{
"type": "URL",
"indicator": "https://sa.jmtstudios.org/",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://sa.jmtstudios.org/",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4180634646,
"indicator": "https://sa.jmtstudios.org/",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 12,
"pulses": [
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b7cb05b2098c1d2bf20f",
"name": "federal goverment clone cellbrite credit q vashti",
"description": "",
"modified": "2026-03-12T12:55:39.046000",
"created": "2026-03-12T12:55:39.046000",
"tags": [
"url https",
"url http",
"germany",
"united",
"ukraine",
"japan",
"extraction",
"data upload",
"urls",
"url analysis",
"enter sc",
"extr",
"iocs",
"active",
"france unknown",
"present jan",
"servers",
"homair sweet",
"grabber",
"encrypt",
"ipv4",
"role title",
"divx",
"pitfall",
"internet",
"ip role",
"america asn",
"extraction data",
"leveibielabs",
"all se",
"enter source",
"url or",
"texirag",
"drop",
"present nov",
"united states",
"america",
"levdibidelabs",
"failed",
"idron anv",
"include manualv",
"review data",
"iterng",
"name servers",
"passive dns",
"incapsula",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"script head",
"request",
"cookie",
"indicator",
"msie",
"chrome",
"backdoor",
"gmt content",
"ipv4 add",
"twitter",
"title",
"process32nextw",
"ms windows",
"intel",
"pe32",
"regopenkeyexa",
"read c",
"medium",
"class",
"write",
"template",
"present oct",
"present jul",
"aaaa",
"present sep",
"present aug",
"url add",
"http",
"hostname",
"related tags",
"kx81xdbx0f",
"x86xd3",
"xa7xe28x06",
"x82xd4",
"delete c",
"regsetvalueexa",
"regbinary",
"xa1xf1",
"xe8xc2x14",
"malware",
"stream",
"unknown",
"win32",
"persistence",
"execution",
"push",
"present dec",
"italy",
"present jun",
"embeddedwb",
"whitelisted",
"windows nt",
"dns traffic",
"russia",
"cname",
"accept",
"destination",
"port",
"et smtp",
"message",
"et trojan",
"components",
"suspicious",
"download",
"hostile",
"next",
"logic",
"gather victim",
"et info",
"etpro trojan",
"trojan",
"report spam",
"interesting",
"created",
"pegasus",
"manipulation",
"service",
"capture",
"et",
"etpro",
"host",
"attack",
"mtb description",
"windows",
"shellexecuteexw",
"writeconsolew",
"registry",
"t1031",
"modify existing",
"dock",
"type indicator",
"added active",
"related pulses",
"arcflex",
"filehashsha1",
"types of",
"learn more",
"filehashsha256",
"cellebrite",
"white label",
"search",
"sha1",
"france",
"cmanual jan",
"expiration date",
"domain add",
"pulse submit",
"files",
"ip address",
"gmt cache",
"sameorigin",
"reverse dns",
"unknown ns",
"admin org",
"zipcode",
"gmt server",
"pulse pulses",
"entries",
"hostname add",
"verdict",
"germany unknown",
"status",
"domain",
"xpirat",
"netherlands",
"netherlands asn",
"as35280 acorus",
"dns resolutions",
"error",
"files ip",
"copy",
"telnet login",
"suspicious path",
"busybox",
"login attempt",
"gpl telnet",
"high",
"tcp syn",
"telnet root",
"path",
"mirai",
"emails",
"domain name",
"jlu11q",
"tqbplo",
"hours ago",
"found",
"yahoo",
"gmail",
"yandex",
"https://cellebrite.com/en/federal-government/",
"monitoring",
"monitored target",
"dangerous",
"spyware",
"80211",
"colorado",
"x amz",
"government",
"mirai login attempt",
"emotet",
"c2",
".ru",
".com",
"denver",
"indicator role",
"title added",
"active related",
"pulses hostname",
"dead connect",
"hostile",
"adversarial",
"abuse",
"criminal intent",
"block messages",
"botnet"
],
"references": [
"fastwebnet.it | Cellebrite White Label Spyware Service",
"putrhnwl.exe",
"Yara Detections: Nullsoft_NSIS",
"Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut",
"Alerts: exe_appdata injection_process_search privilege_luid_check process_interest",
"Alerts: queries_programs antivm_queries_computername antivm_memory_available",
"IP\u2019s Contacted : 54.230.129.165",
"Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com",
"Domains Contacted: pitfall.divx.com www.google.com",
"RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Yara: Detections Tofsee",
"Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey",
"Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername",
"https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966",
"FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,",
"DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe",
"ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116",
"ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116",
"ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101",
"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108",
"ET TROJAN Suspicious double Server Header",
"ET DNS DNS Query to a .tk domain - Likey",
"ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101",
"Needs to be sorted. Actively being exploited on US",
"162.159.134.42 \u2022 https://cellebrite.com/",
"https://cellebrite.com/en/federal-government/",
"moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in",
"skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au",
"http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com",
"applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33",
"mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my",
"http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Germany",
"Ireland",
"Switzerland",
"Poland",
"Belgium",
"Netherlands",
"Sweden"
],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
},
{
"id": "Trojan:Win32/Emotet.PC!MTB",
"display_name": "Trojan:Win32/Emotet.PC!MTB",
"target": "/malware/Trojan:Win32/Emotet.PC!MTB"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Trojan:Win32/Danabot",
"display_name": "Trojan:Win32/Danabot",
"target": "/malware/Trojan:Win32/Danabot"
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Trojan:Win32/Aptdrop.RU",
"display_name": "Trojan:Win32/Aptdrop.RU",
"target": "/malware/Trojan:Win32/Aptdrop.RU"
},
{
"id": "Ransomware/Win.Stop.R4529",
"display_name": "Ransomware/Win.Stop.R4529",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Win32/BackdoorX",
"display_name": "Win32/BackdoorX",
"target": null
},
{
"id": "Win.Trojan.Dialog-9873788-0",
"display_name": "Win.Trojan.Dialog-9873788-0",
"target": null
},
{
"id": "Tsunami-6981155-0",
"display_name": "Tsunami-6981155-0",
"target": null
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1195",
"name": "Supply Chain Compromise",
"display_name": "T1195 - Supply Chain Compromise"
},
{
"id": "T1196",
"name": "Control Panel Items",
"display_name": "T1196 - Control Panel Items"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1414",
"name": "Capture Clipboard Data",
"display_name": "T1414 - Capture Clipboard Data"
},
{
"id": "T1505",
"name": "Server Software Component",
"display_name": "T1505 - Server Software Component"
},
{
"id": "T1556",
"name": "Modify Authentication Process",
"display_name": "T1556 - Modify Authentication Process"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1581",
"name": "Geofencing",
"display_name": "T1581 - Geofencing"
},
{
"id": "T1582",
"name": "SMS Control",
"display_name": "T1582 - SMS Control"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1587",
"name": "Develop Capabilities",
"display_name": "T1587 - Develop Capabilities"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [
"Journalists",
"Government",
"Civil Society"
],
"TLP": "green",
"cloned_from": "696f7d467763ed4d4e74d133",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4994,
"domain": 2519,
"hostname": 3281,
"FileHash-SHA256": 4467,
"FileHash-MD5": 1118,
"FileHash-SHA1": 1056,
"email": 12,
"SSLCertFingerprint": 1
},
"indicator_count": 17448,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d69ecbc0497f97e28618",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:10.502000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "53 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d6a601f06adcd1ed22fc",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:18.022000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "53 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d6afd744c55bd596ed6e",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:27.248000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "53 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6975c5cd4db6104ea1a3d69b",
"name": "The Blender Foundation BouncyCastle-Virut | Malware /Stealer Empty FileHash | Eternal7 (Shadow Broker) Related",
"description": "Empty FileHash isn\u2019t benign. Interesting relationships to the Eternal 7. Malware, Stealer and Suspicious History File Operation. BouncyCastle-Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys / Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"modified": "2026-02-24T06:02:43.853000",
"created": "2026-01-25T07:27:09.640000",
"tags": [
"empty",
"blender",
"eurostile",
"augustin",
"butterfield",
"cook",
"drummer",
"erickson",
"fjsv",
"flynn",
"gorman",
"holmes",
"easy",
"rada",
"xanadu",
"config",
"reboot",
"screen",
"microsoft",
"commerce server",
"edition",
"draw",
"exchange server",
"tools",
"linux",
"ideal link",
"nsrl test",
"nist",
"file",
"cultureneutral",
"fix pack",
"free download",
"bouncycastle",
"read c",
"search",
"et trojan",
"w32kegotip cnc",
"whitelisted",
"ids detections",
"intel",
"write",
"trojan",
"malware",
"yara detections",
"productversion",
"fileversion",
"av detections",
"alerts",
"analysis date",
"file score",
"united",
"aaaa",
"passive dns",
"ip address",
"present dec",
"body html",
"head meta",
"title",
"urls",
"url https",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"beacon",
"et",
"ipv4",
"files",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"related pulses",
"show",
"win32virut",
"destination",
"port",
"ms windows",
"pe32",
"medium",
"suspicious",
"virustotal",
"startul",
"shadowbrokers",
"total",
"delete",
"artemis",
"win32.injector",
"trendmicro",
"data upload",
"extraction",
"included iocs"
],
"references": [
"The Blender Foundation",
"website \u2022 http://oldapps.com/blender.php?old_blender=7584",
"oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]",
"Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community",
"Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks",
"ET TROJAN W32/Kegotip CnC Beacon",
"IDS Detections ET POLICY Suspicious User-Agent Containing .exe",
"Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit",
"Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /",
"Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "BouncyCastle",
"display_name": "BouncyCastle",
"target": null
},
{
"id": "Sf:ShellCode-AU",
"display_name": "Sf:ShellCode-AU",
"target": null
},
{
"id": "Win.Trojan.Fareit-82",
"display_name": "Win.Trojan.Fareit-82",
"target": null
},
{
"id": "Win.Trojan.Agent-245901",
"display_name": "Win.Trojan.Agent-245901",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "W32/Kegotip CnC",
"display_name": "W32/Kegotip CnC",
"target": null
},
{
"id": "W32.Virut.ci",
"display_name": "W32.Virut.ci",
"target": null
},
{
"id": "Downloader.Generic13.CMTW",
"display_name": "Downloader.Generic13.CMTW",
"target": null
},
{
"id": "Downloader.Generic13.BOBZ",
"display_name": "Downloader.Generic13.BOBZ",
"target": null
},
{
"id": "Win.Trojan.Injector-12138",
"display_name": "Win.Trojan.Injector-12138",
"target": null
},
{
"id": "Generic36.ADTY",
"display_name": "Generic36.ADTY",
"target": null
},
{
"id": "Generic36.AIAA.Dropper",
"display_name": "Generic36.AIAA.Dropper",
"target": null
},
{
"id": "Generic36.AJSM",
"display_name": "Generic36.AJSM",
"target": null
},
{
"id": "Win32/Virut",
"display_name": "Win32/Virut",
"target": null
},
{
"id": "Win32/Ramnit.A",
"display_name": "Win32/Ramnit.A",
"target": null
},
{
"id": "Worm.Autorun-6180",
"display_name": "Worm.Autorun-6180",
"target": null
},
{
"id": "Hider.BIY",
"display_name": "Hider.BIY",
"target": null
},
{
"id": "Win.Trojan.Rootkit-4532",
"display_name": "Win.Trojan.Rootkit-4532",
"target": null
},
{
"id": "Win32/Blacked",
"display_name": "Win32/Blacked",
"target": null
},
{
"id": "Win32.Injector",
"display_name": "Win32.Injector",
"target": null
},
{
"id": "TrendMicro",
"display_name": "TrendMicro",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 71,
"FileHash-SHA256": 853,
"URL": 1639,
"domain": 288,
"FileHash-MD5": 78,
"hostname": 545
},
"indicator_count": 3474,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "54 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69754a5dd138f73f5cfdf78c",
"name": "EternalRocks (SHADOW BROKERS) MicroBotMassiveNet - NSA Exploits",
"description": "Exploited | Active | Continuous \n\u201cEternalRocks\u201d (also known as MicroBotMassiveNet) is a sophisticated computer worm discovered in May 2017 that targets Windows machines, utilizing seven different NSA-leaked exploits\u2014far more than the two used by the infamous WannaCry ransomware. Trend Micro and other security researchers highlighted the danger of this malware because, unlike WannaCry, it does not have a \"kill switch\" and is designed to create a backdoor for future, more severe, and adaptable attacks * While initially, it appeared to only act as a downloader for other tools, the danger lay in its potential to be weaponized for launching ransomware, Remote Access Trojans (RATs), or other malware at a later date. \nThank you Winston & Vogt",
"modified": "2026-02-23T19:02:00.548000",
"created": "2026-01-24T22:40:29.680000",
"tags": [
"regsetvalueexa",
"default",
"regdword",
"regbinary",
"module download",
"tls handshake",
"high",
"regsetvalueexw",
"malware",
"write",
"win32",
"ids detections",
"download tls",
"eternalrocks",
"nsa exploits",
"worm",
"cryptojackers",
"shadow brokers",
"ransom",
"ingress tool",
"channel",
"udp a83f8110",
"get http",
"get https",
"dns resolutions",
"root path",
"encrypted",
"native",
"required.exe",
"stolen toolset",
"cyber weapons",
"cyber warfare",
"autonomous",
"tor",
"dark web",
"black paper",
"nsa weapons",
"2017",
"tao?",
"targeting",
"breach",
"equation group tools",
"installer",
"stealer",
"apt",
"empty",
"not an exit node",
"empty file",
"tor relay router",
"traffic groups",
"traffic group 815",
"el tor",
"tor relay",
"traffic group 778",
"traffic group 238",
"traffic group 333",
"traffic group 333",
"node",
"traffic group 252",
"open_source_tool",
"confuserex",
"susp_net_name_confuserex",
"eternalrocks",
"svchost",
"eternalrocks_svchost_fr",
"obfuscated",
"susp_confuserex_obfuscated",
"encryption",
"module",
"msil",
"net",
"bing",
"android",
"libre",
"mcsf",
"microsoft",
"active attack",
"financial crimes",
"EternalBlue",
"EternalChampion",
"EternalRocks",
"Stealth",
"EternalSynergy",
"EternalRomance",
"checks-network-adapters",
"checks-user-input",
"crypto",
"detect-deb",
"environment",
"direct-cpu-clock-access",
"long-sleeps",
"runtime-modules"
],
"references": [
"EternalRocks MALWARE RANSOM TROJAN EVADER",
"The 2017 timeline accurately fits victim\u2019s major financial and other continuous First attacks began in 10/2013. Upgraded",
"With so many \u2018officials\u2019 involved, it\u2019s hard to believe \u2018 The Shadow Brokers\u2019 isnt a government entity.",
"Strangely NSO Group The Lazarus Group The Shadow Brokers and others attack an individual",
"Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,TrojanDownloader:Win32/Eterock.A",
"IDS Detections: Possible ETERNALROCKS .Net Module Download TLS Handshake Failure",
"Yara Detections: SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost ,",
"Yara Detections: EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"Alerts: network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_i",
"NSA Exploits Used: The malware uses seven Shadow Brokers-leaked tools, including EternalBlue, EternalChampion,",
"EternalRomance, and EternalSynergy. Stealth",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Yara Matches",
"Matches rule EternalRocks_svchost from ruleset crime_eternalrocks by Florian Roth (Nextron Systems)",
"Matches rule SUSP_NET_NAME_ConfuserEx from ruleset gen_github_net_redteam_tools_names by Arnim Rupp",
"Matches rule INDICATOR_EXE_Packed_ConfuserEx from ruleset indicator_packed",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Sigma Matches",
"Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"Matches rule Uncommon Svchost Command Line Parameter by Liran Ravich",
"Matches rule Uncommon Schost Parent Process by Florian Roth (Nextron Systems)",
"Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Shelton, Nasreddine Bencherchali (Nextron stems",
"Matches rule Windows Processes Suspicious Parent Directory by vburov",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced IDS rules",
"Matches rule DELETED SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt",
"Matches rule MALWARE-CNC DNS Fast Flux attempt",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 252",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 333",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 778",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 815",
"Matches rule ET POLICY TLS possible TOR SSL traffic",
"Matches rule ET JA3 Hash - Possible Malwar RigEK/Cryptowall/Dridex",
"Matches rule ET JA3 Hash - [Abuse.ch] Possible Ransomware",
"Matches rule SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Ransomware)",
"Matches rule POLICY-OTHER TOR Project domain request",
"Dynamic sandbox CZAE flags this file as: STEALER",
"https://github.com/stamparm/EternalRocks",
"(The Shadow Brokers NSA dump) SMB exploits: ETERNALBLUE, ETERNALCHAMPION,",
"ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.",
"REFERENCE: https://twitter.com/stamparm/status/864865144748298242 RULE_AUTHOR: Florian Roth",
"RULE_LINK: https://valhalla.nextron-systems.com/info/rule/EternalRocks_svchost_FR",
"DESCRIPTION: Detects EternalRocks Malware - file taskhost.exe",
"TNULL: unknown empty EMPTY FILEHASH-MD5 d41d8cd98f00b204e9800998ecf8427e",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"Matches rule Suspicious History File Operat Mikhail Larin, oscd.community",
"Matches rule SURICATA STREAM Packet with invalid timestamp"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "EternalRocks",
"display_name": "EternalRocks",
"target": null
},
{
"id": "CVE-2017-0148",
"display_name": "CVE-2017-0148",
"target": null
},
{
"id": "Exploit:PowerShell/CVE-2017-0143",
"display_name": "Exploit:PowerShell/CVE-2017-0143",
"target": "/malware/Exploit:PowerShell/CVE-2017-0143"
},
{
"id": "trojan.eternalrocks/shadowbrokers",
"display_name": "trojan.eternalrocks/shadowbrokers",
"target": null
}
],
"attack_ids": [
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1408",
"name": "Disguise Root/Jailbreak Indicators",
"display_name": "T1408 - Disguise Root/Jailbreak Indicators"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
}
],
"industries": [
"Finance",
"Government",
"Insurance",
"Civilians",
"Health"
],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 82,
"FileHash-SHA1": 76,
"FileHash-SHA256": 700,
"URL": 280,
"domain": 46,
"hostname": 233,
"CVE": 2
},
"indicator_count": 1419,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "54 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "697488f095f69d392afd00fb",
"name": "Fidelity Investments \u2022\u2019 EternalRocks | Financial Crimes",
"description": "Fidelity Life and Guarantee defaults to Fidelity Investments. Long standing issue. Possible phishing email interception. Multiple accounts stolen at the time a man who presents himself as M. Brian Sabey Esq. Elder/Estate attorney unable to\nsettle life claim more action was requested. Attorney repeatedly redirected to an investment team. We decided to use targets phone to\ntest results , payout is overdue. Illegal tactics were used to defraud victim/s.. Fraud operators ask for SSN and later state they cannot help. L of Fraud phone , \u2018team\u2019 cannot complete internal phone transfers.,can conference you in to other people who act confused , disheveled who also\nask for SSN. \n\nSince victims experiences less\nthan covert interactions, I\u2019m unclear as to why there is a strong FBI, CIA , Palantir Foundry presence. It\u2019s rattling . \nReiterating : Entity steals financial products, health , life insurance policies, investment accounts, credit card frauds , bank accounts,intellectual property anything of value.",
"modified": "2026-02-23T07:04:04.285000",
"created": "2026-01-24T08:55:12.845000",
"tags": [
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"ck techniques",
"evasion att",
"t1480 execution",
"href",
"ascii text",
"pattern match",
"mitre att",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"form",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"active related",
"url https",
"related pulses",
"url http",
"united",
"czechia",
"hong kong",
"ipv4",
"indicators hong",
"kong",
"south korea",
"netherlands",
"germany",
"ireland",
"denmark",
"sweden",
"active",
"government",
"finance",
"security",
"type indicator",
"yara detections",
"av detections",
"ids detections",
"alerts",
"analysis date",
"mcsf",
"microsoft",
"yara",
"insurance",
"fidelity investments",
"description",
"fidelity international",
"ms windows",
"pe32",
"writeconsolew",
"read c",
"pe32 executable",
"t1045",
"susp",
"write",
"win64",
"malware",
"modified",
"ck ids",
"t1040",
"sniffing",
"packing",
"t1112",
"packing t1045",
"icmp traffic",
"memcommit",
"pe section",
"low software",
"pe resource",
"win32",
"trojan",
"april",
"sara ligorria",
"tramp advert",
"black paper",
"createdate",
"subject laser",
"title laser",
"format",
"types of",
"japan",
"regsetvalueexa",
"regdword",
"regbinary",
"module download",
"tls handshake",
"high",
"defense evasion",
"discovery att",
"adversaries",
"title",
"role",
"flag",
"name server",
"server",
"domain address",
"markmonitor",
"clicktale ltd",
"enom",
"whoisguard",
"medium",
"unicode",
"rgba",
"delete",
"crlf line",
"next",
"dock",
"execution",
"date",
"users",
"tls sni",
"total",
"cnc domain",
"search",
"oamazon",
"cnamazon rsa",
"push",
"failure yara",
"contacted",
"hours ago",
"created",
"cia",
"fbi",
"telegram",
"tulach",
"sabey",
"state",
"gov",
"ahmann",
"financial fraud",
"t-mobile",
"walmartmobile",
"life insurance",
"fidelity life",
"guarantee",
"team",
"role title",
"added active",
"scan",
"iocs",
"learn more",
"filehashsha1",
"filehashmd5",
"kw3recepten",
"domainname0",
"searchbox0",
"kw1brinta",
"kw2muesli",
"indicator role",
"title added",
"pulses url",
"cve cve20170147",
"apple",
"apple id"
],
"references": [
"https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226",
"https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com",
"http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com",
"https://bhive.nectar.social/rKvoMY",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe",
"ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,",
"TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161",
"Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.",
"EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name",
"Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.",
"Domains Contacted api.nuget.org",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png",
"https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.fidelity.com/ https://www.fidelity.com/",
"cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99",
"cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl",
"https://www.anyxxxtube.net/search-porn/",
"https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears",
"fidelity-account.com e http://fidelity-account.com/fidelity/code.html",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex",
"http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022",
"\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:",
"https://bhive.nectar.social/rKvoMY",
"apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co",
"http://appleid.app",
"https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win64:Trojan-gen",
"display_name": "Win64:Trojan-gen",
"target": null
},
{
"id": "Trojan:MSIL/Ursu.KP",
"display_name": "Trojan:MSIL/Ursu.KP",
"target": "/malware/Trojan:MSIL/Ursu.KP"
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F",
"target": null
},
{
"id": "Trojan:PDF/Phish.RR!MTB",
"display_name": "Trojan:PDF/Phish.RR!MTB",
"target": "/malware/Trojan:PDF/Phish.RR!MTB"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": ": ALF:Trojan:MSIL/Azorult.AC!",
"display_name": ": ALF:Trojan:MSIL/Azorult.AC!",
"target": null
},
{
"id": "ALF:Trojan:Win32/CryptWrapper.RT!MTB",
"display_name": "ALF:Trojan:Win32/CryptWrapper.RT!MTB",
"target": null
},
{
"id": "Trojan:Win32/Conbea!rfn",
"display_name": "Trojan:Win32/Conbea!rfn",
"target": "/malware/Trojan:Win32/Conbea!rfn"
},
{
"id": "Trojan:Win32/Ausiv!rfn",
"display_name": "Trojan:Win32/Ausiv!rfn",
"target": "/malware/Trojan:Win32/Ausiv!rfn"
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat",
"target": null
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "TrojanDropper:Win32/Qhost",
"display_name": "TrojanDropper:Win32/Qhost",
"target": "/malware/TrojanDropper:Win32/Qhost"
},
{
"id": "Trojan:Win32/Miner.KA!MTB",
"display_name": "Trojan:Win32/Miner.KA!MTB",
"target": "/malware/Trojan:Win32/Miner.KA!MTB"
},
{
"id": "DNSTrojan",
"display_name": "DNSTrojan",
"target": null
},
{
"id": "EternalRocks",
"display_name": "EternalRocks",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Government",
"Finance",
"Insurance"
],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2793,
"URL": 6639,
"FileHash-SHA256": 2462,
"domain": 1070,
"FileHash-MD5": 307,
"FileHash-SHA1": 186,
"SSLCertFingerprint": 1,
"email": 1,
"CVE": 3
},
"indicator_count": 13462,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "55 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696f7d467763ed4d4e74d133",
"name": "Federal Government-Cellebrite Attack found actively targeting iOS and other devices | Mirai login attempts | TelNet Login",
"description": "https://cellebrite.com/en/federal-government/ | Found on a crime victims devices. Targets abused by spyware in an unethical manner by andvesarial \u2018governmental\u2019 possibly \u2018contracted\u2019 entities. Waged against targets such as victims of crime , journalists , researchers , students. Target Users: Serves public safety, enterprise, and government sectors, aiding first responders, investigators, prosecutors, and analysts. How it's Used Law enforcement uses it to unlock devices and retrieve evidence like messages, location history, and app data for criminal investigations. It helps uncover critical information from digital devices, even recovering data that users thought was permanently deleted. Controversy & Privacy Concerns While marketed as a tool for lawful investigations, its powerful data extraction capabilities raise significant privacy concerns and ethical debates.",
"modified": "2026-02-19T12:05:47.166000",
"created": "2026-01-20T13:04:06.622000",
"tags": [
"url https",
"url http",
"germany",
"united",
"ukraine",
"japan",
"extraction",
"data upload",
"urls",
"url analysis",
"enter sc",
"extr",
"iocs",
"active",
"france unknown",
"present jan",
"servers",
"homair sweet",
"grabber",
"encrypt",
"ipv4",
"role title",
"divx",
"pitfall",
"internet",
"ip role",
"america asn",
"extraction data",
"leveibielabs",
"all se",
"enter source",
"url or",
"texirag",
"drop",
"present nov",
"united states",
"america",
"levdibidelabs",
"failed",
"idron anv",
"include manualv",
"review data",
"iterng",
"name servers",
"passive dns",
"incapsula",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"script head",
"request",
"cookie",
"indicator",
"msie",
"chrome",
"backdoor",
"gmt content",
"ipv4 add",
"twitter",
"title",
"process32nextw",
"ms windows",
"intel",
"pe32",
"regopenkeyexa",
"read c",
"medium",
"class",
"write",
"template",
"present oct",
"present jul",
"aaaa",
"present sep",
"present aug",
"url add",
"http",
"hostname",
"related tags",
"kx81xdbx0f",
"x86xd3",
"xa7xe28x06",
"x82xd4",
"delete c",
"regsetvalueexa",
"regbinary",
"xa1xf1",
"xe8xc2x14",
"malware",
"stream",
"unknown",
"win32",
"persistence",
"execution",
"push",
"present dec",
"italy",
"present jun",
"embeddedwb",
"whitelisted",
"windows nt",
"dns traffic",
"russia",
"cname",
"accept",
"destination",
"port",
"et smtp",
"message",
"et trojan",
"components",
"suspicious",
"download",
"hostile",
"next",
"logic",
"gather victim",
"et info",
"etpro trojan",
"trojan",
"report spam",
"interesting",
"created",
"pegasus",
"manipulation",
"service",
"capture",
"et",
"etpro",
"host",
"attack",
"mtb description",
"windows",
"shellexecuteexw",
"writeconsolew",
"registry",
"t1031",
"modify existing",
"dock",
"type indicator",
"added active",
"related pulses",
"arcflex",
"filehashsha1",
"types of",
"learn more",
"filehashsha256",
"cellebrite",
"white label",
"search",
"sha1",
"france",
"cmanual jan",
"expiration date",
"domain add",
"pulse submit",
"files",
"ip address",
"gmt cache",
"sameorigin",
"reverse dns",
"unknown ns",
"admin org",
"zipcode",
"gmt server",
"pulse pulses",
"entries",
"hostname add",
"verdict",
"germany unknown",
"status",
"domain",
"xpirat",
"netherlands",
"netherlands asn",
"as35280 acorus",
"dns resolutions",
"error",
"files ip",
"copy",
"telnet login",
"suspicious path",
"busybox",
"login attempt",
"gpl telnet",
"high",
"tcp syn",
"telnet root",
"path",
"mirai",
"emails",
"domain name",
"jlu11q",
"tqbplo",
"hours ago",
"found",
"yahoo",
"gmail",
"yandex",
"https://cellebrite.com/en/federal-government/",
"monitoring",
"monitored target",
"dangerous",
"spyware",
"80211",
"colorado",
"x amz",
"government",
"mirai login attempt",
"emotet",
"c2",
".ru",
".com",
"denver",
"indicator role",
"title added",
"active related",
"pulses hostname",
"dead connect",
"hostile",
"adversarial",
"abuse",
"criminal intent",
"block messages",
"botnet"
],
"references": [
"fastwebnet.it | Cellebrite White Label Spyware Service",
"putrhnwl.exe",
"Yara Detections: Nullsoft_NSIS",
"Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut",
"Alerts: exe_appdata injection_process_search privilege_luid_check process_interest",
"Alerts: queries_programs antivm_queries_computername antivm_memory_available",
"IP\u2019s Contacted : 54.230.129.165",
"Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com",
"Domains Contacted: pitfall.divx.com www.google.com",
"RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Yara: Detections Tofsee",
"Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey",
"Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername",
"https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966",
"FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,",
"DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe",
"ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116",
"ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116",
"ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101",
"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108",
"ET TROJAN Suspicious double Server Header",
"ET DNS DNS Query to a .tk domain - Likey",
"ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101",
"Needs to be sorted. Actively being exploited on US",
"162.159.134.42 \u2022 https://cellebrite.com/",
"https://cellebrite.com/en/federal-government/",
"moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in",
"skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au",
"http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com",
"applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33",
"mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my",
"http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Germany",
"Ireland",
"Switzerland",
"Poland",
"Belgium",
"Netherlands",
"Sweden"
],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
},
{
"id": "Trojan:Win32/Emotet.PC!MTB",
"display_name": "Trojan:Win32/Emotet.PC!MTB",
"target": "/malware/Trojan:Win32/Emotet.PC!MTB"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Trojan:Win32/Danabot",
"display_name": "Trojan:Win32/Danabot",
"target": "/malware/Trojan:Win32/Danabot"
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Trojan:Win32/Aptdrop.RU",
"display_name": "Trojan:Win32/Aptdrop.RU",
"target": "/malware/Trojan:Win32/Aptdrop.RU"
},
{
"id": "Ransomware/Win.Stop.R4529",
"display_name": "Ransomware/Win.Stop.R4529",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Win32/BackdoorX",
"display_name": "Win32/BackdoorX",
"target": null
},
{
"id": "Win.Trojan.Dialog-9873788-0",
"display_name": "Win.Trojan.Dialog-9873788-0",
"target": null
},
{
"id": "Tsunami-6981155-0",
"display_name": "Tsunami-6981155-0",
"target": null
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1195",
"name": "Supply Chain Compromise",
"display_name": "T1195 - Supply Chain Compromise"
},
{
"id": "T1196",
"name": "Control Panel Items",
"display_name": "T1196 - Control Panel Items"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1414",
"name": "Capture Clipboard Data",
"display_name": "T1414 - Capture Clipboard Data"
},
{
"id": "T1505",
"name": "Server Software Component",
"display_name": "T1505 - Server Software Component"
},
{
"id": "T1556",
"name": "Modify Authentication Process",
"display_name": "T1556 - Modify Authentication Process"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1581",
"name": "Geofencing",
"display_name": "T1581 - Geofencing"
},
{
"id": "T1582",
"name": "SMS Control",
"display_name": "T1582 - SMS Control"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1587",
"name": "Develop Capabilities",
"display_name": "T1587 - Develop Capabilities"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [
"Journalists",
"Government",
"Civil Society"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4994,
"domain": 2519,
"hostname": 3281,
"FileHash-SHA256": 4467,
"FileHash-MD5": 1118,
"FileHash-SHA1": 1056,
"email": 12,
"SSLCertFingerprint": 1
},
"indicator_count": 17448,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "59 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac416596cd89cf76bce55",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:04:53.997000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac4327b5bc2e8be34f78a",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:22.323000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac438a696c993b672106d",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:28.261000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Pegasus | A targets devices are obviously infiltrated",
"Matches rule EternalRocks_svchost from ruleset crime_eternalrocks by Florian Roth (Nextron Systems)",
"ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.",
"Matches rule SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Ransomware)",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"ET TROJAN W32/Kegotip CnC Beacon",
"Matches rule POLICY-OTHER TOR Project domain request",
"ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101",
"ET DNS DNS Query to a .tk domain - Likey",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"okta-dev.gov2x.com",
"Yara Detections: Nullsoft_NSIS",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161",
"http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:",
"freedns.afraid.org",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 778",
"I apologize for the lack of reference.",
"Malware Hosting: 13.107.226.70",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 252",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Needs to be sorted. Actively being exploited on US",
"IDS Detections: Possible ETERNALROCKS .Net Module Download TLS Handshake Failure",
"Scanning Host: 13.107.246.70",
"https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"RULE_LINK: https://valhalla.nextron-systems.com/info/rule/EternalRocks_svchost_FR",
"https://cellebrite.com/en/federal-government/",
"Sprouts Farmers Market",
"RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK",
"DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe",
"apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co",
"sprouts@em.sprouts.com?",
"api.optimizer.insitemaxdev.gov2x.com",
"ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"Matches rule Suspicious History File Operat Mikhail Larin, oscd.community",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e",
"search.roi.ros.gov.uk",
"(The Shadow Brokers NSA dump) SMB exploits: ETERNALBLUE, ETERNALCHAMPION,",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"http://appleid.app",
"Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /",
"Strangely NSO Group The Lazarus Group The Shadow Brokers and others attack an individual",
"https://github.com/stamparm/EternalRocks",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"Domains Contacted api.nuget.org",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in",
"Domains Contacted: drive.usercontent.google.com",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com",
"NSA Exploits Used: The malware uses seven Shadow Brokers-leaked tools, including EternalBlue, EternalChampion,",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com",
"Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"Sabey , Ahmann, Quasi Government, Government",
"oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download",
"android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Yara Matches",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"It appears there are 5-7 known affected that I was able to find",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"fastwebnet.it | Cellebrite White Label Spyware Service",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Shelton, Nasreddine Bencherchali (Nextron stems",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Sigma Matches",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht",
"TNULL: unknown empty EMPTY FILEHASH-MD5 d41d8cd98f00b204e9800998ecf8427e",
"Alerts: queries_programs antivm_queries_computername antivm_memory_available",
"Matches rule SUSP_NET_NAME_ConfuserEx from ruleset gen_github_net_redteam_tools_names by Arnim Rupp",
"Requires further research.",
"Domains Contacted: pitfall.divx.com www.google.com",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,",
"Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com",
"ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116",
"Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks",
"EternalRocks MALWARE RANSOM TROJAN EVADER",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"Matches rule ET JA3 Hash - Possible Malwar RigEK/Cryptowall/Dridex",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"verify.gov.tl",
"putrhnwl.exe",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 815",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"https://www.anyxxxtube.net/search-porn/",
"The Blender Foundation",
"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"Matches rule SURICATA STREAM Packet with invalid timestamp",
"IDS Detections ET POLICY Suspicious User-Agent Containing .exe",
"https://www.fidelity.com/ https://www.fidelity.com/",
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"https://jviwczq.zc-apple.com/",
"applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33",
"Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"Denver, US 80211 http://library.verizon.onereach.ai",
"cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99",
"Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com",
"Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername",
"supply.qld.gov.au",
"Alerts: exe_appdata injection_process_search privilege_luid_check process_interest",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,TrojanDownloader:Win32/Eterock.A",
"mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"http://blackrock.work.gd/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name",
"fidelity-account.com e http://fidelity-account.com/fidelity/code.html",
"Yara: Detections Tofsee",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community",
"iot.insitemaxdev.gov2x.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.",
"Matches rule MALWARE-CNC DNS Fast Flux attempt",
"https://l.us-1.a.mimecastprotect.com/l",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 333",
"supplierportal.gov2x.com",
"Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit",
"website \u2022 http://oldapps.com/blender.php?old_blender=7584",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl",
"Alerts: network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_i",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"Same legal , and quasi governmental pattern identified",
"Dynamic sandbox CZAE flags this file as: STEALER",
"https://bhive.nectar.social/rKvoMY",
"Matches rule Windows Processes Suspicious Parent Directory by vburov",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"Matches rule ET JA3 Hash - [Abuse.ch] Possible Ransomware",
"pegasuspartners.followupboss.com",
"Matches rule DELETED SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt",
"Matches rule Uncommon Svchost Command Line Parameter by Liran Ravich",
"Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)",
"hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann",
"skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au",
"Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"Matches rule Uncommon Schost Parent Process by Florian Roth (Nextron Systems)",
"https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"http://wonporn.com/top/Pakistani_Sucking",
"The 2017 timeline accurately fits victim\u2019s major financial and other continuous First attacks began in 10/2013. Upgraded",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe",
"Matches rule ET POLICY TLS possible TOR SSL traffic",
"cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf",
"Yara Detections: EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966",
"Alerts: cape_detected_threat https_ urls",
"div>
",
"Matches rule INDICATOR_EXE_Packed_ConfuserEx from ruleset indicator_packed",
"ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116",
"EternalRomance, and EternalSynergy. Stealth",
"ET TROJAN Suspicious double Server Header",
"With so many \u2018officials\u2019 involved, it\u2019s hard to believe \u2018 The Shadow Brokers\u2019 isnt a government entity.",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,",
"REFERENCE: https://twitter.com/stamparm/status/864865144748298242 RULE_AUTHOR: Florian Roth",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"IP\u2019s Contacted : 54.230.129.165",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"162.159.134.42 \u2022 https://cellebrite.com/",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced IDS rules",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html",
"DESCRIPTION: Detects EternalRocks Malware - file taskhost.exe",
"Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.",
"EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"Yara Detections: SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost ,",
"https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Trendmicro",
"Trojan:win32/aptdrop.ru",
"#lowfienabledtcontinueafterunpacking",
"Generic36.adty",
"Trojandropper:win32/qhost",
"Sf:shellcode-au\\ [trj]",
"Win.trojan.agent-245901",
"Win64:trojan-gen",
"Alf:heraklezeval:trojan:win32/eqtonex.f",
"Win.trojan.cobaltstrike-9044898-1",
"Dnstrojan",
"Bouncycastle",
"Trojan:win32/conbea!rfn",
"Worm:win32/mofksys.rnd!mtb",
"Tofsee",
"Win.trojan.rootkit-4532",
"Worm.autorun-6180",
"W32/kegotip cnc",
"Win32:trojano-chf\\ [trj]",
"Win.trojan.injector-12138",
"Generic36.ajsm",
"Win32:trojanx-gen\\ [trj]",
"Alf:trojan:win32/anorocuriv.a",
"Icedid",
"Win.downloader.3867-1",
"Trojan:bat/musecador",
"Sf:shellcode-au",
"Win32/blacked",
"Crypt3.bxvc",
"Mirai",
"Downloader.generic13.cmtw",
"Win.trojan.dialog-9873788-0",
"Alf:trojan:win32/cryptwrapper.rt!mtb",
"Backdoor:linux/demonbot",
"Trojan:win32/miner.ka!mtb",
"Trojan:win32/smkldr.h!mtb",
"Win.trojan.fareit-82",
"Generic36.aiaa.dropper",
"Unix.trojan.tsunami-6981155-0",
"Slf:win64/cobpipe.a",
"Win32.injector",
"Pegasus",
"Exploit:powershell/cve-2017-0143",
"Win.trojan.emotet-9850453-0",
"Trojan:win32/emotet.pc!mtb",
"Trojandownloader:win32/cutwail.bs",
": alf:trojan:msil/azorult.ac!",
"Win32/backdoorx",
"Etpro",
"Trojan:win32/danabot",
"Alf:program:win32/webcompanion",
"Trojan.eternalrocks/shadowbrokers",
"#lowfi:lua:dllsuspiciousexport.a",
"W32.virut.ci",
"Alf:heraklezeval:trojan:msil/gravityrat",
"Backdoor:win32/tofsee.t",
"Virtool:win32/ceeinject.gen!ah",
"Worm:win32/autorun!atmn",
"Other malware",
"Ransomware/win.stop.r4529",
"Et",
"Win32:trojan-gen",
"Trojan:msil/ursu.kp",
"Win32/ramnit.a",
"Win32:evo-gen\\ [susp]",
"Trojan:pdf/phish.rr!mtb",
"Cve-2017-0148",
"Win.trojan.vbgeneric-6735875-0",
"#lowfi:hookwowlow",
"Alf:heraklezeval:trojan:win32/clipbanker",
"Hider.biy",
"Win32/virut",
"Mydoom",
"Eternalrocks",
"Trojan:win32/ausiv!rfn",
"Tsunami-6981155-0",
"Win.trojan.pushdo-15",
"Downloader.generic13.bobz"
],
"industries": [
"Civilians",
"Finance",
"Journalists",
"Legal",
"Civil society",
"Retail",
"Insurance",
"Telecom",
"Health",
"Government",
"Technology"
],
"unique_indicators": 83857
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/jmtstudios.org",
"whois": "http://whois.domaintools.com/jmtstudios.org",
"domain": "jmtstudios.org",
"hostname": "sa.jmtstudios.org"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 12,
"pulses": [
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b7cb05b2098c1d2bf20f",
"name": "federal goverment clone cellbrite credit q vashti",
"description": "",
"modified": "2026-03-12T12:55:39.046000",
"created": "2026-03-12T12:55:39.046000",
"tags": [
"url https",
"url http",
"germany",
"united",
"ukraine",
"japan",
"extraction",
"data upload",
"urls",
"url analysis",
"enter sc",
"extr",
"iocs",
"active",
"france unknown",
"present jan",
"servers",
"homair sweet",
"grabber",
"encrypt",
"ipv4",
"role title",
"divx",
"pitfall",
"internet",
"ip role",
"america asn",
"extraction data",
"leveibielabs",
"all se",
"enter source",
"url or",
"texirag",
"drop",
"present nov",
"united states",
"america",
"levdibidelabs",
"failed",
"idron anv",
"include manualv",
"review data",
"iterng",
"name servers",
"passive dns",
"incapsula",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"script head",
"request",
"cookie",
"indicator",
"msie",
"chrome",
"backdoor",
"gmt content",
"ipv4 add",
"twitter",
"title",
"process32nextw",
"ms windows",
"intel",
"pe32",
"regopenkeyexa",
"read c",
"medium",
"class",
"write",
"template",
"present oct",
"present jul",
"aaaa",
"present sep",
"present aug",
"url add",
"http",
"hostname",
"related tags",
"kx81xdbx0f",
"x86xd3",
"xa7xe28x06",
"x82xd4",
"delete c",
"regsetvalueexa",
"regbinary",
"xa1xf1",
"xe8xc2x14",
"malware",
"stream",
"unknown",
"win32",
"persistence",
"execution",
"push",
"present dec",
"italy",
"present jun",
"embeddedwb",
"whitelisted",
"windows nt",
"dns traffic",
"russia",
"cname",
"accept",
"destination",
"port",
"et smtp",
"message",
"et trojan",
"components",
"suspicious",
"download",
"hostile",
"next",
"logic",
"gather victim",
"et info",
"etpro trojan",
"trojan",
"report spam",
"interesting",
"created",
"pegasus",
"manipulation",
"service",
"capture",
"et",
"etpro",
"host",
"attack",
"mtb description",
"windows",
"shellexecuteexw",
"writeconsolew",
"registry",
"t1031",
"modify existing",
"dock",
"type indicator",
"added active",
"related pulses",
"arcflex",
"filehashsha1",
"types of",
"learn more",
"filehashsha256",
"cellebrite",
"white label",
"search",
"sha1",
"france",
"cmanual jan",
"expiration date",
"domain add",
"pulse submit",
"files",
"ip address",
"gmt cache",
"sameorigin",
"reverse dns",
"unknown ns",
"admin org",
"zipcode",
"gmt server",
"pulse pulses",
"entries",
"hostname add",
"verdict",
"germany unknown",
"status",
"domain",
"xpirat",
"netherlands",
"netherlands asn",
"as35280 acorus",
"dns resolutions",
"error",
"files ip",
"copy",
"telnet login",
"suspicious path",
"busybox",
"login attempt",
"gpl telnet",
"high",
"tcp syn",
"telnet root",
"path",
"mirai",
"emails",
"domain name",
"jlu11q",
"tqbplo",
"hours ago",
"found",
"yahoo",
"gmail",
"yandex",
"https://cellebrite.com/en/federal-government/",
"monitoring",
"monitored target",
"dangerous",
"spyware",
"80211",
"colorado",
"x amz",
"government",
"mirai login attempt",
"emotet",
"c2",
".ru",
".com",
"denver",
"indicator role",
"title added",
"active related",
"pulses hostname",
"dead connect",
"hostile",
"adversarial",
"abuse",
"criminal intent",
"block messages",
"botnet"
],
"references": [
"fastwebnet.it | Cellebrite White Label Spyware Service",
"putrhnwl.exe",
"Yara Detections: Nullsoft_NSIS",
"Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut",
"Alerts: exe_appdata injection_process_search privilege_luid_check process_interest",
"Alerts: queries_programs antivm_queries_computername antivm_memory_available",
"IP\u2019s Contacted : 54.230.129.165",
"Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com",
"Domains Contacted: pitfall.divx.com www.google.com",
"RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Yara: Detections Tofsee",
"Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey",
"Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername",
"https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966",
"FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,",
"DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe",
"ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116",
"ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116",
"ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101",
"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108",
"ET TROJAN Suspicious double Server Header",
"ET DNS DNS Query to a .tk domain - Likey",
"ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101",
"Needs to be sorted. Actively being exploited on US",
"162.159.134.42 \u2022 https://cellebrite.com/",
"https://cellebrite.com/en/federal-government/",
"moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in",
"skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au",
"http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com",
"applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33",
"mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my",
"http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Germany",
"Ireland",
"Switzerland",
"Poland",
"Belgium",
"Netherlands",
"Sweden"
],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
},
{
"id": "Trojan:Win32/Emotet.PC!MTB",
"display_name": "Trojan:Win32/Emotet.PC!MTB",
"target": "/malware/Trojan:Win32/Emotet.PC!MTB"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Trojan:Win32/Danabot",
"display_name": "Trojan:Win32/Danabot",
"target": "/malware/Trojan:Win32/Danabot"
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Trojan:Win32/Aptdrop.RU",
"display_name": "Trojan:Win32/Aptdrop.RU",
"target": "/malware/Trojan:Win32/Aptdrop.RU"
},
{
"id": "Ransomware/Win.Stop.R4529",
"display_name": "Ransomware/Win.Stop.R4529",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Win32/BackdoorX",
"display_name": "Win32/BackdoorX",
"target": null
},
{
"id": "Win.Trojan.Dialog-9873788-0",
"display_name": "Win.Trojan.Dialog-9873788-0",
"target": null
},
{
"id": "Tsunami-6981155-0",
"display_name": "Tsunami-6981155-0",
"target": null
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1195",
"name": "Supply Chain Compromise",
"display_name": "T1195 - Supply Chain Compromise"
},
{
"id": "T1196",
"name": "Control Panel Items",
"display_name": "T1196 - Control Panel Items"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1414",
"name": "Capture Clipboard Data",
"display_name": "T1414 - Capture Clipboard Data"
},
{
"id": "T1505",
"name": "Server Software Component",
"display_name": "T1505 - Server Software Component"
},
{
"id": "T1556",
"name": "Modify Authentication Process",
"display_name": "T1556 - Modify Authentication Process"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1581",
"name": "Geofencing",
"display_name": "T1581 - Geofencing"
},
{
"id": "T1582",
"name": "SMS Control",
"display_name": "T1582 - SMS Control"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1587",
"name": "Develop Capabilities",
"display_name": "T1587 - Develop Capabilities"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [
"Journalists",
"Government",
"Civil Society"
],
"TLP": "green",
"cloned_from": "696f7d467763ed4d4e74d133",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4994,
"domain": 2519,
"hostname": 3281,
"FileHash-SHA256": 4467,
"FileHash-MD5": 1118,
"FileHash-SHA1": 1056,
"email": 12,
"SSLCertFingerprint": 1
},
"indicator_count": 17448,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d69ecbc0497f97e28618",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:10.502000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "53 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d6a601f06adcd1ed22fc",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:18.022000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "53 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d6afd744c55bd596ed6e",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:27.248000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "53 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6975c5cd4db6104ea1a3d69b",
"name": "The Blender Foundation BouncyCastle-Virut | Malware /Stealer Empty FileHash | Eternal7 (Shadow Broker) Related",
"description": "Empty FileHash isn\u2019t benign. Interesting relationships to the Eternal 7. Malware, Stealer and Suspicious History File Operation. BouncyCastle-Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys / Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"modified": "2026-02-24T06:02:43.853000",
"created": "2026-01-25T07:27:09.640000",
"tags": [
"empty",
"blender",
"eurostile",
"augustin",
"butterfield",
"cook",
"drummer",
"erickson",
"fjsv",
"flynn",
"gorman",
"holmes",
"easy",
"rada",
"xanadu",
"config",
"reboot",
"screen",
"microsoft",
"commerce server",
"edition",
"draw",
"exchange server",
"tools",
"linux",
"ideal link",
"nsrl test",
"nist",
"file",
"cultureneutral",
"fix pack",
"free download",
"bouncycastle",
"read c",
"search",
"et trojan",
"w32kegotip cnc",
"whitelisted",
"ids detections",
"intel",
"write",
"trojan",
"malware",
"yara detections",
"productversion",
"fileversion",
"av detections",
"alerts",
"analysis date",
"file score",
"united",
"aaaa",
"passive dns",
"ip address",
"present dec",
"body html",
"head meta",
"title",
"urls",
"url https",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"beacon",
"et",
"ipv4",
"files",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"related pulses",
"show",
"win32virut",
"destination",
"port",
"ms windows",
"pe32",
"medium",
"suspicious",
"virustotal",
"startul",
"shadowbrokers",
"total",
"delete",
"artemis",
"win32.injector",
"trendmicro",
"data upload",
"extraction",
"included iocs"
],
"references": [
"The Blender Foundation",
"website \u2022 http://oldapps.com/blender.php?old_blender=7584",
"oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]",
"Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community",
"Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks",
"ET TROJAN W32/Kegotip CnC Beacon",
"IDS Detections ET POLICY Suspicious User-Agent Containing .exe",
"Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit",
"Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /",
"Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "BouncyCastle",
"display_name": "BouncyCastle",
"target": null
},
{
"id": "Sf:ShellCode-AU",
"display_name": "Sf:ShellCode-AU",
"target": null
},
{
"id": "Win.Trojan.Fareit-82",
"display_name": "Win.Trojan.Fareit-82",
"target": null
},
{
"id": "Win.Trojan.Agent-245901",
"display_name": "Win.Trojan.Agent-245901",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "W32/Kegotip CnC",
"display_name": "W32/Kegotip CnC",
"target": null
},
{
"id": "W32.Virut.ci",
"display_name": "W32.Virut.ci",
"target": null
},
{
"id": "Downloader.Generic13.CMTW",
"display_name": "Downloader.Generic13.CMTW",
"target": null
},
{
"id": "Downloader.Generic13.BOBZ",
"display_name": "Downloader.Generic13.BOBZ",
"target": null
},
{
"id": "Win.Trojan.Injector-12138",
"display_name": "Win.Trojan.Injector-12138",
"target": null
},
{
"id": "Generic36.ADTY",
"display_name": "Generic36.ADTY",
"target": null
},
{
"id": "Generic36.AIAA.Dropper",
"display_name": "Generic36.AIAA.Dropper",
"target": null
},
{
"id": "Generic36.AJSM",
"display_name": "Generic36.AJSM",
"target": null
},
{
"id": "Win32/Virut",
"display_name": "Win32/Virut",
"target": null
},
{
"id": "Win32/Ramnit.A",
"display_name": "Win32/Ramnit.A",
"target": null
},
{
"id": "Worm.Autorun-6180",
"display_name": "Worm.Autorun-6180",
"target": null
},
{
"id": "Hider.BIY",
"display_name": "Hider.BIY",
"target": null
},
{
"id": "Win.Trojan.Rootkit-4532",
"display_name": "Win.Trojan.Rootkit-4532",
"target": null
},
{
"id": "Win32/Blacked",
"display_name": "Win32/Blacked",
"target": null
},
{
"id": "Win32.Injector",
"display_name": "Win32.Injector",
"target": null
},
{
"id": "TrendMicro",
"display_name": "TrendMicro",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 71,
"FileHash-SHA256": 853,
"URL": 1639,
"domain": 288,
"FileHash-MD5": 78,
"hostname": 545
},
"indicator_count": 3474,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "54 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69754a5dd138f73f5cfdf78c",
"name": "EternalRocks (SHADOW BROKERS) MicroBotMassiveNet - NSA Exploits",
"description": "Exploited | Active | Continuous \n\u201cEternalRocks\u201d (also known as MicroBotMassiveNet) is a sophisticated computer worm discovered in May 2017 that targets Windows machines, utilizing seven different NSA-leaked exploits\u2014far more than the two used by the infamous WannaCry ransomware. Trend Micro and other security researchers highlighted the danger of this malware because, unlike WannaCry, it does not have a \"kill switch\" and is designed to create a backdoor for future, more severe, and adaptable attacks * While initially, it appeared to only act as a downloader for other tools, the danger lay in its potential to be weaponized for launching ransomware, Remote Access Trojans (RATs), or other malware at a later date. \nThank you Winston & Vogt",
"modified": "2026-02-23T19:02:00.548000",
"created": "2026-01-24T22:40:29.680000",
"tags": [
"regsetvalueexa",
"default",
"regdword",
"regbinary",
"module download",
"tls handshake",
"high",
"regsetvalueexw",
"malware",
"write",
"win32",
"ids detections",
"download tls",
"eternalrocks",
"nsa exploits",
"worm",
"cryptojackers",
"shadow brokers",
"ransom",
"ingress tool",
"channel",
"udp a83f8110",
"get http",
"get https",
"dns resolutions",
"root path",
"encrypted",
"native",
"required.exe",
"stolen toolset",
"cyber weapons",
"cyber warfare",
"autonomous",
"tor",
"dark web",
"black paper",
"nsa weapons",
"2017",
"tao?",
"targeting",
"breach",
"equation group tools",
"installer",
"stealer",
"apt",
"empty",
"not an exit node",
"empty file",
"tor relay router",
"traffic groups",
"traffic group 815",
"el tor",
"tor relay",
"traffic group 778",
"traffic group 238",
"traffic group 333",
"traffic group 333",
"node",
"traffic group 252",
"open_source_tool",
"confuserex",
"susp_net_name_confuserex",
"eternalrocks",
"svchost",
"eternalrocks_svchost_fr",
"obfuscated",
"susp_confuserex_obfuscated",
"encryption",
"module",
"msil",
"net",
"bing",
"android",
"libre",
"mcsf",
"microsoft",
"active attack",
"financial crimes",
"EternalBlue",
"EternalChampion",
"EternalRocks",
"Stealth",
"EternalSynergy",
"EternalRomance",
"checks-network-adapters",
"checks-user-input",
"crypto",
"detect-deb",
"environment",
"direct-cpu-clock-access",
"long-sleeps",
"runtime-modules"
],
"references": [
"EternalRocks MALWARE RANSOM TROJAN EVADER",
"The 2017 timeline accurately fits victim\u2019s major financial and other continuous First attacks began in 10/2013. Upgraded",
"With so many \u2018officials\u2019 involved, it\u2019s hard to believe \u2018 The Shadow Brokers\u2019 isnt a government entity.",
"Strangely NSO Group The Lazarus Group The Shadow Brokers and others attack an individual",
"Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,TrojanDownloader:Win32/Eterock.A",
"IDS Detections: Possible ETERNALROCKS .Net Module Download TLS Handshake Failure",
"Yara Detections: SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost ,",
"Yara Detections: EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"Alerts: network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_i",
"NSA Exploits Used: The malware uses seven Shadow Brokers-leaked tools, including EternalBlue, EternalChampion,",
"EternalRomance, and EternalSynergy. Stealth",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Yara Matches",
"Matches rule EternalRocks_svchost from ruleset crime_eternalrocks by Florian Roth (Nextron Systems)",
"Matches rule SUSP_NET_NAME_ConfuserEx from ruleset gen_github_net_redteam_tools_names by Arnim Rupp",
"Matches rule INDICATOR_EXE_Packed_ConfuserEx from ruleset indicator_packed",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Sigma Matches",
"Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"Matches rule Uncommon Svchost Command Line Parameter by Liran Ravich",
"Matches rule Uncommon Schost Parent Process by Florian Roth (Nextron Systems)",
"Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Shelton, Nasreddine Bencherchali (Nextron stems",
"Matches rule Windows Processes Suspicious Parent Directory by vburov",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced IDS rules",
"Matches rule DELETED SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt",
"Matches rule MALWARE-CNC DNS Fast Flux attempt",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 252",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 333",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 778",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 815",
"Matches rule ET POLICY TLS possible TOR SSL traffic",
"Matches rule ET JA3 Hash - Possible Malwar RigEK/Cryptowall/Dridex",
"Matches rule ET JA3 Hash - [Abuse.ch] Possible Ransomware",
"Matches rule SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Ransomware)",
"Matches rule POLICY-OTHER TOR Project domain request",
"Dynamic sandbox CZAE flags this file as: STEALER",
"https://github.com/stamparm/EternalRocks",
"(The Shadow Brokers NSA dump) SMB exploits: ETERNALBLUE, ETERNALCHAMPION,",
"ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.",
"REFERENCE: https://twitter.com/stamparm/status/864865144748298242 RULE_AUTHOR: Florian Roth",
"RULE_LINK: https://valhalla.nextron-systems.com/info/rule/EternalRocks_svchost_FR",
"DESCRIPTION: Detects EternalRocks Malware - file taskhost.exe",
"TNULL: unknown empty EMPTY FILEHASH-MD5 d41d8cd98f00b204e9800998ecf8427e",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"Matches rule Suspicious History File Operat Mikhail Larin, oscd.community",
"Matches rule SURICATA STREAM Packet with invalid timestamp"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "EternalRocks",
"display_name": "EternalRocks",
"target": null
},
{
"id": "CVE-2017-0148",
"display_name": "CVE-2017-0148",
"target": null
},
{
"id": "Exploit:PowerShell/CVE-2017-0143",
"display_name": "Exploit:PowerShell/CVE-2017-0143",
"target": "/malware/Exploit:PowerShell/CVE-2017-0143"
},
{
"id": "trojan.eternalrocks/shadowbrokers",
"display_name": "trojan.eternalrocks/shadowbrokers",
"target": null
}
],
"attack_ids": [
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1408",
"name": "Disguise Root/Jailbreak Indicators",
"display_name": "T1408 - Disguise Root/Jailbreak Indicators"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
}
],
"industries": [
"Finance",
"Government",
"Insurance",
"Civilians",
"Health"
],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 82,
"FileHash-SHA1": 76,
"FileHash-SHA256": 700,
"URL": 280,
"domain": 46,
"hostname": 233,
"CVE": 2
},
"indicator_count": 1419,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "54 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "697488f095f69d392afd00fb",
"name": "Fidelity Investments \u2022\u2019 EternalRocks | Financial Crimes",
"description": "Fidelity Life and Guarantee defaults to Fidelity Investments. Long standing issue. Possible phishing email interception. Multiple accounts stolen at the time a man who presents himself as M. Brian Sabey Esq. Elder/Estate attorney unable to\nsettle life claim more action was requested. Attorney repeatedly redirected to an investment team. We decided to use targets phone to\ntest results , payout is overdue. Illegal tactics were used to defraud victim/s.. Fraud operators ask for SSN and later state they cannot help. L of Fraud phone , \u2018team\u2019 cannot complete internal phone transfers.,can conference you in to other people who act confused , disheveled who also\nask for SSN. \n\nSince victims experiences less\nthan covert interactions, I\u2019m unclear as to why there is a strong FBI, CIA , Palantir Foundry presence. It\u2019s rattling . \nReiterating : Entity steals financial products, health , life insurance policies, investment accounts, credit card frauds , bank accounts,intellectual property anything of value.",
"modified": "2026-02-23T07:04:04.285000",
"created": "2026-01-24T08:55:12.845000",
"tags": [
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"ck techniques",
"evasion att",
"t1480 execution",
"href",
"ascii text",
"pattern match",
"mitre att",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"form",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"active related",
"url https",
"related pulses",
"url http",
"united",
"czechia",
"hong kong",
"ipv4",
"indicators hong",
"kong",
"south korea",
"netherlands",
"germany",
"ireland",
"denmark",
"sweden",
"active",
"government",
"finance",
"security",
"type indicator",
"yara detections",
"av detections",
"ids detections",
"alerts",
"analysis date",
"mcsf",
"microsoft",
"yara",
"insurance",
"fidelity investments",
"description",
"fidelity international",
"ms windows",
"pe32",
"writeconsolew",
"read c",
"pe32 executable",
"t1045",
"susp",
"write",
"win64",
"malware",
"modified",
"ck ids",
"t1040",
"sniffing",
"packing",
"t1112",
"packing t1045",
"icmp traffic",
"memcommit",
"pe section",
"low software",
"pe resource",
"win32",
"trojan",
"april",
"sara ligorria",
"tramp advert",
"black paper",
"createdate",
"subject laser",
"title laser",
"format",
"types of",
"japan",
"regsetvalueexa",
"regdword",
"regbinary",
"module download",
"tls handshake",
"high",
"defense evasion",
"discovery att",
"adversaries",
"title",
"role",
"flag",
"name server",
"server",
"domain address",
"markmonitor",
"clicktale ltd",
"enom",
"whoisguard",
"medium",
"unicode",
"rgba",
"delete",
"crlf line",
"next",
"dock",
"execution",
"date",
"users",
"tls sni",
"total",
"cnc domain",
"search",
"oamazon",
"cnamazon rsa",
"push",
"failure yara",
"contacted",
"hours ago",
"created",
"cia",
"fbi",
"telegram",
"tulach",
"sabey",
"state",
"gov",
"ahmann",
"financial fraud",
"t-mobile",
"walmartmobile",
"life insurance",
"fidelity life",
"guarantee",
"team",
"role title",
"added active",
"scan",
"iocs",
"learn more",
"filehashsha1",
"filehashmd5",
"kw3recepten",
"domainname0",
"searchbox0",
"kw1brinta",
"kw2muesli",
"indicator role",
"title added",
"pulses url",
"cve cve20170147",
"apple",
"apple id"
],
"references": [
"https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226",
"https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com",
"http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com",
"https://bhive.nectar.social/rKvoMY",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe",
"ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,",
"TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161",
"Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.",
"EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name",
"Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.",
"Domains Contacted api.nuget.org",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png",
"https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.fidelity.com/ https://www.fidelity.com/",
"cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99",
"cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl",
"https://www.anyxxxtube.net/search-porn/",
"https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears",
"fidelity-account.com e http://fidelity-account.com/fidelity/code.html",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex",
"http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022",
"\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:",
"https://bhive.nectar.social/rKvoMY",
"apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co",
"http://appleid.app",
"https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win64:Trojan-gen",
"display_name": "Win64:Trojan-gen",
"target": null
},
{
"id": "Trojan:MSIL/Ursu.KP",
"display_name": "Trojan:MSIL/Ursu.KP",
"target": "/malware/Trojan:MSIL/Ursu.KP"
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F",
"target": null
},
{
"id": "Trojan:PDF/Phish.RR!MTB",
"display_name": "Trojan:PDF/Phish.RR!MTB",
"target": "/malware/Trojan:PDF/Phish.RR!MTB"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": ": ALF:Trojan:MSIL/Azorult.AC!",
"display_name": ": ALF:Trojan:MSIL/Azorult.AC!",
"target": null
},
{
"id": "ALF:Trojan:Win32/CryptWrapper.RT!MTB",
"display_name": "ALF:Trojan:Win32/CryptWrapper.RT!MTB",
"target": null
},
{
"id": "Trojan:Win32/Conbea!rfn",
"display_name": "Trojan:Win32/Conbea!rfn",
"target": "/malware/Trojan:Win32/Conbea!rfn"
},
{
"id": "Trojan:Win32/Ausiv!rfn",
"display_name": "Trojan:Win32/Ausiv!rfn",
"target": "/malware/Trojan:Win32/Ausiv!rfn"
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat",
"target": null
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "TrojanDropper:Win32/Qhost",
"display_name": "TrojanDropper:Win32/Qhost",
"target": "/malware/TrojanDropper:Win32/Qhost"
},
{
"id": "Trojan:Win32/Miner.KA!MTB",
"display_name": "Trojan:Win32/Miner.KA!MTB",
"target": "/malware/Trojan:Win32/Miner.KA!MTB"
},
{
"id": "DNSTrojan",
"display_name": "DNSTrojan",
"target": null
},
{
"id": "EternalRocks",
"display_name": "EternalRocks",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Government",
"Finance",
"Insurance"
],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2793,
"URL": 6639,
"FileHash-SHA256": 2462,
"domain": 1070,
"FileHash-MD5": 307,
"FileHash-SHA1": 186,
"SSLCertFingerprint": 1,
"email": 1,
"CVE": 3
},
"indicator_count": 13462,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "55 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696f7d467763ed4d4e74d133",
"name": "Federal Government-Cellebrite Attack found actively targeting iOS and other devices | Mirai login attempts | TelNet Login",
"description": "https://cellebrite.com/en/federal-government/ | Found on a crime victims devices. Targets abused by spyware in an unethical manner by andvesarial \u2018governmental\u2019 possibly \u2018contracted\u2019 entities. Waged against targets such as victims of crime , journalists , researchers , students. Target Users: Serves public safety, enterprise, and government sectors, aiding first responders, investigators, prosecutors, and analysts. How it's Used Law enforcement uses it to unlock devices and retrieve evidence like messages, location history, and app data for criminal investigations. It helps uncover critical information from digital devices, even recovering data that users thought was permanently deleted. Controversy & Privacy Concerns While marketed as a tool for lawful investigations, its powerful data extraction capabilities raise significant privacy concerns and ethical debates.",
"modified": "2026-02-19T12:05:47.166000",
"created": "2026-01-20T13:04:06.622000",
"tags": [
"url https",
"url http",
"germany",
"united",
"ukraine",
"japan",
"extraction",
"data upload",
"urls",
"url analysis",
"enter sc",
"extr",
"iocs",
"active",
"france unknown",
"present jan",
"servers",
"homair sweet",
"grabber",
"encrypt",
"ipv4",
"role title",
"divx",
"pitfall",
"internet",
"ip role",
"america asn",
"extraction data",
"leveibielabs",
"all se",
"enter source",
"url or",
"texirag",
"drop",
"present nov",
"united states",
"america",
"levdibidelabs",
"failed",
"idron anv",
"include manualv",
"review data",
"iterng",
"name servers",
"passive dns",
"incapsula",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"script head",
"request",
"cookie",
"indicator",
"msie",
"chrome",
"backdoor",
"gmt content",
"ipv4 add",
"twitter",
"title",
"process32nextw",
"ms windows",
"intel",
"pe32",
"regopenkeyexa",
"read c",
"medium",
"class",
"write",
"template",
"present oct",
"present jul",
"aaaa",
"present sep",
"present aug",
"url add",
"http",
"hostname",
"related tags",
"kx81xdbx0f",
"x86xd3",
"xa7xe28x06",
"x82xd4",
"delete c",
"regsetvalueexa",
"regbinary",
"xa1xf1",
"xe8xc2x14",
"malware",
"stream",
"unknown",
"win32",
"persistence",
"execution",
"push",
"present dec",
"italy",
"present jun",
"embeddedwb",
"whitelisted",
"windows nt",
"dns traffic",
"russia",
"cname",
"accept",
"destination",
"port",
"et smtp",
"message",
"et trojan",
"components",
"suspicious",
"download",
"hostile",
"next",
"logic",
"gather victim",
"et info",
"etpro trojan",
"trojan",
"report spam",
"interesting",
"created",
"pegasus",
"manipulation",
"service",
"capture",
"et",
"etpro",
"host",
"attack",
"mtb description",
"windows",
"shellexecuteexw",
"writeconsolew",
"registry",
"t1031",
"modify existing",
"dock",
"type indicator",
"added active",
"related pulses",
"arcflex",
"filehashsha1",
"types of",
"learn more",
"filehashsha256",
"cellebrite",
"white label",
"search",
"sha1",
"france",
"cmanual jan",
"expiration date",
"domain add",
"pulse submit",
"files",
"ip address",
"gmt cache",
"sameorigin",
"reverse dns",
"unknown ns",
"admin org",
"zipcode",
"gmt server",
"pulse pulses",
"entries",
"hostname add",
"verdict",
"germany unknown",
"status",
"domain",
"xpirat",
"netherlands",
"netherlands asn",
"as35280 acorus",
"dns resolutions",
"error",
"files ip",
"copy",
"telnet login",
"suspicious path",
"busybox",
"login attempt",
"gpl telnet",
"high",
"tcp syn",
"telnet root",
"path",
"mirai",
"emails",
"domain name",
"jlu11q",
"tqbplo",
"hours ago",
"found",
"yahoo",
"gmail",
"yandex",
"https://cellebrite.com/en/federal-government/",
"monitoring",
"monitored target",
"dangerous",
"spyware",
"80211",
"colorado",
"x amz",
"government",
"mirai login attempt",
"emotet",
"c2",
".ru",
".com",
"denver",
"indicator role",
"title added",
"active related",
"pulses hostname",
"dead connect",
"hostile",
"adversarial",
"abuse",
"criminal intent",
"block messages",
"botnet"
],
"references": [
"fastwebnet.it | Cellebrite White Label Spyware Service",
"putrhnwl.exe",
"Yara Detections: Nullsoft_NSIS",
"Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut",
"Alerts: exe_appdata injection_process_search privilege_luid_check process_interest",
"Alerts: queries_programs antivm_queries_computername antivm_memory_available",
"IP\u2019s Contacted : 54.230.129.165",
"Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com",
"Domains Contacted: pitfall.divx.com www.google.com",
"RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Yara: Detections Tofsee",
"Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey",
"Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername",
"https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966",
"FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,",
"DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe",
"ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116",
"ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116",
"ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101",
"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108",
"ET TROJAN Suspicious double Server Header",
"ET DNS DNS Query to a .tk domain - Likey",
"ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101",
"Needs to be sorted. Actively being exploited on US",
"162.159.134.42 \u2022 https://cellebrite.com/",
"https://cellebrite.com/en/federal-government/",
"moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in",
"skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au",
"http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com",
"applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33",
"mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my",
"http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Germany",
"Ireland",
"Switzerland",
"Poland",
"Belgium",
"Netherlands",
"Sweden"
],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
},
{
"id": "Trojan:Win32/Emotet.PC!MTB",
"display_name": "Trojan:Win32/Emotet.PC!MTB",
"target": "/malware/Trojan:Win32/Emotet.PC!MTB"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Trojan:Win32/Danabot",
"display_name": "Trojan:Win32/Danabot",
"target": "/malware/Trojan:Win32/Danabot"
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Trojan:Win32/Aptdrop.RU",
"display_name": "Trojan:Win32/Aptdrop.RU",
"target": "/malware/Trojan:Win32/Aptdrop.RU"
},
{
"id": "Ransomware/Win.Stop.R4529",
"display_name": "Ransomware/Win.Stop.R4529",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Win32/BackdoorX",
"display_name": "Win32/BackdoorX",
"target": null
},
{
"id": "Win.Trojan.Dialog-9873788-0",
"display_name": "Win.Trojan.Dialog-9873788-0",
"target": null
},
{
"id": "Tsunami-6981155-0",
"display_name": "Tsunami-6981155-0",
"target": null
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1195",
"name": "Supply Chain Compromise",
"display_name": "T1195 - Supply Chain Compromise"
},
{
"id": "T1196",
"name": "Control Panel Items",
"display_name": "T1196 - Control Panel Items"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1414",
"name": "Capture Clipboard Data",
"display_name": "T1414 - Capture Clipboard Data"
},
{
"id": "T1505",
"name": "Server Software Component",
"display_name": "T1505 - Server Software Component"
},
{
"id": "T1556",
"name": "Modify Authentication Process",
"display_name": "T1556 - Modify Authentication Process"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1581",
"name": "Geofencing",
"display_name": "T1581 - Geofencing"
},
{
"id": "T1582",
"name": "SMS Control",
"display_name": "T1582 - SMS Control"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1587",
"name": "Develop Capabilities",
"display_name": "T1587 - Develop Capabilities"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [
"Journalists",
"Government",
"Civil Society"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4994,
"domain": 2519,
"hostname": 3281,
"FileHash-SHA256": 4467,
"FileHash-MD5": 1118,
"FileHash-SHA1": 1056,
"email": 12,
"SSLCertFingerprint": 1
},
"indicator_count": 17448,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "59 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac416596cd89cf76bce55",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:04:53.997000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://sa.jmtstudios.org/",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://sa.jmtstudios.org/",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776622631.2884605
}