{
"type": "URL",
"indicator": "https://response.oracle-mail.com/",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://response.oracle-mail.com/",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4084144057,
"indicator": "https://response.oracle-mail.com/",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 3,
"pulses": [
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "686adf91f725a8b7f9850192",
"name": "Dystopian Life & Death of an American Crime Victim | Boldy predicted how she will die",
"description": "Palantir - a data analytics company, known as a military intelligence tool. co-founded by billionaire investor , Trump supporter and Republican mega donor Musk aligned; Peter Thiel, as per New York. \n\nFounded in 2003, known for its data analytics platforms - Palantir Gotham & Palantir Foundry are used by government & private sectors for various applications, including defense & healthcare. The company faces criticism for its role in government surveillance & data privacy concerns.\nPalantir can be linked to malicious, malware packed , compromised malvertisements about victim allegedly SA\u2019d by her physical therapist Jeffrey Scott Reimer DPT. Apparently target was paid a small settlement via lengthy phone battle by a man representing himself as Brian Sabey ,Esq of Hall Render. \n Palantir, admittedly designs cyber weapon that \u2018kills people\u2019. Are governments abusing to terrorize, silence & even harm/kill American citizens. Is this an elaborate hoax?\nTeam 8 \n#rip #plantantir #Hosanna #dystopian #targeted",
"modified": "2025-08-05T15:03:36.451000",
"created": "2025-07-06T20:41:53.748000",
"tags": [
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"url http",
"showing",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"ipv4",
"filehashmd5",
"filehashsha1",
"filehashsha256",
"indicators show",
"search",
"reputation",
"et att",
"ck id",
"t1060",
"run keys",
"startup",
"folder",
"scan",
"iocs",
"learn more",
"hostname",
"types of",
"pagehrsappjbpst",
"actionu",
"focusapplicant",
"siteid1",
"postingseq1",
"t1036",
"t1043",
"port",
"t1085",
"rundll32",
"t1114",
"t1179",
"fbi flash",
"cu000163mw",
"compromise",
"found",
"uunet",
"code",
"reverse domain",
"lookup",
"ragnar",
"locker",
"ragnar locker",
"cidr",
"pulses",
"types",
"windows",
"linux",
"united",
"trojandropper",
"mtb jun",
"trojan",
"win32upatre aug",
"mtb may",
"gmt server",
"ecacc",
"files",
"suspicious",
"body",
"data upload",
"extraction",
"cve cve20170147",
"cve cve20178570",
"cve cve20178977",
"url feb",
"pulses hostname",
"a1sticas",
"next associated",
"present mar",
"present jun",
"present may",
"france",
"date",
"ip address",
"present apr",
"virtool",
"name servers",
"value emails",
"name john",
"shipton",
"dynadot privacy",
"po box",
"city san",
"mateo country",
"us creation",
"news videos",
"maps assist",
"search settings",
"safe search",
"date more",
"images bae",
"systems defense",
"bae systems",
"london",
"britain",
"akamai rank",
"script urls",
"status",
"a domains",
"accept encoding",
"unknown ns",
"meta",
"encrypt",
"https",
"report spam",
"created",
"year ago",
"modified",
"octoseek public",
"cyber attack",
"pegasus",
"westlaw",
"hallrender",
"front",
"sabey",
"enter s",
"include review",
"exclude sugges",
"failed",
"sc type",
"extr included",
"manually add",
"puls",
"excludedocs",
"sugges data",
"phishing",
"apple pegasus",
"detections",
"references",
"stranger things",
"http",
"yara",
"upx alerts",
"fort collins",
"help4u",
"communications",
"orgtechhandle",
"domain",
"no entries",
"cchk asnas26658",
"vj92",
"search filter",
"time sabey",
"x show",
"indicator type",
"email",
"filehashimphash",
"filehashpehash",
"backdoor",
"ransom",
"checkin",
"alphacrypt cnc",
"beacon",
"jeffrey scott",
"terse http",
"possible",
"accept",
"xorddos",
"ck ids",
"t1512",
"camera",
"t1071",
"protocol",
"ta0001",
"access",
"ta0002",
"ta0003",
"ta0004",
"cookie",
"show",
"ally",
"melika",
"part1",
"trojanclicker",
"bayrob",
"android",
"ransomware",
"sakula rat",
"t1125",
"video capture",
"t1566",
"t1068",
"t1190",
"application",
"t1472",
"t1457",
"media content",
"social media",
"doppelgnging",
"t1080",
"shared content",
"t1449",
"exploit ss7",
"phone callssms",
"enter sc",
"type",
"no expiration",
"expiration",
"months ago",
"expiration http",
"reimer dpt",
"r role",
"sa victim",
"daisy coleman",
"source",
"weeks ago",
"tbmvid",
"sourcelnms",
"zx1724209326040",
"ahtrnaah typ",
"url url",
"url domain",
"pulse sthow",
"ah types",
"ind indicator",
"data uptoad",
"extrachttp",
"dulce sphown",
"aho data",
"typ url",
"url dom",
"hos hostname",
"hos host",
"dom dom"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1085",
"name": "Rundll32",
"display_name": "T1085 - Rundll32"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1506",
"name": "Web Session Cookie",
"display_name": "T1506 - Web Session Cookie"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 31,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8149,
"domain": 1067,
"hostname": 2103,
"FileHash-SHA256": 1617,
"URI": 1,
"FilePath": 1,
"FileHash-MD5": 412,
"FileHash-SHA1": 368,
"CIDR": 4,
"CVE": 6,
"email": 10
},
"indicator_count": 13738,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "298 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "686c676bcc053e0fc51f01b2",
"name": "ALL T8 research led to Firm_IP\u2019s = BoFa , WikiLeaks, United Healthcare, HCA, T-Mobile, Dish , AT&T, Apple,+ Breaches despite other speculations with 0 relations",
"description": "",
"modified": "2025-08-05T15:03:36.451000",
"created": "2025-07-08T00:33:47.021000",
"tags": [
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"url http",
"showing",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"ipv4",
"filehashmd5",
"filehashsha1",
"filehashsha256",
"indicators show",
"search",
"reputation",
"et att",
"ck id",
"t1060",
"run keys",
"startup",
"folder",
"scan",
"iocs",
"learn more",
"hostname",
"types of",
"pagehrsappjbpst",
"actionu",
"focusapplicant",
"siteid1",
"postingseq1",
"t1036",
"t1043",
"port",
"t1085",
"rundll32",
"t1114",
"t1179",
"fbi flash",
"cu000163mw",
"compromise",
"found",
"uunet",
"code",
"reverse domain",
"lookup",
"ragnar",
"locker",
"ragnar locker",
"cidr",
"pulses",
"types",
"windows",
"linux",
"united",
"trojandropper",
"mtb jun",
"trojan",
"win32upatre aug",
"mtb may",
"gmt server",
"ecacc",
"files",
"suspicious",
"body",
"data upload",
"extraction",
"cve cve20170147",
"cve cve20178570",
"cve cve20178977",
"url feb",
"pulses hostname",
"a1sticas",
"next associated",
"present mar",
"present jun",
"present may",
"france",
"date",
"ip address",
"present apr",
"virtool",
"name servers",
"value emails",
"name john",
"shipton",
"dynadot privacy",
"po box",
"city san",
"mateo country",
"us creation",
"news videos",
"maps assist",
"search settings",
"safe search",
"date more",
"images bae",
"systems defense",
"bae systems",
"london",
"britain",
"akamai rank",
"script urls",
"status",
"a domains",
"accept encoding",
"unknown ns",
"meta",
"encrypt",
"https",
"report spam",
"created",
"year ago",
"modified",
"octoseek public",
"cyber attack",
"pegasus",
"westlaw",
"hallrender",
"front",
"sabey",
"enter s",
"include review",
"exclude sugges",
"failed",
"sc type",
"extr included",
"manually add",
"puls",
"excludedocs",
"sugges data",
"phishing",
"apple pegasus",
"detections",
"references",
"stranger things",
"http",
"yara",
"upx alerts",
"fort collins",
"help4u",
"communications",
"orgtechhandle",
"domain",
"no entries",
"cchk asnas26658",
"vj92",
"search filter",
"time sabey",
"x show",
"indicator type",
"email",
"filehashimphash",
"filehashpehash",
"backdoor",
"ransom",
"checkin",
"alphacrypt cnc",
"beacon",
"jeffrey scott",
"terse http",
"possible",
"accept",
"xorddos",
"ck ids",
"t1512",
"camera",
"t1071",
"protocol",
"ta0001",
"access",
"ta0002",
"ta0003",
"ta0004",
"cookie",
"show",
"ally",
"melika",
"part1",
"trojanclicker",
"bayrob",
"android",
"ransomware",
"sakula rat",
"t1125",
"video capture",
"t1566",
"t1068",
"t1190",
"application",
"t1472",
"t1457",
"media content",
"social media",
"doppelgnging",
"t1080",
"shared content",
"t1449",
"exploit ss7",
"phone callssms",
"enter sc",
"type",
"no expiration",
"expiration",
"months ago",
"expiration http",
"reimer dpt",
"r role",
"sa victim",
"daisy coleman",
"source",
"weeks ago",
"tbmvid",
"sourcelnms",
"zx1724209326040",
"ahtrnaah typ",
"url url",
"url domain",
"pulse sthow",
"ah types",
"ind indicator",
"data uptoad",
"extrachttp",
"dulce sphown",
"aho data",
"typ url",
"url dom",
"hos hostname",
"hos host",
"dom dom"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1085",
"name": "Rundll32",
"display_name": "T1085 - Rundll32"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1506",
"name": "Web Session Cookie",
"display_name": "T1506 - Web Session Cookie"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "686adf91f725a8b7f9850192",
"export_count": 56,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8149,
"domain": 1067,
"hostname": 2103,
"FileHash-SHA256": 1617,
"URI": 1,
"FilePath": 1,
"FileHash-MD5": 412,
"FileHash-SHA1": 368,
"CIDR": 4,
"CVE": 6,
"email": 10
},
"indicator_count": 13738,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "298 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"div>
",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"I apologize for the lack of reference.",
"Requires further research.",
"Same legal , and quasi governmental pattern identified",
"https://l.us-1.a.mimecastprotect.com/l",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"It appears there are 5-7 known affected that I was able to find",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"#lowfi:lua:dllsuspiciousexport.a",
"Trojan:win32/smkldr.h!mtb",
"Mydoom",
"Icedid"
],
"industries": [
"Legal",
"Technology",
"Telecom"
],
"unique_indicators": 26430
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/oracle-mail.com",
"whois": "http://whois.domaintools.com/oracle-mail.com",
"domain": "oracle-mail.com",
"hostname": "response.oracle-mail.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 3,
"pulses": [
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "686adf91f725a8b7f9850192",
"name": "Dystopian Life & Death of an American Crime Victim | Boldy predicted how she will die",
"description": "Palantir - a data analytics company, known as a military intelligence tool. co-founded by billionaire investor , Trump supporter and Republican mega donor Musk aligned; Peter Thiel, as per New York. \n\nFounded in 2003, known for its data analytics platforms - Palantir Gotham & Palantir Foundry are used by government & private sectors for various applications, including defense & healthcare. The company faces criticism for its role in government surveillance & data privacy concerns.\nPalantir can be linked to malicious, malware packed , compromised malvertisements about victim allegedly SA\u2019d by her physical therapist Jeffrey Scott Reimer DPT. Apparently target was paid a small settlement via lengthy phone battle by a man representing himself as Brian Sabey ,Esq of Hall Render. \n Palantir, admittedly designs cyber weapon that \u2018kills people\u2019. Are governments abusing to terrorize, silence & even harm/kill American citizens. Is this an elaborate hoax?\nTeam 8 \n#rip #plantantir #Hosanna #dystopian #targeted",
"modified": "2025-08-05T15:03:36.451000",
"created": "2025-07-06T20:41:53.748000",
"tags": [
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"url http",
"showing",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"ipv4",
"filehashmd5",
"filehashsha1",
"filehashsha256",
"indicators show",
"search",
"reputation",
"et att",
"ck id",
"t1060",
"run keys",
"startup",
"folder",
"scan",
"iocs",
"learn more",
"hostname",
"types of",
"pagehrsappjbpst",
"actionu",
"focusapplicant",
"siteid1",
"postingseq1",
"t1036",
"t1043",
"port",
"t1085",
"rundll32",
"t1114",
"t1179",
"fbi flash",
"cu000163mw",
"compromise",
"found",
"uunet",
"code",
"reverse domain",
"lookup",
"ragnar",
"locker",
"ragnar locker",
"cidr",
"pulses",
"types",
"windows",
"linux",
"united",
"trojandropper",
"mtb jun",
"trojan",
"win32upatre aug",
"mtb may",
"gmt server",
"ecacc",
"files",
"suspicious",
"body",
"data upload",
"extraction",
"cve cve20170147",
"cve cve20178570",
"cve cve20178977",
"url feb",
"pulses hostname",
"a1sticas",
"next associated",
"present mar",
"present jun",
"present may",
"france",
"date",
"ip address",
"present apr",
"virtool",
"name servers",
"value emails",
"name john",
"shipton",
"dynadot privacy",
"po box",
"city san",
"mateo country",
"us creation",
"news videos",
"maps assist",
"search settings",
"safe search",
"date more",
"images bae",
"systems defense",
"bae systems",
"london",
"britain",
"akamai rank",
"script urls",
"status",
"a domains",
"accept encoding",
"unknown ns",
"meta",
"encrypt",
"https",
"report spam",
"created",
"year ago",
"modified",
"octoseek public",
"cyber attack",
"pegasus",
"westlaw",
"hallrender",
"front",
"sabey",
"enter s",
"include review",
"exclude sugges",
"failed",
"sc type",
"extr included",
"manually add",
"puls",
"excludedocs",
"sugges data",
"phishing",
"apple pegasus",
"detections",
"references",
"stranger things",
"http",
"yara",
"upx alerts",
"fort collins",
"help4u",
"communications",
"orgtechhandle",
"domain",
"no entries",
"cchk asnas26658",
"vj92",
"search filter",
"time sabey",
"x show",
"indicator type",
"email",
"filehashimphash",
"filehashpehash",
"backdoor",
"ransom",
"checkin",
"alphacrypt cnc",
"beacon",
"jeffrey scott",
"terse http",
"possible",
"accept",
"xorddos",
"ck ids",
"t1512",
"camera",
"t1071",
"protocol",
"ta0001",
"access",
"ta0002",
"ta0003",
"ta0004",
"cookie",
"show",
"ally",
"melika",
"part1",
"trojanclicker",
"bayrob",
"android",
"ransomware",
"sakula rat",
"t1125",
"video capture",
"t1566",
"t1068",
"t1190",
"application",
"t1472",
"t1457",
"media content",
"social media",
"doppelgnging",
"t1080",
"shared content",
"t1449",
"exploit ss7",
"phone callssms",
"enter sc",
"type",
"no expiration",
"expiration",
"months ago",
"expiration http",
"reimer dpt",
"r role",
"sa victim",
"daisy coleman",
"source",
"weeks ago",
"tbmvid",
"sourcelnms",
"zx1724209326040",
"ahtrnaah typ",
"url url",
"url domain",
"pulse sthow",
"ah types",
"ind indicator",
"data uptoad",
"extrachttp",
"dulce sphown",
"aho data",
"typ url",
"url dom",
"hos hostname",
"hos host",
"dom dom"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1085",
"name": "Rundll32",
"display_name": "T1085 - Rundll32"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1506",
"name": "Web Session Cookie",
"display_name": "T1506 - Web Session Cookie"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 31,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8149,
"domain": 1067,
"hostname": 2103,
"FileHash-SHA256": 1617,
"URI": 1,
"FilePath": 1,
"FileHash-MD5": 412,
"FileHash-SHA1": 368,
"CIDR": 4,
"CVE": 6,
"email": 10
},
"indicator_count": 13738,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "298 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "686c676bcc053e0fc51f01b2",
"name": "ALL T8 research led to Firm_IP\u2019s = BoFa , WikiLeaks, United Healthcare, HCA, T-Mobile, Dish , AT&T, Apple,+ Breaches despite other speculations with 0 relations",
"description": "",
"modified": "2025-08-05T15:03:36.451000",
"created": "2025-07-08T00:33:47.021000",
"tags": [
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"url http",
"showing",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"ipv4",
"filehashmd5",
"filehashsha1",
"filehashsha256",
"indicators show",
"search",
"reputation",
"et att",
"ck id",
"t1060",
"run keys",
"startup",
"folder",
"scan",
"iocs",
"learn more",
"hostname",
"types of",
"pagehrsappjbpst",
"actionu",
"focusapplicant",
"siteid1",
"postingseq1",
"t1036",
"t1043",
"port",
"t1085",
"rundll32",
"t1114",
"t1179",
"fbi flash",
"cu000163mw",
"compromise",
"found",
"uunet",
"code",
"reverse domain",
"lookup",
"ragnar",
"locker",
"ragnar locker",
"cidr",
"pulses",
"types",
"windows",
"linux",
"united",
"trojandropper",
"mtb jun",
"trojan",
"win32upatre aug",
"mtb may",
"gmt server",
"ecacc",
"files",
"suspicious",
"body",
"data upload",
"extraction",
"cve cve20170147",
"cve cve20178570",
"cve cve20178977",
"url feb",
"pulses hostname",
"a1sticas",
"next associated",
"present mar",
"present jun",
"present may",
"france",
"date",
"ip address",
"present apr",
"virtool",
"name servers",
"value emails",
"name john",
"shipton",
"dynadot privacy",
"po box",
"city san",
"mateo country",
"us creation",
"news videos",
"maps assist",
"search settings",
"safe search",
"date more",
"images bae",
"systems defense",
"bae systems",
"london",
"britain",
"akamai rank",
"script urls",
"status",
"a domains",
"accept encoding",
"unknown ns",
"meta",
"encrypt",
"https",
"report spam",
"created",
"year ago",
"modified",
"octoseek public",
"cyber attack",
"pegasus",
"westlaw",
"hallrender",
"front",
"sabey",
"enter s",
"include review",
"exclude sugges",
"failed",
"sc type",
"extr included",
"manually add",
"puls",
"excludedocs",
"sugges data",
"phishing",
"apple pegasus",
"detections",
"references",
"stranger things",
"http",
"yara",
"upx alerts",
"fort collins",
"help4u",
"communications",
"orgtechhandle",
"domain",
"no entries",
"cchk asnas26658",
"vj92",
"search filter",
"time sabey",
"x show",
"indicator type",
"email",
"filehashimphash",
"filehashpehash",
"backdoor",
"ransom",
"checkin",
"alphacrypt cnc",
"beacon",
"jeffrey scott",
"terse http",
"possible",
"accept",
"xorddos",
"ck ids",
"t1512",
"camera",
"t1071",
"protocol",
"ta0001",
"access",
"ta0002",
"ta0003",
"ta0004",
"cookie",
"show",
"ally",
"melika",
"part1",
"trojanclicker",
"bayrob",
"android",
"ransomware",
"sakula rat",
"t1125",
"video capture",
"t1566",
"t1068",
"t1190",
"application",
"t1472",
"t1457",
"media content",
"social media",
"doppelgnging",
"t1080",
"shared content",
"t1449",
"exploit ss7",
"phone callssms",
"enter sc",
"type",
"no expiration",
"expiration",
"months ago",
"expiration http",
"reimer dpt",
"r role",
"sa victim",
"daisy coleman",
"source",
"weeks ago",
"tbmvid",
"sourcelnms",
"zx1724209326040",
"ahtrnaah typ",
"url url",
"url domain",
"pulse sthow",
"ah types",
"ind indicator",
"data uptoad",
"extrachttp",
"dulce sphown",
"aho data",
"typ url",
"url dom",
"hos hostname",
"hos host",
"dom dom"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1085",
"name": "Rundll32",
"display_name": "T1085 - Rundll32"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1506",
"name": "Web Session Cookie",
"display_name": "T1506 - Web Session Cookie"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "686adf91f725a8b7f9850192",
"export_count": 56,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8149,
"domain": 1067,
"hostname": 2103,
"FileHash-SHA256": 1617,
"URI": 1,
"FilePath": 1,
"FileHash-MD5": 412,
"FileHash-SHA1": 368,
"CIDR": 4,
"CVE": 6,
"email": 10
},
"indicator_count": 13738,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "298 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://response.oracle-mail.com/",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://response.oracle-mail.com/",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780222628.7650304
}