.com/191693/at-37-ellie-discovers-the-unique-sensations-of-double-vaginal-sex/ [trellis.law]",
            "http://www.philippinesredcat.com/girls-for-sex-in-manila/ [trellis.law]",
            "http://us.1.powerfront.com/thehealthylivingshow/scripts/redir.asp?link=https://www.sexbestgals.info/cougar-porn/ [trellis.law]",
            "https://help.competitionsuite.com/article/76-using-the-judge-app-tablets",
            "https://www.paidhmars.com/",
            "https://urlscan.io/result/e4ed8a1d-1b23-46cd-a237-a2ad4e974fc3/content/",
            "False: This case was filed in Douglas County Superior Courts with Jeffrey K Holmes presiding. | Who is he?",
            "False: Never served. Had several PIs and background checks",
            "Jeffrey Scott Reimer DPT was allegedly arrested 02/14/2022 | Very unreliable self-proclaimed PIs (multiple)",
            "Brian Sabey begged victim to accept tiny settlement. Contingency, 'Brashears may use settlement to find hacker.'",
            "Judge Shay Whittaker dismissed Reimer's 'malicious' prosecution claim",
            "Reimer's case v. Brashears in 2017 after Denver Police Major Crimes located Reimer",
            "Brashears documented on corr record she wanted to proceed with case",
            "Brian Sabey Speaking for Jeffrey Scott Reimer DPT refused further court proceedings",
            "Brian Sabey offered Brashears a settlement. Begged her to accept it.",
            "Case: Defamation of character based on truthful reviews left on HealthGrades.",
            "A series of reviews detailing Jeffrey Reimer DPT's egregious behavior proved not left by Brashears except 2 with comments -4",
            "Brashears Review: 'He would benefit from more training' [Very considerate considering the complimentary spinal cord injuries 'plural']",
            "Health Grades erased 20+ positive reviews that originated from Reimer's email address.",
            "Most if not all positive Jeffrey Reimer DPT reviews are false. Reimer wasn't practicing when 'amazing' treatment alleged",
            "Brian Sabey, Esq. filed motion to dismiss after judge dismissed Reimer's meritless case",
            "Brian Sabey would be most foolish after it was determined Brashears was 100% disabled. This was caused by Jeffrey Scott Reimer DPT",
            "Brashears would gladly go to court as stated in court documents to then judge who wished to be briefed by Brashears. Thwarted by Sabey.",
            "Brian Sabey wanted to appear to win. Sandy demanded Brashears remove every patient's negative review about Jeffrey Reimer DPT",
            "Brian Sabey had cashiers check delivered to Brashears in person.",
            "Victim is willing to have her attorney post entire court proceedings online, on YouTube and more",
            "There is NO other physical therapist with as many reviews as Jeffrey Reimer DPT, even non-offenders. Reimer's clientele is largely non-English speaking.",
            "Reimer often criticized non-English speakers, large women and short Hispanic men according to witness.",
            "He also spoke frequently about Brashears' infamously 'real' large bosom and figure. He decided to touch, grab, grope, assault, injure, beg for more",
            "Jeffrey Scott Reimer PT, DPT. Assaulter's defense: 'I had to be of the top/front of Brashears, She consented!'",
            "False: Brashears didn't expect this coming. Jeffrey Reimer DPT suddenly jumped on top of Brashears and tried to start a family. He didn't ask.",
            "Unless tampered with, court records will show Brashears dropped as a patient to be told she'd face legal consequences if she did.",
            "Survivor was told an investigation would begin, she'd be safe among other careless things her MD advised",
            "Brashears would LOVE for the true court proceedings to be read. She feels they were hacked away. DougCo was unable to 'print' records 'glitch'",
            "Did I mention she prevailed, won, got a check? Tsara Lynn Brashears survivor; won her counterclaim. Weak Reimer claim burned like a dying moth.",
            "Trellis: 3.223.115.185 In cloud provider range: provider=AWS\t  IPv4 34.240.160.162 In cloud provider range: provider=AWS",
            "Trellis: http://blockpage.bt.com/pcstaticpage/blocked.html?list=BT |  https://search.app.goo.gl/?ofl",
            "Trellis: www.youtube.com/watch?v=GyuMozsVyYs \t\u00bb Survivor's video references assault. Does not name or depict Reimer's likeness.",
            "Trellis: Hostname blockpage.bt.com | hdredirect-lb7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | itunes.apple.com | search.app.goo.gl | www.youtube.com",
            "Trellis: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
            "IDS Detections: Downloader (P2P Zeus dropper UA) Common Upatre Header Structure 2 Upatre Retrieving encoded payload (Common Header Struct)",
            "IDS Detections: Suspicious User-Agent containing Loader Observed TLS Handshake Failure",
            "Trellis: High Priority Alerts: network_icmp modifies_proxy_wpad packer_polymorphic",
            "Trellis: TrojanDownloader:Win32/Upatre.A | Yara Detections Upack_all_versions",
            "Trellis: secure04-appleid.com | http://secure04-appleid.com | cpcalendars.secure04-appleid.com"
          ],
          "public": 1,
          "adversary": "Parking Crew",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Zbot.SIBG3!MTB",
              "display_name": "Trojan:Win32/Zbot.SIBG3!MTB",
              "target": "/malware/Trojan:Win32/Zbot.SIBG3!MTB"
            },
            {
              "id": "TrojanDownloader:Win32/Upatre.A",
              "display_name": "TrojanDownloader:Win32/Upatre.A",
              "target": "/malware/TrojanDownloader:Win32/Upatre.A"
            },
            {
              "id": "P2P ZeuS - S0016",
              "display_name": "P2P ZeuS - S0016",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1399",
              "name": "Modify Trusted Execution Environment",
              "display_name": "T1399 - Modify Trusted Execution Environment"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            }
          ],
          "industries": [
            "Research",
            "Telecommunications",
            "Technology",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 269,
            "FileHash-SHA1": 266,
            "FileHash-SHA256": 981,
            "domain": 480,
            "hostname": 684,
            "email": 1,
            "URL": 2102
          },
          "indicator_count": 4783,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 227,
          "modified_text": "573 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65975575264e6fd3bc055201",
          "name": "Accredited IANA Registrars",
          "description": "",
          "modified": "2024-01-05T01:03:49.531000",
          "created": "2024-01-05T01:03:49.531000",
          "tags": [],
          "references": [
            "https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 431,
            "domain": 19,
            "hostname": 410
          },
          "indicator_count": 860,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 184,
          "modified_text": "878 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "sex2e.com | http://qq664.com/seximanhua/22128.html [trellis.law]",
        "Survivor was told an investigation would begin, she'd be safe among other careless things her MD advised",
        "Trellis: www.youtube.com/watch?v=GyuMozsVyYs \t\u00bb Survivor's video references assault. Does not name or depict Reimer's likeness.",
        "The AlienVault OTX report for flypdx.com documents 11 related tags, including IDS detections and AV detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
        "Judge Shay Whittaker dismissed Reimer's 'malicious' prosecution claim",
        "IDS Detections: Downloader (P2P Zeus dropper UA) Common Upatre Header Structure 2 Upatre Retrieving encoded payload (Common Header Struct)",
        "http://www.qq664.com/seximanhua/22128.html [looks legit to me]",
        "Unless tampered with, court records will show Brashears dropped as a patient to be told she'd face legal consequences if she did.",
        "A series of reviews detailing Jeffrey Reimer DPT's egregious behavior proved not left by Brashears except 2 with comments -4",
        "Reimer often criticized non-English speakers, large women and short Hispanic men according to witness.",
        "Jeffrey Scott Reimer PT, DPT. Assaulter's defense: 'I had to be of the top/front of Brashears, She consented!'",
        "Brian Sabey, Esq. filed motion to dismiss after judge dismissed Reimer's meritless case",
        "Trellis: http://blockpage.bt.com/pcstaticpage/blocked.html?list=BT |  https://search.app.goo.gl/?ofl",
        "Trellis: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
        "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
        "Scam Aggregators: https://trellis.law/case/8035/2017cv030026-suppressed/reimer-jeffrey-v-brashears-tsara [parked here: ctjsz.com]",
        "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
        "He also spoke frequently about Brashears' infamously 'real' large bosom and figure. He decided to touch, grab, grope, assault, injure, beg for more",
        "Most if not all positive Jeffrey Reimer DPT reviews are false. Reimer wasn't practicing when 'amazing' treatment alleged",
        "http://us.1.powerfront.com/thehealthylivingshow/scripts/redir.asp?link=https://www.sexbestgals.info/cougar-porn/ [trellis.law]",
        "Brashears documented on corr record she wanted to proceed with case",
        "Brian Sabey had cashiers check delivered to Brashears in person.",
        "There is NO other physical therapist with as many reviews as Jeffrey Reimer DPT, even non-offenders. Reimer's clientele is largely non-English speaking.",
        "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
        "Health Grades erased 20+ positive reviews that originated from Reimer's email address.",
        "Trellis: TrojanDownloader:Win32/Upatre.A | Yara Detections Upack_all_versions",
        "https://prnbae.com/191693/at-37-ellie-discovers-the-unique-sensations-of-double-vaginal-sex/ [trellis.law]",
        "https://www.paidhmars.com/",
        "Trellis: Hostname blockpage.bt.com | hdredirect-lb7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | itunes.apple.com | search.app.goo.gl | www.youtube.com",
        "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all.",
        "Brian Sabey begged victim to accept tiny settlement. Contingency, 'Brashears may use settlement to find hacker.'",
        "Brian Sabey Speaking for Jeffrey Scott Reimer DPT refused further court proceedings",
        "Victim is willing to have her attorney post entire court proceedings online, on YouTube and more",
        "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
        "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
        "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
        "http://www.philippinesredcat.com/girls-for-sex-in-manila/ [trellis.law]",
        "False: This case was filed in Douglas County Superior Courts with Jeffrey K Holmes presiding. | Who is he?",
        "Jeffrey Scott Reimer DPT was allegedly arrested 02/14/2022 | Very unreliable self-proclaimed PIs (multiple)",
        "Case: Defamation of character based on truthful reviews left on HealthGrades.",
        "Trellis: secure04-appleid.com | http://secure04-appleid.com | cpcalendars.secure04-appleid.com",
        "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
        "IDS Detections: Suspicious User-Agent containing Loader Observed TLS Handshake Failure",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
        "Brian Sabey wanted to appear to win. Sandy demanded Brashears remove every patients negative review about Jeffrey Reimer DPT",
        "Trellis: High Priority Alerts: network_icmp modifies_proxy_wpad packer_polymorphic",
        "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
        "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
        "https://urlscan.io/result/e4ed8a1d-1b23-46cd-a237-a2ad4e974fc3/content/",
        "https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml",
        "Brian Sabey would  be most foolish after it was determined Brashears was 100% disabled. This was cause by Jeffrey Scott Reimer DPT",
        "False: Never served. Had several PI's and background checks",
        "Brian Sabey offered Brashears a settlement. Begged her to accept it.",
        "Reimers case V Brashears in 2017 after Denver Police Major Crimes located Reimer",
        "Brashears would LOVE for the true court proceedings to be read. She feels they were hacked away. DougCo was unable to 'print' records 'glitch'",
        "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
        "Verification failure observed in automated verification handlers during sandbox replay.",
        "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
        "Did I mention she prevailed, won, got a check? Tsara Lynn Brashears survivor; won her counter claim. Weak Reimer claim burned like a dying moth.",
        "https://help.competitionsuite.com/article/76-using-the-judge-app-tablets",
        "Brashears would gladly go to court as stated in court documents to then judge who wished to be briefed by Brashears. Thwarted by Sabey.",
        "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
        "Brashears Review: 'He would benefit from more training' [Very considerate considering the complimentary spinal cord injuries 'plural']",
        "False: Brashears didn't expect this coming. Jeffrey Reimer DPT suddenly jumped on top of Brashears and tried to start a family. He didn't ask.",
        "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
        "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
        "Trellis: 3.223.115.185 In cloud provider range: provider=AWS\t  IPv4 34.240.160.162 In cloud provider range: provider=AWS"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "Parking Crew"
          ],
          "malware_families": [
            "Trojan:win32/zbot.sibg3!mtb",
            "Trojandownloader:win32/upatre.a",
            "P2p zeus - s0016"
          ],
          "industries": [
            "Civilians",
            "Telecommunications",
            "Technology",
            "Research",
            "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in"
          ],
          "unique_indicators": 135841
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/fabulous.com",
    "whois": "http://whois.domaintools.com/fabulous.com",
    "domain": "fabulous.com",
    "hostname": "rdap.fabulous.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 6,
  "pulses": [
    {
      "id": "698e93e1ab02db8c49e8c3ed",
      "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
      "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
      "modified": "2026-05-17T15:52:35.396000",
      "created": "2026-02-13T03:00:49.872000",
      "tags": [
        "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
        "9698f46495ce9401c8bcaf9a2afe1598",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
        "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
        "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
        "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
      ],
      "references": [
        "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
        "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
        "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
        "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
        "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
        "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
        "Verification failure observed in automated verification handlers during sandbox replay.",
        "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
        "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
        "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
        "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
        "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
        "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
        "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
        "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
        "",
        "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
        "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all."
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "China",
        "United States of America",
        "Spain",
        "Japan",
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 28000,
        "FileHash-SHA256": 48374,
        "FileHash-MD5": 42596,
        "FileHash-SHA1": 23243,
        "hostname": 35654,
        "URL": 75758,
        "SSLCertFingerprint": 30,
        "CVE": 7585,
        "email": 316,
        "FileHash-IMPHASH": 8,
        "CIDR": 26205,
        "JA3": 1,
        "URI": 5,
        "IPv4": 574,
        "Mutex": 1
      },
      "indicator_count": 288350,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 92,
      "modified_text": "15 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69efc3a63f5aa5107bb41dbf",
      "name": "[clone-Jeffrey Reimer DPT Tsara Brashears Court Records | ]by scoreblue",
      "description": "",
      "modified": "2026-04-27T23:20:58.970000",
      "created": "2026-04-27T20:14:30.720000",
      "tags": [
        "reimer-jeffrey-v-brashears-tsara",
        "2017cv030026  suppressed",
        "case 2017cv030026  suppressed",
        "docket",
        "legal case",
        "legal",
        "litigation",
        "court cases",
        "state court docket",
        "robert r",
        "lung",
        "county",
        "case",
        "money",
        "ben l",
        "leutwyler iii",
        "reimer",
        "brashears",
        "douglas county",
        "tips",
        "district",
        "date",
        "judge",
        "shane",
        "bank",
        "contact",
        "service",
        "brashears accepts",
        "jeffrey scott",
        "reimer dpt",
        "reimer paid",
        "sa victim",
        "settlement",
        "reimer-jeffrey-paid-tsara-brahears-settlement",
        "reimer-jeffrey-claim-dismissed",
        "brashears-tsara-claims-upheld",
        "reverse dns",
        "general full",
        "protocol h2",
        "security tls",
        "resource",
        "united",
        "hash",
        "name value",
        "security",
        "main",
        "facebook",
        "brashears-tsara-v-reimer-jeffrey",
        "so false",
        "as134548 dxtl",
        "kwan o",
        "hong kong",
        "passive dns",
        "scan endpoints",
        "all scoreblue",
        "ipv4",
        "export graph",
        "historical ssl",
        "referrer",
        "gameprofitshack",
        "webstudio",
        "smartdata",
        "alloymedia",
        "industries",
        "theakkas",
        "korplug",
        "default",
        "module load",
        "t1129",
        "show",
        "search",
        "regbinary",
        "malware beacon",
        "upatre",
        "suspicious",
        "trojan",
        "copy",
        "dock",
        "downloader",
        "loader",
        "write",
        "malware",
        "av detections",
        "ids detections",
        "yara detections",
        "alerts",
        "related pulses",
        "dashboard",
        "browse scan",
        "endpoints all",
        "showing",
        "p2p zeus",
        "september",
        "popper",
        "cookies",
        "x function",
        "hsp boolean",
        "oribili boolean",
        "hstcran",
        "hsusertoken",
        "domainpath name",
        "ns nxdomain",
        "parked",
        "tsara won",
        "brashears prevails",
        "reimer dismissal",
        "dangerous data collection",
        "get device",
        "parked uri"
      ],
      "references": [
        "Scam Aggregators: https://trellis.law/case/8035/2017cv030026-suppressed/reimer-jeffrey-v-brashears-tsara [parked here: ctjsz.com]",
        "http://www.qq664.com/seximanhua/22128.html [looks legit to me]",
        "sex2e.com  | http://qq664.com/seximanhua/22128.html [trellis.law]",
        "https://prnbae.com/191693/at-37-ellie-discovers-the-unique-sensations-of-double-vaginal-sex/ [trellis.law]",
        "http://www.philippinesredcat.com/girls-for-sex-in-manila/ [trellis.law]",
        "http://us.1.powerfront.com/thehealthylivingshow/scripts/redir.asp?link=https://www.sexbestgals.info/cougar-porn/ [trellis.law]",
        "https://help.competitionsuite.com/article/76-using-the-judge-app-tablets",
        "https://www.paidhmars.com/",
        "https://urlscan.io/result/e4ed8a1d-1b23-46cd-a237-a2ad4e974fc3/content/",
        "False: This case was filed in Douglas County Superior Courts with Jeffrey K Holmes presiding. | Who is he?",
        "False: Never served. Had several PI's and background checks",
        "Jeffrey Scott Reimer DPT was allegedly arrested 02/14/2022 |  Very unreliable self proclaimed PI's (multiple)",
        "Brian Sabey begged victim to accept tiny settlement. Contingency, 'Brashears may use  settlement to find hacker.'",
        "Judge Shay Whittaker dismissed Reimers 'malicious' prosecution claom",
        "Reimers case V Brashears in 2017 after Denver Police Major Crimes located Reimer",
        "Brashears documented on corr record she wanted to proceed with case",
        "Brian Sabey Speaking for Jeffrey Scott Reimer DPT refused further court proceedings",
        "Brian Sabey offered Brashears a settlement. Begged her to accept it.",
        "Case: Defamation of character based on truthful reviews left on HealthGrades.",
        "A series of reviews detailing Jeffrey Reimer DPT egregious behavior proved not left by Brashears except 2 with comments -4",
        "Brashears Review: 'He would benefit from more training' [Very considerate considering the complimentary spinal cord injuries 'plural']",
        "Health Grades erased 20+ positive reviews that originated from Reimers email address.",
        "Most of not all  positive Jeffrey Reimer DPT reviews are false.  Reimer wasn't practicing when 'amazing' trat,ent alleged",
        "Brian Sabey. Esq filed motion to dismiss after judge dismissed Reimers meritlesscase",
        "Brian Sabey would  be most foolish after it was determined Brashears was 100% disabled. This was cause by Jeffrey Scott Reimer DPT",
        "Brashears would gladly go to court as stated in court documents to then judge who wished to be briefed by Brashears. Thwarted by Sabey.",
        "Brian Sabey wanted to appear to win. Sandy demanded Brashears remove every patients negative review about Jeffrey Reimer DPT",
        "Brian Sabey had cashiers check delivered to Brashears in person.",
        "Victim is willing to have her attorney post entire court proceedings online , on YouTube and more",
        "There is NO other physical therapist with as many reviews as Jeffrey Reimer DPT, even non offenders. Reimers clientele is largely non-english speaking.",
        "Reimer often criticized non English speakers, large women and short Hispanic men according to witness.",
        "He also spoke frequently about Brashears infamously 'real' large bosom and figure. He decided to touch, grab, grope, assault,injure, beg for more",
        "Jeffrey Scott Reimer PT , DPT. assaulters defense: 'I had to be of the top/front of Brashears, She consented!'",
        "False: Brashears didn't expect this coming. Jeffrey Reimer DPT suddenly jumped on top of Brashears and tried to start a family. He didn't ask.",
        "Unless tampered with, court records will show Brashears dropped as a patient to be told she'd face legal consequences if she did.",
        "Survivor was told an investigation would begin, she'd be safe among other careless things her MD advised",
        "Brashears would LOVE for the true court proceedings to be read. She feels they were hacked away. DougCo was unable to 'print' records 'glitch'",
        "Did I mention she prevailed, won, got a check? Tsara Lynn Brashears survivor; won her counter claim. Weak Reimer claim burned like a dying moth.",
        "Trellis: 3.223.115.185 In cloud provider range: provider=AWS\t  IPv4 34.240.160.162 In cloud provider range: provider=AWS",
        "Trellis: http://blockpage.bt.com/pcstaticpage/blocked.html?list=BT |  https://search.app.goo.gl/?ofl",
        "Trellis: www.youtube.com/watch?v=GyuMozsVyYs \t\u00bb Survivors video references assault. Does not name or depict Reimers likeness.",
        "Trellis: Hostname blockpage.bt.com | hdredirect-lb7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | itunes.apple.com | search.app.goo.gl  | www.youtube.com",
        "Trellis: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
        "IDS Detections: Downloader (P2P Zeus dropper UA) Common Upatre Header Structure 2 Upatre Retrieving encoded payload (Common Header Struct)",
        "IDS Detections: Suspicious User-Agent containing Loader Observed TLS Handshake Failure",
        "Trellis: High Priority Alerts: network_icmp modifies_proxy_wpad packer_polymorphic",
        "Trellis:TrojanDownloader:Win32/Upatre.A  | Yara Detections Upack_all_versions",
        "Trellis: secure04-appleid.com | http://secure04-appleid.com | cpcalendars.secure04-appleid.com"
      ],
      "public": 1,
      "adversary": "Parking Crew",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/Zbot.SIBG3!MTB",
          "display_name": "Trojan:Win32/Zbot.SIBG3!MTB",
          "target": "/malware/Trojan:Win32/Zbot.SIBG3!MTB"
        },
        {
          "id": "TrojanDownloader:Win32/Upatre.A",
          "display_name": "TrojanDownloader:Win32/Upatre.A",
          "target": "/malware/TrojanDownloader:Win32/Upatre.A"
        },
        {
          "id": "P2P ZeuS - S0016",
          "display_name": "P2P ZeuS - S0016",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1598",
          "name": "Phishing for Information",
          "display_name": "T1598 - Phishing for Information"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1023",
          "name": "Shortcut Modification",
          "display_name": "T1023 - Shortcut Modification"
        },
        {
          "id": "T1399",
          "name": "Modify Trusted Execution Environment",
          "display_name": "T1399 - Modify Trusted Execution Environment"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        }
      ],
      "industries": [
        "Research",
        "Telecommunications",
        "Technology",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "66d490668683aec2631cfa20",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 269,
        "FileHash-SHA1": 266,
        "FileHash-SHA256": 981,
        "domain": 480,
        "hostname": 684,
        "email": 1,
        "URL": 2102
      },
      "indicator_count": 4783,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 65,
      "modified_text": "34 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bf64e1d5e06aa6207f78de",
      "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
      "description": "",
      "modified": "2026-03-27T00:30:39.055000",
      "created": "2026-03-22T03:41:21.863000",
      "tags": [
        "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
        "9698f46495ce9401c8bcaf9a2afe1598",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
        "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
        "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
        "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
      ],
      "references": [
        "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
        "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
        "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
        "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
        "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
        "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
        "Verification failure observed in automated verification handlers during sandbox replay.",
        "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
        "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
        "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
        "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
        "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
        "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
        "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
        "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
        "",
        "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "China",
        "United States of America",
        "Spain",
        "Japan",
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
      ],
      "TLP": "green",
      "cloned_from": "698e93e1ab02db8c49e8c3ed",
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 27572,
        "FileHash-SHA256": 46076,
        "FileHash-MD5": 42177,
        "FileHash-SHA1": 22874,
        "hostname": 33438,
        "URL": 74810,
        "SSLCertFingerprint": 21,
        "CVE": 7579,
        "email": 297,
        "FileHash-IMPHASH": 8,
        "CIDR": 26203,
        "JA3": 1
      },
      "indicator_count": 281056,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 149,
      "modified_text": "66 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bf64eccb5d39a90a3c391e",
      "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
      "description": "",
      "modified": "2026-03-27T00:30:39.055000",
      "created": "2026-03-22T03:41:32.565000",
      "tags": [
        "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
        "9698f46495ce9401c8bcaf9a2afe1598",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
        "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
        "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
        "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
      ],
      "references": [
        "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
        "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
        "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
        "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
        "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
        "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
        "Verification failure observed in automated verification handlers during sandbox replay.",
        "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
        "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
        "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
        "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
        "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
        "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
        "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
        "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
        "",
        "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "China",
        "United States of America",
        "Spain",
        "Japan",
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
      ],
      "TLP": "green",
      "cloned_from": "698e93e1ab02db8c49e8c3ed",
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 27572,
        "FileHash-SHA256": 46076,
        "FileHash-MD5": 42177,
        "FileHash-SHA1": 22874,
        "hostname": 33438,
        "URL": 74810,
        "SSLCertFingerprint": 21,
        "CVE": 7579,
        "email": 297,
        "FileHash-IMPHASH": 8,
        "CIDR": 26203,
        "JA3": 1
      },
      "indicator_count": 281056,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 152,
      "modified_text": "66 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66d490668683aec2631cfa20",
      "name": "Jeffrey Reimer DPT Tsara Brashears Court Records | Trellis.Law",
      "description": "Phishing expedition: Malicious bait. Threat actor/s attempting to hack whoever can see and clicks on link. The URl is parked, is malicious, attempts infiltrate device.",
      "modified": "2024-11-05T00:02:43.336000",
      "created": "2024-09-01T16:03:50.411000",
      "tags": [
        "reimer-jeffrey-v-brashears-tsara",
        "2017cv030026  suppressed",
        "case 2017cv030026  suppressed",
        "docket",
        "legal case",
        "legal",
        "litigation",
        "court cases",
        "state court docket",
        "robert r",
        "lung",
        "county",
        "case",
        "money",
        "ben l",
        "leutwyler iii",
        "reimer",
        "brashears",
        "douglas county",
        "tips",
        "district",
        "date",
        "judge",
        "shane",
        "bank",
        "contact",
        "service",
        "brashears accepts",
        "jeffrey scott",
        "reimer dpt",
        "reimer paid",
        "sa victim",
        "settlement",
        "reimer-jeffrey-paid-tsara-brahears-settlement",
        "reimer-jeffrey-claim-dismissed",
        "brashears-tsara-claims-upheld",
        "reverse dns",
        "general full",
        "protocol h2",
        "security tls",
        "resource",
        "united",
        "hash",
        "name value",
        "security",
        "main",
        "facebook",
        "brashears-tsara-v-reimer-jeffrey",
        "so false",
        "as134548 dxtl",
        "kwan o",
        "hong kong",
        "passive dns",
        "scan endpoints",
        "all scoreblue",
        "ipv4",
        "export graph",
        "historical ssl",
        "referrer",
        "gameprofitshack",
        "webstudio",
        "smartdata",
        "alloymedia",
        "industries",
        "theakkas",
        "korplug",
        "default",
        "module load",
        "t1129",
        "show",
        "search",
        "regbinary",
        "malware beacon",
        "upatre",
        "suspicious",
        "trojan",
        "copy",
        "dock",
        "downloader",
        "loader",
        "write",
        "malware",
        "av detections",
        "ids detections",
        "yara detections",
        "alerts",
        "related pulses",
        "dashboard",
        "browse scan",
        "endpoints all",
        "showing",
        "p2p zeus",
        "september",
        "popper",
        "cookies",
        "x function",
        "hsp boolean",
        "oribili boolean",
        "hstcran",
        "hsusertoken",
        "domainpath name",
        "ns nxdomain",
        "parked",
        "tsara won",
        "brashears prevails",
        "reimer dismissal",
        "dangerous data collection",
        "get device",
        "parked uri"
      ],
      "references": [
        "Scam Aggregators: https://trellis.law/case/8035/2017cv030026-suppressed/reimer-jeffrey-v-brashears-tsara [parked here: ctjsz.com]",
        "http://www.qq664.com/seximanhua/22128.html [looks legit to me]",
        "sex2e.com  | http://qq664.com/seximanhua/22128.html [trellis.law]",
        "https://prnbae.com/191693/at-37-ellie-discovers-the-unique-sensations-of-double-vaginal-sex/ [trellis.law]",
        "http://www.philippinesredcat.com/girls-for-sex-in-manila/ [trellis.law]",
        "http://us.1.powerfront.com/thehealthylivingshow/scripts/redir.asp?link=https://www.sexbestgals.info/cougar-porn/ [trellis.law]",
        "https://help.competitionsuite.com/article/76-using-the-judge-app-tablets",
        "https://www.paidhmars.com/",
        "https://urlscan.io/result/e4ed8a1d-1b23-46cd-a237-a2ad4e974fc3/content/",
        "False: This case was filed in Douglas County Superior Courts with Jeffrey K Holmes presiding. | Who is he?",
        "False: Never served. Had several PI's and background checks",
        "Jeffrey Scott Reimer DPT was allegedly arrested 02/14/2022 |  Very unreliable self proclaimed PI's (multiple)",
        "Brian Sabey begged victim to accept tiny settlement. Contingency, 'Brashears may use  settlement to find hacker.'",
        "Judge Shay Whittaker dismissed Reimers 'malicious' prosecution claim",
        "Reimers case V Brashears in 2017 after Denver Police Major Crimes located Reimer",
        "Brashears documented on corr record she wanted to proceed with case",
        "Brian Sabey Speaking for Jeffrey Scott Reimer DPT refused further court proceedings",
        "Brian Sabey offered Brashears a settlement. Begged her to accept it.",
        "Case: Defamation of character based on truthful reviews left on HealthGrades.",
        "A series of reviews detailing Jeffrey Reimer DPT egregious behavior proved not left by Brashears except 2 with comments -4",
        "Brashears Review: 'He would benefit from more training' [Very considerate considering the complimentary spinal cord injuries 'plural']",
        "Health Grades erased 20+ positive reviews that originated from Reimers email address.",
        "Most if not all positive Jeffrey Reimer DPT reviews are false. Reimer wasn't practicing when 'amazing' treatment alleged",
        "Brian Sabey. Esq filed motion to dismiss after judge dismissed Reimers meritless case",
        "Brian Sabey would  be most foolish after it was determined Brashears was 100% disabled. This was cause by Jeffrey Scott Reimer DPT",
        "Brashears would gladly go to court as stated in court documents to then judge who wished to be briefed by Brashears. Thwarted by Sabey.",
        "Brian Sabey wanted to appear to win. Sandy demanded Brashears remove every patients negative review about Jeffrey Reimer DPT",
        "Brian Sabey had cashiers check delivered to Brashears in person.",
        "Victim is willing to have her attorney post entire court proceedings online , on YouTube and more",
        "There is NO other physical therapist with as many reviews as Jeffrey Reimer DPT, even non offenders. Reimers clientele is largely non-english speaking.",
        "Reimer often criticized non English speakers, large women and short Hispanic men according to witness.",
        "He also spoke frequently about Brashears infamously 'real' large bosom and figure. He decided to touch, grab, grope, assault, injure, beg for more",
        "Jeffrey Scott Reimer PT , DPT. assaulters defense: 'I had to be of the top/front of Brashears, She consented!'",
        "False: Brashears didn't expect this coming. Jeffrey Reimer DPT suddenly jumped on top of Brashears and tried to start a family. He didn't ask.",
        "Unless tampered with, court records will show Brashears dropped as a patient to be told she'd face legal consequences if she did.",
        "Survivor was told an investigation would begin, she'd be safe among other careless things her MD advised",
        "Brashears would LOVE for the true court proceedings to be read. She feels they were hacked away. DougCo was unable to 'print' records 'glitch'",
        "Did I mention she prevailed, won, got a check? Tsara Lynn Brashears survivor; won her counter claim. Weak Reimer claim burned like a dying moth.",
        "Trellis: 3.223.115.185 In cloud provider range: provider=AWS\t  IPv4 34.240.160.162 In cloud provider range: provider=AWS",
        "Trellis: http://blockpage.bt.com/pcstaticpage/blocked.html?list=BT |  https://search.app.goo.gl/?ofl",
        "Trellis: www.youtube.com/watch?v=GyuMozsVyYs \t\u00bb Survivors video references assault. Does not name or depict Reimers likeness.",
        "Trellis: Hostname blockpage.bt.com | hdredirect-lb7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | itunes.apple.com | search.app.goo.gl  | www.youtube.com",
        "Trellis: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
        "IDS Detections: Downloader (P2P Zeus dropper UA) Common Upatre Header Structure 2 Upatre Retrieving encoded payload (Common Header Struct)",
        "IDS Detections: Suspicious User-Agent containing Loader Observed TLS Handshake Failure",
        "Trellis: High Priority Alerts: network_icmp modifies_proxy_wpad packer_polymorphic",
        "Trellis:TrojanDownloader:Win32/Upatre.A  | Yara Detections Upack_all_versions",
        "Trellis: secure04-appleid.com | http://secure04-appleid.com | cpcalendars.secure04-appleid.com"
      ],
      "public": 1,
      "adversary": "Parking Crew",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/Zbot.SIBG3!MTB",
          "display_name": "Trojan:Win32/Zbot.SIBG3!MTB",
          "target": "/malware/Trojan:Win32/Zbot.SIBG3!MTB"
        },
        {
          "id": "TrojanDownloader:Win32/Upatre.A",
          "display_name": "TrojanDownloader:Win32/Upatre.A",
          "target": "/malware/TrojanDownloader:Win32/Upatre.A"
        },
        {
          "id": "P2P ZeuS - S0016",
          "display_name": "P2P ZeuS - S0016",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1598",
          "name": "Phishing for Information",
          "display_name": "T1598 - Phishing for Information"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1023",
          "name": "Shortcut Modification",
          "display_name": "T1023 - Shortcut Modification"
        },
        {
          "id": "T1399",
          "name": "Modify Trusted Execution Environment",
          "display_name": "T1399 - Modify Trusted Execution Environment"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        }
      ],
      "industries": [
        "Research",
        "Telecommunications",
        "Technology",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 269,
        "FileHash-SHA1": 266,
        "FileHash-SHA256": 981,
        "domain": 480,
        "hostname": 684,
        "email": 1,
        "URL": 2102
      },
      "indicator_count": 4783,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 227,
      "modified_text": "573 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65975575264e6fd3bc055201",
      "name": "Accredited IANA Registrars",
      "description": "",
      "modified": "2024-01-05T01:03:49.531000",
      "created": "2024-01-05T01:03:49.531000",
      "tags": [],
      "references": [
        "https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 431,
        "domain": 19,
        "hostname": 410
      },
      "indicator_count": 860,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 184,
      "modified_text": "878 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://rdap.fabulous.com/rdap/",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://rdap.fabulous.com/rdap/",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780347456.99011
}