{
"type": "URL",
"indicator": "https://s1.swell.am",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://s1.swell.am",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 2834191016,
"indicator": "https://s1.swell.am",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 8,
"pulses": [
{
"id": "69ded8198b25581a09b90824",
"name": "BearShare \u2022 Solarwinds? \u2022 SearchSuite \u2022 Healthcare Administration",
"description": "",
"modified": "2026-04-15T00:13:13.981000",
"created": "2026-04-15T00:13:13.981000",
"tags": [
"Win32/SearchSuite",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 installer",
"install system",
"compiler",
"NSIS",
"code signing",
"serial number",
"db d2",
"de d3",
"f3 e1",
"issuer thawte",
"primary root",
"ca valid",
"valid",
"valid usage",
"client auth",
"algorithm",
"rticon english",
"type type",
"chi2",
"ico rtgroupicon",
"english us",
"capa",
"c2 antianalysis",
"executable",
"sample appears",
"installer",
"installers well",
"results may",
"be misleading",
"or incomplete",
"analyze created",
"techniques",
"info modify",
"files",
"modify registry",
"directory permi",
"techniques none",
"info",
"scripting inte",
"shared modules",
"Bear Share",
"urls",
"ip address",
"asn as8075",
"united",
"flag united",
"name servers",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"dnssec",
"urlmailto",
"urlhttps",
"search",
"urlhttp",
"moved",
"title",
"encrypt",
"certificate",
"segoe ui",
"otx logo",
"url analysis",
"tokyo",
"msie",
"chrome",
"gmt content",
"all ipv4",
"zeppelin",
"trojandropper",
"cookie",
"backdoor",
"hash avast",
"avg clamav",
"msdefender feb",
"k oct",
"k may",
"mtb feb",
"mtb jan",
"k aug",
"windows nt",
"dynamicloader",
"unknown",
"medium",
"default",
"as16509",
"show",
"powershell",
"write",
"xserver",
"bearshar data",
"passive dns",
"pulse submit",
"port",
"destination",
"high",
"displayname",
"windows",
"win64",
"tofsee",
"stream",
"malware",
"push",
"next",
"asnone",
"germany as8560",
"russia as198610",
"strings",
"is__elf",
"systembc_linux_variant",
"khtml",
"gecko",
"acceptencoding",
"get na",
"macintosh",
"intel mac",
"accept",
"france as16276",
"yara detections",
"contacted",
"all filehash",
"sha256",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"tls sni",
"less see",
"all ip",
"Apple",
"xordata",
"United States"
],
"references": [
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"BearShare Install File Version 12.0.0.135802",
"Musiclab, LLC",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"africa.konnect.com",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"euw-serp-dev-testing19.duck.ai",
"account-apple.com",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Tofsee",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"ids-apple.com \u2022 itunes.org",
"xn--cloud-4sa.com",
"http://cab.applemarketingtools.com",
"http://console.applemarketingtools.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Spain",
"France",
"United Kingdom of Great Britain and Northern Ireland",
"Netherlands",
"Japan",
"Switzerland",
"Madagascar",
"Finland",
"Germany",
"Russian Federation"
],
"malware_families": [
{
"id": "Win32/SearchSuite",
"display_name": "Win32/SearchSuite",
"target": null
},
{
"id": "Win32.Application.BearShare.A",
"display_name": "Win32.Application.BearShare.A",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Government",
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": "69dab27a0493e0e80a0f35cd",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 138,
"FileHash-SHA1": 119,
"FileHash-SHA256": 3553,
"IPv4": 633,
"CVE": 2,
"URL": 6134,
"domain": 2439,
"hostname": 2271,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 15300,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "5 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69ddeb45c45f6a3cd721397d",
"name": "Active attacks \u2022 Apple \u2022 Tulach",
"description": "Including 360+ Apple\nIoC\u2019s from Malicious Tulac.cc + Virtual Servers Pulses. Ongoing history of malicious attacks, custom malware engineer, malicious media , account control. \n\nI was blocked from VirusToltal. It was Tulach Nextcloud posse. What I am doing now s legal. \n\nReferenced below. URL: \"https://accountapple.com/\" contacted related malicious domain: \"accountapple.com\"\nCONTACTED DOMAIN: \"sqllq.com\" has been identified as malicious",
"modified": "2026-04-14T07:22:45.250000",
"created": "2026-04-14T07:22:45.250000",
"tags": [
"url http",
"ipv4",
"indicator role",
"active related",
"united",
"moved",
"gmt content",
"certificate",
"all domain",
"msie",
"chrome",
"extraction",
"data upload",
"twitter",
"cookie",
"extra",
"include data",
"review locs",
"exclude",
"suggested os",
"onlv",
"failed",
"stop data",
"read c",
"unicode",
"rgba",
"memcommit",
"delete",
"dock",
"write",
"execution",
"sc type",
"extri",
"include review",
"exclude sugges",
"typ data",
"a domains",
"present apr",
"script urls",
"files",
"files ip",
"address",
"ios",
"mac",
"apple",
"appleid",
"itunes",
"next associated",
"all ipv4",
"included ic",
"uny teade",
"type hostnar",
"hostnar hostnar",
"hostnar",
"macair",
"macairaustralia",
"ipad",
"ipod",
"cryptexportkey",
"invalid pointer",
"cryptgenkey",
"stream",
"defender",
"delphi",
"class",
"stack",
"format",
"unknown",
"united states",
"phishing",
"password",
"traffic redirected",
"service mod",
"service execution",
"youtube",
"music",
"streams",
"songs",
"played songs",
"music streams",
"most played",
"fonelab",
"indicator",
"included iocs",
"manually add",
"review ocs",
"exclude inn",
"sugges data",
"find",
"include",
"url https",
"enter sc",
"type",
"no matchme",
"search otx",
"https",
"references x",
"analyze",
"open th",
"url data",
"se http",
"no match",
"excluded iocs",
"iocs",
"ip whitelisted",
"whitelisted",
"tcp include",
"analysis date",
"file score",
"medium risk",
"yara detections",
"contacted",
"related tags",
"x vercel",
"file type",
"type indicator",
"role title",
"related pulses",
"mulch virtua",
"library loade",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugt",
"samuel tulach",
"unity engine",
"tulach",
"sa awareness",
"sabey",
"sar cut",
"autofill",
"includer review",
"portiana oney",
"targeting",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"musickit_1_.js",
"lazarus",
"injection",
"CVE-2017-8570",
"prefetch2",
"target",
"aaaa",
"ip address",
"record value",
"emails",
"samuel tuachs",
"sapev",
"review exclude",
"monitored target",
"script",
"mitre att",
"ascii text",
"span",
"path",
"iframe",
"april",
"hybrid",
"general",
"local",
"click",
"strings",
"body",
"development att",
"t1055.012 list planting",
"active"
],
"references": [
"https://trade.kraken.com/charts/KRAKEN:APT-USD>+y",
"https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/",
"https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/",
"https://podcasts.apple.com/us/podcast/lazarus",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://help.aiseesoft.jp/blu-ray-player",
"http://help.aiseesoft.jp/fonelab/",
"https://action.aiseesoft.jp/itunes.php",
"http://help.aiseesoft.jp/total-video-converter",
"http://help.aiseesoft.jp/total-video-converter/",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/",
"http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch",
"http://test-firstmile.digitecgalaxus.ch",
"https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/",
"No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]",
"cdn.rss.applemarketingtools.com",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"1.bing.com.cn",
"www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net",
"www.phantomcameras.cn",
"https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"",
"podcasts.apple.com \u2022 23.34.32.21",
"www.apple.com \u2022 23.34.32.199",
"js-cdn.music.apple.com \u2022 23.78.51.170",
"http://firstmile.digitecgalaxus.ch",
"Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb",
"Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca",
"Tulach.cc",
"https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8",
"www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as",
"Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains",
"asp.net domain pointer",
"developer.x.com",
"aotx.alienvault.com (aotx.?)",
"https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh",
"https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1020.001",
"name": "Traffic Duplication",
"display_name": "T1020.001 - Traffic Duplication"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591.002",
"name": "Business Relationships",
"display_name": "T1591.002 - Business Relationships"
},
{
"id": "T1591.001",
"name": "Determine Physical Locations",
"display_name": "T1591.001 - Determine Physical Locations"
},
{
"id": "T1585.001",
"name": "Social Media Accounts",
"display_name": "T1585.001 - Social Media Accounts"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1055.012",
"name": "Process Hollowing",
"display_name": "T1055.012 - Process Hollowing"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1029,
"domain": 396,
"email": 7,
"URL": 2784,
"FileHash-SHA256": 898,
"FileHash-MD5": 79,
"FileHash-SHA1": 68,
"IPv4": 35,
"CVE": 1,
"SSLCertFingerprint": 13
},
"indicator_count": 5310,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "5 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69db05f833d3d6d2231fb201",
"name": "CREDIT: Q.Vashti's research: SearchSuite \u2022 Healthcare Administration CREATED 6 HOURS AGO by Q.Vashti",
"description": "",
"modified": "2026-04-12T02:39:52.993000",
"created": "2026-04-12T02:39:52.993000",
"tags": [
"Win32/SearchSuite",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 installer",
"install system",
"compiler",
"NSIS",
"code signing",
"serial number",
"db d2",
"de d3",
"f3 e1",
"issuer thawte",
"primary root",
"ca valid",
"valid",
"valid usage",
"client auth",
"algorithm",
"rticon english",
"type type",
"chi2",
"ico rtgroupicon",
"english us",
"capa",
"c2 antianalysis",
"executable",
"sample appears",
"installer",
"installers well",
"results may",
"be misleading",
"or incomplete",
"analyze created",
"techniques",
"info modify",
"files",
"modify registry",
"directory permi",
"techniques none",
"info",
"scripting inte",
"shared modules",
"Bear Share",
"urls",
"ip address",
"asn as8075",
"united",
"flag united",
"name servers",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"dnssec",
"urlmailto",
"urlhttps",
"search",
"urlhttp",
"moved",
"title",
"encrypt",
"certificate",
"segoe ui",
"otx logo",
"url analysis",
"tokyo",
"msie",
"chrome",
"gmt content",
"all ipv4",
"zeppelin",
"trojandropper",
"cookie",
"backdoor",
"hash avast",
"avg clamav",
"msdefender feb",
"k oct",
"k may",
"mtb feb",
"mtb jan",
"k aug",
"windows nt",
"dynamicloader",
"unknown",
"medium",
"default",
"as16509",
"show",
"powershell",
"write",
"xserver",
"bearshar data",
"passive dns",
"pulse submit",
"port",
"destination",
"high",
"displayname",
"windows",
"win64",
"tofsee",
"stream",
"malware",
"push",
"next",
"asnone",
"germany as8560",
"russia as198610",
"strings",
"is__elf",
"systembc_linux_variant",
"khtml",
"gecko",
"acceptencoding",
"get na",
"macintosh",
"intel mac",
"accept",
"france as16276",
"yara detections",
"contacted",
"all filehash",
"sha256",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"tls sni",
"less see",
"all ip",
"Apple",
"xordata",
"United States"
],
"references": [
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"BearShare Install File Version 12.0.0.135802",
"Musiclab, LLC",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"africa.konnect.com",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"euw-serp-dev-testing19.duck.ai",
"account-apple.com",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Tofsee",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"ids-apple.com \u2022 itunes.org",
"xn--cloud-4sa.com",
"http://cab.applemarketingtools.com",
"http://console.applemarketingtools.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Spain",
"France",
"United Kingdom of Great Britain and Northern Ireland",
"Netherlands",
"Japan",
"Switzerland",
"Madagascar",
"Finland",
"Germany",
"Russian Federation"
],
"malware_families": [
{
"id": "Win32/SearchSuite",
"display_name": "Win32/SearchSuite",
"target": null
},
{
"id": "Win32.Application.BearShare.A",
"display_name": "Win32.Application.BearShare.A",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Government",
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": "69dab27a0493e0e80a0f35cd",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 138,
"FileHash-SHA1": 119,
"FileHash-SHA256": 3553,
"IPv4": 633,
"CVE": 2,
"URL": 6134,
"domain": 2439,
"hostname": 2271,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 15300,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "8 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69dab27a0493e0e80a0f35cd",
"name": "SearchSuite \u2022 Healthcare Administration",
"description": "Embedded in communication between a healthcare system and a client. \n\nThis is just one of countless internal issues causing a gap in communication, malicious adware, spyware, system sweeps, injection, system modification, downloads , call failures.",
"modified": "2026-04-11T20:43:38.695000",
"created": "2026-04-11T20:43:38.695000",
"tags": [
"Win32/SearchSuite",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 installer",
"install system",
"compiler",
"NSIS",
"code signing",
"serial number",
"db d2",
"de d3",
"f3 e1",
"issuer thawte",
"primary root",
"ca valid",
"valid",
"valid usage",
"client auth",
"algorithm",
"rticon english",
"type type",
"chi2",
"ico rtgroupicon",
"english us",
"capa",
"c2 antianalysis",
"executable",
"sample appears",
"installer",
"installers well",
"results may",
"be misleading",
"or incomplete",
"analyze created",
"techniques",
"info modify",
"files",
"modify registry",
"directory permi",
"techniques none",
"info",
"scripting inte",
"shared modules",
"Bear Share",
"urls",
"ip address",
"asn as8075",
"united",
"flag united",
"name servers",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"dnssec",
"urlmailto",
"urlhttps",
"search",
"urlhttp",
"moved",
"title",
"encrypt",
"certificate",
"segoe ui",
"otx logo",
"url analysis",
"tokyo",
"msie",
"chrome",
"gmt content",
"all ipv4",
"zeppelin",
"trojandropper",
"cookie",
"backdoor",
"hash avast",
"avg clamav",
"msdefender feb",
"k oct",
"k may",
"mtb feb",
"mtb jan",
"k aug",
"windows nt",
"dynamicloader",
"unknown",
"medium",
"default",
"as16509",
"show",
"powershell",
"write",
"xserver",
"bearshar data",
"passive dns",
"pulse submit",
"port",
"destination",
"high",
"displayname",
"windows",
"win64",
"tofsee",
"stream",
"malware",
"push",
"next",
"asnone",
"germany as8560",
"russia as198610",
"strings",
"is__elf",
"systembc_linux_variant",
"khtml",
"gecko",
"acceptencoding",
"get na",
"macintosh",
"intel mac",
"accept",
"france as16276",
"yara detections",
"contacted",
"all filehash",
"sha256",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"tls sni",
"less see",
"all ip",
"Apple",
"xordata",
"United States"
],
"references": [
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"BearShare Install File Version 12.0.0.135802",
"Musiclab, LLC",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"africa.konnect.com",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"euw-serp-dev-testing19.duck.ai",
"account-apple.com",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Tofsee",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"ids-apple.com \u2022 itunes.org",
"xn--cloud-4sa.com",
"http://cab.applemarketingtools.com",
"http://console.applemarketingtools.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Spain",
"France",
"United Kingdom of Great Britain and Northern Ireland",
"Netherlands",
"Japan",
"Switzerland",
"Madagascar",
"Finland",
"Germany",
"Russian Federation"
],
"malware_families": [
{
"id": "Win32/SearchSuite",
"display_name": "Win32/SearchSuite",
"target": null
},
{
"id": "Win32.Application.BearShare.A",
"display_name": "Win32.Application.BearShare.A",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Government",
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 138,
"FileHash-SHA1": 119,
"FileHash-SHA256": 3553,
"IPv4": 633,
"CVE": 2,
"URL": 6134,
"domain": 2439,
"hostname": 2271,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 15300,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "8 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699c6ef61298b57cd7275728",
"name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s",
"description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.",
"modified": "2026-03-25T07:05:10.628000",
"created": "2026-02-23T15:15:02.857000",
"tags": [
"ipv4",
"http",
"passive dns",
"files domain",
"united",
"unknown ns",
"for privacy",
"ip address",
"domain",
"dynamicloader",
"antivirus",
"yara rule",
"fe ff",
"write c",
"msvisualcpp60",
"rsds",
"e8 c8",
"e8 a8",
"ff e1",
"unknown",
"worm",
"launch",
"write",
"explorer",
"february",
"push",
"service",
"files",
"reverse dns",
"america flag",
"america asn",
"url add",
"otx logo",
"all ipv4",
"searc",
"date checked",
"server response",
"results dec",
"unknown soa",
"present aug",
"present oct",
"present sep",
"present nov",
"moved",
"error",
"title",
"win32mydoom feb",
"aaaa",
"name servers",
"trojan",
"servers",
"virtool",
"united states",
"apple",
"crlf line",
"unicode text",
"utf8",
"ff d5",
"ascii text",
"ee fc",
"suspicious",
"music",
"malware",
"role title",
"ttl value",
".cc",
"d4 f5",
"msvisualcpp2002",
"msvisualcpp2005",
"apple support",
".ch",
"privaterelay",
"pattern match",
"ck id",
"mitre att",
"ck matrix",
"href",
"et info",
"general",
"local",
"path",
"click",
"learn",
"command",
"name tactics",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"present jun",
"backdoor",
"present may",
"status",
"ransom",
"high",
"medium",
"windows",
"tofsee",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"stream",
"delete",
"emotet",
"bot network",
"mitm",
"screenshot",
"mimecast"
],
"references": [
"http://apple.support.com/ht***** redirect",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"mac.store",
"https://icloud.ch/cn/ipod-touch/",
"https://icloud.ch/",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"Redirect: schemas.microsoft.com",
"apple.com(-inc.cc)",
"oas-japac-domains-applecomputer.cn",
"robert-aebi.appleid.com",
"smtp2.icl-privaterelay.appleid.com",
"http://audaxgroup.appleid.com/",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"iphonegermany.com",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"https://aspmx.l.google.com/",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"http://www.icloud-sms-alert.com/",
"monitoring.eurovision.net",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"monitor.kyos.ninja"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/IcedId.DI!MTB",
"display_name": "Trojan:Win32/IcedId.DI!MTB",
"target": "/malware/Trojan:Win32/IcedId.DI!MTB"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Worm:Win32/Bloored",
"display_name": "Worm:Win32/Bloored",
"target": "/malware/Worm:Win32/Bloored"
},
{
"id": "Win.Malware.Elenooka-6996044-0",
"display_name": "Win.Malware.Elenooka-6996044-0",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6031,
"hostname": 1971,
"domain": 1125,
"FileHash-SHA256": 1715,
"email": 18,
"FileHash-MD5": 317,
"FileHash-SHA1": 164
},
"indicator_count": 11341,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "26 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "694dc80ac6e7fd5474b316a1",
"name": "Malicious DDOS attacks targeting Brand New 2025 | Updated Apple Products affecting IRS payment portal",
"description": "Malicious actors continue to target certain users attempting to pay the IRS. Victim is redirected to : http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan after typing in IRS.gov (w/ secure header \u2018https\u2019 )\nOnce information is input it is payment is rejected, levy against bank accounts and assets and other threats. There is social engineering as one victim is communicating with someone allegedly from the IRS? \nAlthough malicious entities contacted , malicious behavior continues. Adversaries in the Middle attack. US hacker group. Denver, Iowa, Arizona, NY and abroad. \n\n*Targets: https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main |",
"modified": "2026-01-24T22:05:13.068000",
"created": "2025-12-25T23:26:02.712000",
"tags": [
"hash avast",
"avg clamav",
"msdefender feb",
"url http",
"url https",
"zipcode",
"active related",
"cage01195 dec",
"passports",
"ipv4",
"active",
"irs",
"apple",
"role title",
"indicator role",
"malware attacks",
"find encrypted",
"lumen",
"fastly",
"create c",
"read c",
"delete",
"write",
"default",
"medium",
"rgba",
"dock",
"execution",
"xport",
"united",
"passive dns",
"urls",
"expiration date",
"unknown ns",
"unknown aaaa",
"pulse pulses",
"merit",
"dod network",
"type indicator",
"related pulses",
"name",
"name servers",
"ffffff",
"ip address",
"emails",
"object",
"clsid6bf52a52",
"cookie",
"meta",
"united kingdom",
"germany",
"russia",
"search",
"added active",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"href",
"pattern match",
"ascii text",
"ck id",
"mitre att",
"ck matrix",
"t1071",
"general",
"local",
"path",
"iframe",
"click",
"beginstring",
"segoe ui",
"null",
"refresh",
"span",
"hybrid",
"strings",
"error",
"tools",
"title",
"look",
"verify",
"restart",
"data upload",
"extraction",
"failed",
"include data",
"entries",
"unicode",
"high",
"memcommit",
"next",
"flag",
"process details",
"path expiresthu",
"moved",
"gmt set",
"domain",
"httponly path",
"encrypt",
"leaseweb",
"iowa",
"title added",
"bad traffic",
"et info",
"tls handshake",
"failure",
"command decode",
"suricata stream",
"circle",
"f5f8fa",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"development att",
"suricata http",
"windows nt",
"date",
"ips initial",
"prefetch8",
"localappdata",
"prefetch1",
"programfiles",
"edge",
"access att",
"t1566 phishing",
"initial access",
"show process",
"show technique",
"process",
"t1057",
"contacted",
"ck techniques",
"evasion att",
"body",
"report spam",
"apple",
"ddos",
"irs created",
"hours ago",
"white",
"apple user",
"industries",
"government",
"finance",
"trojandropper",
"appleservice",
"mirai",
"trojan",
"next associated",
"fastly error",
"please",
"sea p",
"mozilla",
"accept",
"alerts",
"filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"analysis date",
"file score",
"medium risk",
"copy",
"richhash",
"finding notes",
"clamav malware",
"files matching",
"number",
"sample analysis",
"samples show",
"date hash",
"yara rule",
"msie",
"t1063",
"windows",
"malware",
"detected",
"https domain",
"tls sni",
"markus",
"smartassembly",
"win64",
"exif data",
"present dec",
"status",
"showing",
"show",
"icmp traffic",
"pdb path",
"crlf line",
"mutex",
"ms defender",
"mtb malware",
"hide samples",
"rootkit",
"apple webkit",
"macbook pro",
"apple ios"
],
"references": [
"sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022",
"132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center",
"154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc",
"165.206.254.134 \u2022 Description: CC=US ASN=AS6122",
"192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company",
"195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet",
"205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company",
"207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network",
"207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network",
"214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center",
"216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies",
"78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh",
"95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content",
"http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content",
"http://www.anyxxxtube.net/search-porn/ - Adult Content",
"https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content",
"http://sissy.com/default - Adult Content",
"https://eliyporasa - Adult Content",
"64.38.232.180 - Adult Content IP",
"www.anyxxxtube.net - Adult Content",
"www.anyxxxtube.net - Adult Content IP",
"http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content",
"http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP",
"jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP",
"https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP",
"http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP",
"http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP",
"http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP",
"httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022",
"http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org",
"asp.bet",
"apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net",
"https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c",
"https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main",
"http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com",
"jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com",
"https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e",
"Information gathered equals 2 pulses. Pulse (1) included",
"https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672",
"https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d",
"https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3",
"https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676",
"https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5",
"https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676",
"Follow up need. This is a serious financial crime following the victims.",
"Victims have lost financial assets, jobs, vehicles",
"Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado",
"After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "Win.Malware.Msilperseus-6989564-0",
"display_name": "Win.Malware.Msilperseus-6989564-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Win.Trojan.Ramnit-1847",
"display_name": "Win.Trojan.Ramnit-1847",
"target": null
},
{
"id": "Win.Trojan.Fenomengame-14",
"display_name": "Win.Trojan.Fenomengame-14",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "Pandex!gen1",
"display_name": "Pandex!gen1",
"target": null
},
{
"id": "Mirai Sim Swap",
"display_name": "Mirai Sim Swap",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Lumen IP",
"display_name": "Lumen IP",
"target": null
},
{
"id": "Unknown Malware \u2018Can't access file\u2019",
"display_name": "Unknown Malware \u2018Can't access file\u2019",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "Win.Trojan.Fenomengame-8",
"display_name": "Win.Trojan.Fenomengame-8",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/Adialer",
"display_name": "ALF:JASYP:Trojan:Win32/Adialer",
"target": null
},
{
"id": "TrojanDropper:Win32/Muldrop",
"display_name": "TrojanDropper:Win32/Muldrop",
"target": "/malware/TrojanDropper:Win32/Muldrop"
},
{
"id": "Appleservice",
"display_name": "Appleservice",
"target": null
},
{
"id": "ELF:DDoS-S\\ [Trj]",
"display_name": "ELF:DDoS-S\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Gafgyt-6981154-0",
"display_name": "Unix.Trojan.Gafgyt-6981154-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [
"Financial",
"Government",
"Technology",
"IRS"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 363,
"FileHash-SHA1": 360,
"FileHash-SHA256": 3009,
"URL": 3504,
"domain": 879,
"email": 15,
"hostname": 1487,
"SSLCertFingerprint": 3
},
"indicator_count": 9620,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "85 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "63f0d59458c28085290bf985",
"name": "http://time-osx.g.aaplimg.com/",
"description": "Hybrid ambigious",
"modified": "2023-03-20T13:02:37.822000",
"created": "2023-02-18T13:41:39.996000",
"tags": [
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"runtime data",
"ansi",
"unicode",
"programfiles",
"localappdata",
"hash seen",
"size",
"runtime process",
"sha256",
"prefetch8 ansi",
"date",
"hybrid",
"close",
"click",
"hosts",
"ransomware",
"february",
"general",
"strings",
"suspicious"
],
"references": [
"https://hybrid-analysis.com/sample/14eb31210220475b60801afeae9b6979ecaf76e9fce07f41f05cb4c2d63a3b70/63f0231ad6cbe30d2e28363e"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 190,
"hostname": 103,
"domain": 37,
"FileHash-SHA256": 96,
"email": 1,
"FileHash-MD5": 52,
"FileHash-SHA1": 52
},
"indicator_count": 531,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 91,
"modified_text": "1126 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network",
"http://www.icloud-sms-alert.com/",
"http://www.anyxxxtube.net/search-porn/ - Adult Content",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content",
"https://podcasts.apple.com/us/podcast/lazarus",
"asp.bet",
"http://apple.support.com/ht***** redirect",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"js-cdn.music.apple.com \u2022 23.78.51.170",
"Musiclab, LLC",
"cdn.rss.applemarketingtools.com",
"http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"https://trade.kraken.com/charts/KRAKEN:APT-USD>+y",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"www.phantomcameras.cn",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"It appears there are 5-7 known affected that I was able to find",
"https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"http://help.aiseesoft.jp/blu-ray-player",
"apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net",
"207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network",
"http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/",
"asp.net domain pointer",
"mac.store",
"64.38.232.180 - Adult Content IP",
"https://icloud.ch/",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content",
"Tulach.cc",
"oas-japac-domains-applecomputer.cn",
"http://console.applemarketingtools.com/",
"95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.",
"jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com",
"Victims have lost financial assets, jobs, vehicles",
"monitoring.eurovision.net",
"http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP",
"https://icloud.ch/cn/ipod-touch/",
"http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP",
"http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org",
"BearShare Install File Version 12.0.0.135802",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"Information gathered equals 2 pulses. Pulse (1) included",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado",
"http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch",
"No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]",
"https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content",
"http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP",
"Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"https://l.us-1.a.mimecastprotect.com/l",
"78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh",
"205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company",
"https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh",
"podcasts.apple.com \u2022 23.34.32.21",
"http://cab.applemarketingtools.com",
"account-apple.com",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"africa.konnect.com",
"Yara Detections: Tofsee",
"http://test-firstmile.digitecgalaxus.ch",
"smtp2.icl-privaterelay.appleid.com",
"sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022",
"applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com",
"apple.com(-inc.cc)",
"aotx.alienvault.com (aotx.?)",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content",
"154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc",
"https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"developer.x.com",
"monitor.kyos.ninja",
"https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content",
"132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center",
"After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome",
"214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"Requires further research.",
"https://action.aiseesoft.jp/itunes.php",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"div>
",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content",
"Same legal , and quasi governmental pattern identified",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP",
"https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3",
"http://help.aiseesoft.jp/fonelab/",
"euw-serp-dev-testing19.duck.ai",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"iphonegermany.com",
"https://hybrid-analysis.com/sample/14eb31210220475b60801afeae9b6979ecaf76e9fce07f41f05cb4c2d63a3b70/63f0231ad6cbe30d2e28363e",
"Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"Redirect: schemas.microsoft.com",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP",
"https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c",
"https://aspmx.l.google.com/",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"ids-apple.com \u2022 itunes.org",
"xn--cloud-4sa.com",
"http://sissy.com/default - Adult Content",
"www.anyxxxtube.net - Adult Content IP",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content",
"192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company",
"robert-aebi.appleid.com",
"https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"http://audaxgroup.appleid.com/",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"http://help.aiseesoft.jp/total-video-converter",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"I apologize for the lack of reference.",
"Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca",
"https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f",
"1.bing.com.cn",
"www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net",
"195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet",
"http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content",
"www.anyxxxtube.net - Adult Content",
"Follow up need. This is a serious financial crime following the victims.",
"https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"http://help.aiseesoft.jp/total-video-converter/",
"http://firstmile.digitecgalaxus.ch",
"165.206.254.134 \u2022 Description: CC=US ASN=AS6122",
"216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content",
"https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content",
"https://eliyporasa - Adult Content",
"www.apple.com \u2022 23.34.32.199",
"https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"",
"https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8",
"www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Trojandownloader:win32/cutwail",
"Trojan:win32/smkldr.h!mtb",
"Emotet",
"Pandex!gen1",
"Win32/searchsuite",
"#lowfi:lua:dllsuspiciousexport.a",
"Win.trojan.fenomengame-8",
"Lumen ip",
"Unknown malware \u2018can't access file\u2019",
"Trojandropper:win32/muldrop",
"Et",
"Trojan:win32/icedid.di!mtb",
"Mydoom",
"Elf:ddos-s\\ [trj]",
"Alf:jasyp:trojan:win32/ircbot!atmn",
"Win32.application.bearshare.a",
"Win.trojan.ramnit-1847",
"Alf:jasyp:trojan:win32/adialer",
"Appleservice",
"Win.trojan.fenomengame-14",
"Win.trojan.tofsee-7102058-0",
"Win.malware.msilperseus-6989564-0",
"Icedid",
"Unix.trojan.gafgyt-6981154-0",
"Cve-2023-22518",
"Win.malware.elenooka-6996044-0",
"Worm:win32/bloored",
"Backdoor:win32/tofsee.t",
"Mirai",
"Mirai sim swap",
"Win.packed.bandook-9882274-1",
"Exploit:win32/cve-2017-0147"
],
"industries": [
"Telecom",
"Government",
"Technology",
"Irs",
"Financial",
"Healthcare",
"Legal"
],
"unique_indicators": 50221
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/swell.am",
"whois": "http://whois.domaintools.com/swell.am",
"domain": "swell.am",
"hostname": "s1.swell.am"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 8,
"pulses": [
{
"id": "69ded8198b25581a09b90824",
"name": "BearShare \u2022 Solarwinds? \u2022 SearchSuite \u2022 Healthcare Administration",
"description": "",
"modified": "2026-04-15T00:13:13.981000",
"created": "2026-04-15T00:13:13.981000",
"tags": [
"Win32/SearchSuite",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 installer",
"install system",
"compiler",
"NSIS",
"code signing",
"serial number",
"db d2",
"de d3",
"f3 e1",
"issuer thawte",
"primary root",
"ca valid",
"valid",
"valid usage",
"client auth",
"algorithm",
"rticon english",
"type type",
"chi2",
"ico rtgroupicon",
"english us",
"capa",
"c2 antianalysis",
"executable",
"sample appears",
"installer",
"installers well",
"results may",
"be misleading",
"or incomplete",
"analyze created",
"techniques",
"info modify",
"files",
"modify registry",
"directory permi",
"techniques none",
"info",
"scripting inte",
"shared modules",
"Bear Share",
"urls",
"ip address",
"asn as8075",
"united",
"flag united",
"name servers",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"dnssec",
"urlmailto",
"urlhttps",
"search",
"urlhttp",
"moved",
"title",
"encrypt",
"certificate",
"segoe ui",
"otx logo",
"url analysis",
"tokyo",
"msie",
"chrome",
"gmt content",
"all ipv4",
"zeppelin",
"trojandropper",
"cookie",
"backdoor",
"hash avast",
"avg clamav",
"msdefender feb",
"k oct",
"k may",
"mtb feb",
"mtb jan",
"k aug",
"windows nt",
"dynamicloader",
"unknown",
"medium",
"default",
"as16509",
"show",
"powershell",
"write",
"xserver",
"bearshar data",
"passive dns",
"pulse submit",
"port",
"destination",
"high",
"displayname",
"windows",
"win64",
"tofsee",
"stream",
"malware",
"push",
"next",
"asnone",
"germany as8560",
"russia as198610",
"strings",
"is__elf",
"systembc_linux_variant",
"khtml",
"gecko",
"acceptencoding",
"get na",
"macintosh",
"intel mac",
"accept",
"france as16276",
"yara detections",
"contacted",
"all filehash",
"sha256",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"tls sni",
"less see",
"all ip",
"Apple",
"xordata",
"United States"
],
"references": [
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"BearShare Install File Version 12.0.0.135802",
"Musiclab, LLC",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"africa.konnect.com",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"euw-serp-dev-testing19.duck.ai",
"account-apple.com",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Tofsee",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"ids-apple.com \u2022 itunes.org",
"xn--cloud-4sa.com",
"http://cab.applemarketingtools.com",
"http://console.applemarketingtools.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Spain",
"France",
"United Kingdom of Great Britain and Northern Ireland",
"Netherlands",
"Japan",
"Switzerland",
"Madagascar",
"Finland",
"Germany",
"Russian Federation"
],
"malware_families": [
{
"id": "Win32/SearchSuite",
"display_name": "Win32/SearchSuite",
"target": null
},
{
"id": "Win32.Application.BearShare.A",
"display_name": "Win32.Application.BearShare.A",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Government",
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": "69dab27a0493e0e80a0f35cd",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 138,
"FileHash-SHA1": 119,
"FileHash-SHA256": 3553,
"IPv4": 633,
"CVE": 2,
"URL": 6134,
"domain": 2439,
"hostname": 2271,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 15300,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "5 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69ddeb45c45f6a3cd721397d",
"name": "Active attacks \u2022 Apple \u2022 Tulach",
"description": "Including 360+ Apple\nIoC\u2019s from Malicious Tulac.cc + Virtual Servers Pulses. Ongoing history of malicious attacks, custom malware engineer, malicious media , account control. \n\nI was blocked from VirusToltal. It was Tulach Nextcloud posse. What I am doing now s legal. \n\nReferenced below. URL: \"https://accountapple.com/\" contacted related malicious domain: \"accountapple.com\"\nCONTACTED DOMAIN: \"sqllq.com\" has been identified as malicious",
"modified": "2026-04-14T07:22:45.250000",
"created": "2026-04-14T07:22:45.250000",
"tags": [
"url http",
"ipv4",
"indicator role",
"active related",
"united",
"moved",
"gmt content",
"certificate",
"all domain",
"msie",
"chrome",
"extraction",
"data upload",
"twitter",
"cookie",
"extra",
"include data",
"review locs",
"exclude",
"suggested os",
"onlv",
"failed",
"stop data",
"read c",
"unicode",
"rgba",
"memcommit",
"delete",
"dock",
"write",
"execution",
"sc type",
"extri",
"include review",
"exclude sugges",
"typ data",
"a domains",
"present apr",
"script urls",
"files",
"files ip",
"address",
"ios",
"mac",
"apple",
"appleid",
"itunes",
"next associated",
"all ipv4",
"included ic",
"uny teade",
"type hostnar",
"hostnar hostnar",
"hostnar",
"macair",
"macairaustralia",
"ipad",
"ipod",
"cryptexportkey",
"invalid pointer",
"cryptgenkey",
"stream",
"defender",
"delphi",
"class",
"stack",
"format",
"unknown",
"united states",
"phishing",
"password",
"traffic redirected",
"service mod",
"service execution",
"youtube",
"music",
"streams",
"songs",
"played songs",
"music streams",
"most played",
"fonelab",
"indicator",
"included iocs",
"manually add",
"review ocs",
"exclude inn",
"sugges data",
"find",
"include",
"url https",
"enter sc",
"type",
"no matchme",
"search otx",
"https",
"references x",
"analyze",
"open th",
"url data",
"se http",
"no match",
"excluded iocs",
"iocs",
"ip whitelisted",
"whitelisted",
"tcp include",
"analysis date",
"file score",
"medium risk",
"yara detections",
"contacted",
"related tags",
"x vercel",
"file type",
"type indicator",
"role title",
"related pulses",
"mulch virtua",
"library loade",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugt",
"samuel tulach",
"unity engine",
"tulach",
"sa awareness",
"sabey",
"sar cut",
"autofill",
"includer review",
"portiana oney",
"targeting",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"musickit_1_.js",
"lazarus",
"injection",
"CVE-2017-8570",
"prefetch2",
"target",
"aaaa",
"ip address",
"record value",
"emails",
"samuel tuachs",
"sapev",
"review exclude",
"monitored target",
"script",
"mitre att",
"ascii text",
"span",
"path",
"iframe",
"april",
"hybrid",
"general",
"local",
"click",
"strings",
"body",
"development att",
"t1055.012 list planting",
"active"
],
"references": [
"https://trade.kraken.com/charts/KRAKEN:APT-USD>+y",
"https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/",
"https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/",
"https://podcasts.apple.com/us/podcast/lazarus",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://help.aiseesoft.jp/blu-ray-player",
"http://help.aiseesoft.jp/fonelab/",
"https://action.aiseesoft.jp/itunes.php",
"http://help.aiseesoft.jp/total-video-converter",
"http://help.aiseesoft.jp/total-video-converter/",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/",
"http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch",
"http://test-firstmile.digitecgalaxus.ch",
"https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/",
"No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]",
"cdn.rss.applemarketingtools.com",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"1.bing.com.cn",
"www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net",
"www.phantomcameras.cn",
"https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"",
"podcasts.apple.com \u2022 23.34.32.21",
"www.apple.com \u2022 23.34.32.199",
"js-cdn.music.apple.com \u2022 23.78.51.170",
"http://firstmile.digitecgalaxus.ch",
"Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb",
"Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca",
"Tulach.cc",
"https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8",
"www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as",
"Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains",
"asp.net domain pointer",
"developer.x.com",
"aotx.alienvault.com (aotx.?)",
"https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh",
"https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1020.001",
"name": "Traffic Duplication",
"display_name": "T1020.001 - Traffic Duplication"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591.002",
"name": "Business Relationships",
"display_name": "T1591.002 - Business Relationships"
},
{
"id": "T1591.001",
"name": "Determine Physical Locations",
"display_name": "T1591.001 - Determine Physical Locations"
},
{
"id": "T1585.001",
"name": "Social Media Accounts",
"display_name": "T1585.001 - Social Media Accounts"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1055.012",
"name": "Process Hollowing",
"display_name": "T1055.012 - Process Hollowing"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1029,
"domain": 396,
"email": 7,
"URL": 2784,
"FileHash-SHA256": 898,
"FileHash-MD5": 79,
"FileHash-SHA1": 68,
"IPv4": 35,
"CVE": 1,
"SSLCertFingerprint": 13
},
"indicator_count": 5310,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "5 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69db05f833d3d6d2231fb201",
"name": "CREDIT: Q.Vashti's research: SearchSuite \u2022 Healthcare Administration CREATED 6 HOURS AGO by Q.Vashti",
"description": "",
"modified": "2026-04-12T02:39:52.993000",
"created": "2026-04-12T02:39:52.993000",
"tags": [
"Win32/SearchSuite",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 installer",
"install system",
"compiler",
"NSIS",
"code signing",
"serial number",
"db d2",
"de d3",
"f3 e1",
"issuer thawte",
"primary root",
"ca valid",
"valid",
"valid usage",
"client auth",
"algorithm",
"rticon english",
"type type",
"chi2",
"ico rtgroupicon",
"english us",
"capa",
"c2 antianalysis",
"executable",
"sample appears",
"installer",
"installers well",
"results may",
"be misleading",
"or incomplete",
"analyze created",
"techniques",
"info modify",
"files",
"modify registry",
"directory permi",
"techniques none",
"info",
"scripting inte",
"shared modules",
"Bear Share",
"urls",
"ip address",
"asn as8075",
"united",
"flag united",
"name servers",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"dnssec",
"urlmailto",
"urlhttps",
"search",
"urlhttp",
"moved",
"title",
"encrypt",
"certificate",
"segoe ui",
"otx logo",
"url analysis",
"tokyo",
"msie",
"chrome",
"gmt content",
"all ipv4",
"zeppelin",
"trojandropper",
"cookie",
"backdoor",
"hash avast",
"avg clamav",
"msdefender feb",
"k oct",
"k may",
"mtb feb",
"mtb jan",
"k aug",
"windows nt",
"dynamicloader",
"unknown",
"medium",
"default",
"as16509",
"show",
"powershell",
"write",
"xserver",
"bearshar data",
"passive dns",
"pulse submit",
"port",
"destination",
"high",
"displayname",
"windows",
"win64",
"tofsee",
"stream",
"malware",
"push",
"next",
"asnone",
"germany as8560",
"russia as198610",
"strings",
"is__elf",
"systembc_linux_variant",
"khtml",
"gecko",
"acceptencoding",
"get na",
"macintosh",
"intel mac",
"accept",
"france as16276",
"yara detections",
"contacted",
"all filehash",
"sha256",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"tls sni",
"less see",
"all ip",
"Apple",
"xordata",
"United States"
],
"references": [
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"BearShare Install File Version 12.0.0.135802",
"Musiclab, LLC",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"africa.konnect.com",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"euw-serp-dev-testing19.duck.ai",
"account-apple.com",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Tofsee",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"ids-apple.com \u2022 itunes.org",
"xn--cloud-4sa.com",
"http://cab.applemarketingtools.com",
"http://console.applemarketingtools.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Spain",
"France",
"United Kingdom of Great Britain and Northern Ireland",
"Netherlands",
"Japan",
"Switzerland",
"Madagascar",
"Finland",
"Germany",
"Russian Federation"
],
"malware_families": [
{
"id": "Win32/SearchSuite",
"display_name": "Win32/SearchSuite",
"target": null
},
{
"id": "Win32.Application.BearShare.A",
"display_name": "Win32.Application.BearShare.A",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Government",
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": "69dab27a0493e0e80a0f35cd",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 138,
"FileHash-SHA1": 119,
"FileHash-SHA256": 3553,
"IPv4": 633,
"CVE": 2,
"URL": 6134,
"domain": 2439,
"hostname": 2271,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 15300,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "8 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69dab27a0493e0e80a0f35cd",
"name": "SearchSuite \u2022 Healthcare Administration",
"description": "Embedded in communication between a healthcare system and a client. \n\nThis is just one of countless internal issues causing a gap in communication, malicious adware, spyware, system sweeps, injection, system modification, downloads , call failures.",
"modified": "2026-04-11T20:43:38.695000",
"created": "2026-04-11T20:43:38.695000",
"tags": [
"Win32/SearchSuite",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 installer",
"install system",
"compiler",
"NSIS",
"code signing",
"serial number",
"db d2",
"de d3",
"f3 e1",
"issuer thawte",
"primary root",
"ca valid",
"valid",
"valid usage",
"client auth",
"algorithm",
"rticon english",
"type type",
"chi2",
"ico rtgroupicon",
"english us",
"capa",
"c2 antianalysis",
"executable",
"sample appears",
"installer",
"installers well",
"results may",
"be misleading",
"or incomplete",
"analyze created",
"techniques",
"info modify",
"files",
"modify registry",
"directory permi",
"techniques none",
"info",
"scripting inte",
"shared modules",
"Bear Share",
"urls",
"ip address",
"asn as8075",
"united",
"flag united",
"name servers",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"dnssec",
"urlmailto",
"urlhttps",
"search",
"urlhttp",
"moved",
"title",
"encrypt",
"certificate",
"segoe ui",
"otx logo",
"url analysis",
"tokyo",
"msie",
"chrome",
"gmt content",
"all ipv4",
"zeppelin",
"trojandropper",
"cookie",
"backdoor",
"hash avast",
"avg clamav",
"msdefender feb",
"k oct",
"k may",
"mtb feb",
"mtb jan",
"k aug",
"windows nt",
"dynamicloader",
"unknown",
"medium",
"default",
"as16509",
"show",
"powershell",
"write",
"xserver",
"bearshar data",
"passive dns",
"pulse submit",
"port",
"destination",
"high",
"displayname",
"windows",
"win64",
"tofsee",
"stream",
"malware",
"push",
"next",
"asnone",
"germany as8560",
"russia as198610",
"strings",
"is__elf",
"systembc_linux_variant",
"khtml",
"gecko",
"acceptencoding",
"get na",
"macintosh",
"intel mac",
"accept",
"france as16276",
"yara detections",
"contacted",
"all filehash",
"sha256",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"tls sni",
"less see",
"all ip",
"Apple",
"xordata",
"United States"
],
"references": [
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"BearShare Install File Version 12.0.0.135802",
"Musiclab, LLC",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"africa.konnect.com",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"euw-serp-dev-testing19.duck.ai",
"account-apple.com",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Tofsee",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"ids-apple.com \u2022 itunes.org",
"xn--cloud-4sa.com",
"http://cab.applemarketingtools.com",
"http://console.applemarketingtools.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Spain",
"France",
"United Kingdom of Great Britain and Northern Ireland",
"Netherlands",
"Japan",
"Switzerland",
"Madagascar",
"Finland",
"Germany",
"Russian Federation"
],
"malware_families": [
{
"id": "Win32/SearchSuite",
"display_name": "Win32/SearchSuite",
"target": null
},
{
"id": "Win32.Application.BearShare.A",
"display_name": "Win32.Application.BearShare.A",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Government",
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 138,
"FileHash-SHA1": 119,
"FileHash-SHA256": 3553,
"IPv4": 633,
"CVE": 2,
"URL": 6134,
"domain": 2439,
"hostname": 2271,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 15300,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "8 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699c6ef61298b57cd7275728",
"name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s",
"description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.",
"modified": "2026-03-25T07:05:10.628000",
"created": "2026-02-23T15:15:02.857000",
"tags": [
"ipv4",
"http",
"passive dns",
"files domain",
"united",
"unknown ns",
"for privacy",
"ip address",
"domain",
"dynamicloader",
"antivirus",
"yara rule",
"fe ff",
"write c",
"msvisualcpp60",
"rsds",
"e8 c8",
"e8 a8",
"ff e1",
"unknown",
"worm",
"launch",
"write",
"explorer",
"february",
"push",
"service",
"files",
"reverse dns",
"america flag",
"america asn",
"url add",
"otx logo",
"all ipv4",
"searc",
"date checked",
"server response",
"results dec",
"unknown soa",
"present aug",
"present oct",
"present sep",
"present nov",
"moved",
"error",
"title",
"win32mydoom feb",
"aaaa",
"name servers",
"trojan",
"servers",
"virtool",
"united states",
"apple",
"crlf line",
"unicode text",
"utf8",
"ff d5",
"ascii text",
"ee fc",
"suspicious",
"music",
"malware",
"role title",
"ttl value",
".cc",
"d4 f5",
"msvisualcpp2002",
"msvisualcpp2005",
"apple support",
".ch",
"privaterelay",
"pattern match",
"ck id",
"mitre att",
"ck matrix",
"href",
"et info",
"general",
"local",
"path",
"click",
"learn",
"command",
"name tactics",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"present jun",
"backdoor",
"present may",
"status",
"ransom",
"high",
"medium",
"windows",
"tofsee",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"stream",
"delete",
"emotet",
"bot network",
"mitm",
"screenshot",
"mimecast"
],
"references": [
"http://apple.support.com/ht***** redirect",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"mac.store",
"https://icloud.ch/cn/ipod-touch/",
"https://icloud.ch/",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"Redirect: schemas.microsoft.com",
"apple.com(-inc.cc)",
"oas-japac-domains-applecomputer.cn",
"robert-aebi.appleid.com",
"smtp2.icl-privaterelay.appleid.com",
"http://audaxgroup.appleid.com/",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"iphonegermany.com",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"https://aspmx.l.google.com/",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"http://www.icloud-sms-alert.com/",
"monitoring.eurovision.net",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"monitor.kyos.ninja"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/IcedId.DI!MTB",
"display_name": "Trojan:Win32/IcedId.DI!MTB",
"target": "/malware/Trojan:Win32/IcedId.DI!MTB"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Worm:Win32/Bloored",
"display_name": "Worm:Win32/Bloored",
"target": "/malware/Worm:Win32/Bloored"
},
{
"id": "Win.Malware.Elenooka-6996044-0",
"display_name": "Win.Malware.Elenooka-6996044-0",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6031,
"hostname": 1971,
"domain": 1125,
"FileHash-SHA256": 1715,
"email": 18,
"FileHash-MD5": 317,
"FileHash-SHA1": 164
},
"indicator_count": 11341,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "26 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "694dc80ac6e7fd5474b316a1",
"name": "Malicious DDOS attacks targeting Brand New 2025 | Updated Apple Products affecting IRS payment portal",
"description": "Malicious actors continue to target certain users attempting to pay the IRS. Victim is redirected to : http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan after typing in IRS.gov (w/ secure header \u2018https\u2019 )\nOnce information is input it is payment is rejected, levy against bank accounts and assets and other threats. There is social engineering as one victim is communicating with someone allegedly from the IRS? \nAlthough malicious entities contacted , malicious behavior continues. Adversaries in the Middle attack. US hacker group. Denver, Iowa, Arizona, NY and abroad. \n\n*Targets: https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main |",
"modified": "2026-01-24T22:05:13.068000",
"created": "2025-12-25T23:26:02.712000",
"tags": [
"hash avast",
"avg clamav",
"msdefender feb",
"url http",
"url https",
"zipcode",
"active related",
"cage01195 dec",
"passports",
"ipv4",
"active",
"irs",
"apple",
"role title",
"indicator role",
"malware attacks",
"find encrypted",
"lumen",
"fastly",
"create c",
"read c",
"delete",
"write",
"default",
"medium",
"rgba",
"dock",
"execution",
"xport",
"united",
"passive dns",
"urls",
"expiration date",
"unknown ns",
"unknown aaaa",
"pulse pulses",
"merit",
"dod network",
"type indicator",
"related pulses",
"name",
"name servers",
"ffffff",
"ip address",
"emails",
"object",
"clsid6bf52a52",
"cookie",
"meta",
"united kingdom",
"germany",
"russia",
"search",
"added active",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"href",
"pattern match",
"ascii text",
"ck id",
"mitre att",
"ck matrix",
"t1071",
"general",
"local",
"path",
"iframe",
"click",
"beginstring",
"segoe ui",
"null",
"refresh",
"span",
"hybrid",
"strings",
"error",
"tools",
"title",
"look",
"verify",
"restart",
"data upload",
"extraction",
"failed",
"include data",
"entries",
"unicode",
"high",
"memcommit",
"next",
"flag",
"process details",
"path expiresthu",
"moved",
"gmt set",
"domain",
"httponly path",
"encrypt",
"leaseweb",
"iowa",
"title added",
"bad traffic",
"et info",
"tls handshake",
"failure",
"command decode",
"suricata stream",
"circle",
"f5f8fa",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"development att",
"suricata http",
"windows nt",
"date",
"ips initial",
"prefetch8",
"localappdata",
"prefetch1",
"programfiles",
"edge",
"access att",
"t1566 phishing",
"initial access",
"show process",
"show technique",
"process",
"t1057",
"contacted",
"ck techniques",
"evasion att",
"body",
"report spam",
"apple",
"ddos",
"irs created",
"hours ago",
"white",
"apple user",
"industries",
"government",
"finance",
"trojandropper",
"appleservice",
"mirai",
"trojan",
"next associated",
"fastly error",
"please",
"sea p",
"mozilla",
"accept",
"alerts",
"filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"analysis date",
"file score",
"medium risk",
"copy",
"richhash",
"finding notes",
"clamav malware",
"files matching",
"number",
"sample analysis",
"samples show",
"date hash",
"yara rule",
"msie",
"t1063",
"windows",
"malware",
"detected",
"https domain",
"tls sni",
"markus",
"smartassembly",
"win64",
"exif data",
"present dec",
"status",
"showing",
"show",
"icmp traffic",
"pdb path",
"crlf line",
"mutex",
"ms defender",
"mtb malware",
"hide samples",
"rootkit",
"apple webkit",
"macbook pro",
"apple ios"
],
"references": [
"sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022",
"132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center",
"154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc",
"165.206.254.134 \u2022 Description: CC=US ASN=AS6122",
"192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company",
"195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet",
"205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company",
"207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network",
"207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network",
"214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center",
"216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies",
"78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh",
"95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content",
"http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content",
"http://www.anyxxxtube.net/search-porn/ - Adult Content",
"https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content",
"http://sissy.com/default - Adult Content",
"https://eliyporasa - Adult Content",
"64.38.232.180 - Adult Content IP",
"www.anyxxxtube.net - Adult Content",
"www.anyxxxtube.net - Adult Content IP",
"http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content",
"http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP",
"jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP",
"https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP",
"http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP",
"http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP",
"http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP",
"httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022",
"http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org",
"asp.bet",
"apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net",
"https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c",
"https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main",
"http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com",
"jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com",
"https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e",
"Information gathered equals 2 pulses. Pulse (1) included",
"https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672",
"https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d",
"https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3",
"https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676",
"https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5",
"https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676",
"Follow up need. This is a serious financial crime following the victims.",
"Victims have lost financial assets, jobs, vehicles",
"Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado",
"After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "Win.Malware.Msilperseus-6989564-0",
"display_name": "Win.Malware.Msilperseus-6989564-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Win.Trojan.Ramnit-1847",
"display_name": "Win.Trojan.Ramnit-1847",
"target": null
},
{
"id": "Win.Trojan.Fenomengame-14",
"display_name": "Win.Trojan.Fenomengame-14",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "Pandex!gen1",
"display_name": "Pandex!gen1",
"target": null
},
{
"id": "Mirai Sim Swap",
"display_name": "Mirai Sim Swap",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Lumen IP",
"display_name": "Lumen IP",
"target": null
},
{
"id": "Unknown Malware \u2018Can't access file\u2019",
"display_name": "Unknown Malware \u2018Can't access file\u2019",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "Win.Trojan.Fenomengame-8",
"display_name": "Win.Trojan.Fenomengame-8",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/Adialer",
"display_name": "ALF:JASYP:Trojan:Win32/Adialer",
"target": null
},
{
"id": "TrojanDropper:Win32/Muldrop",
"display_name": "TrojanDropper:Win32/Muldrop",
"target": "/malware/TrojanDropper:Win32/Muldrop"
},
{
"id": "Appleservice",
"display_name": "Appleservice",
"target": null
},
{
"id": "ELF:DDoS-S\\ [Trj]",
"display_name": "ELF:DDoS-S\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Gafgyt-6981154-0",
"display_name": "Unix.Trojan.Gafgyt-6981154-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [
"Financial",
"Government",
"Technology",
"IRS"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 363,
"FileHash-SHA1": 360,
"FileHash-SHA256": 3009,
"URL": 3504,
"domain": 879,
"email": 15,
"hostname": 1487,
"SSLCertFingerprint": 3
},
"indicator_count": 9620,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "85 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "63f0d59458c28085290bf985",
"name": "http://time-osx.g.aaplimg.com/",
"description": "Hybrid ambigious",
"modified": "2023-03-20T13:02:37.822000",
"created": "2023-02-18T13:41:39.996000",
"tags": [
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"runtime data",
"ansi",
"unicode",
"programfiles",
"localappdata",
"hash seen",
"size",
"runtime process",
"sha256",
"prefetch8 ansi",
"date",
"hybrid",
"close",
"click",
"hosts",
"ransomware",
"february",
"general",
"strings",
"suspicious"
],
"references": [
"https://hybrid-analysis.com/sample/14eb31210220475b60801afeae9b6979ecaf76e9fce07f41f05cb4c2d63a3b70/63f0231ad6cbe30d2e28363e"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 190,
"hostname": 103,
"domain": 37,
"FileHash-SHA256": 96,
"email": 1,
"FileHash-MD5": 52,
"FileHash-SHA1": 52
},
"indicator_count": 531,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 91,
"modified_text": "1126 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://s1.swell.am",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://s1.swell.am",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776661320.9138384
}