{
"type": "URL",
"indicator": "https://sa.josht.ca/",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://sa.josht.ca/",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4154664613,
"indicator": "https://sa.josht.ca/",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 16,
"pulses": [
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b7cb05b2098c1d2bf20f",
"name": "federal goverment clone cellbrite credit q vashti",
"description": "",
"modified": "2026-03-12T12:55:39.046000",
"created": "2026-03-12T12:55:39.046000",
"tags": [
"url https",
"url http",
"germany",
"united",
"ukraine",
"japan",
"extraction",
"data upload",
"urls",
"url analysis",
"enter sc",
"extr",
"iocs",
"active",
"france unknown",
"present jan",
"servers",
"homair sweet",
"grabber",
"encrypt",
"ipv4",
"role title",
"divx",
"pitfall",
"internet",
"ip role",
"america asn",
"extraction data",
"leveibielabs",
"all se",
"enter source",
"url or",
"texirag",
"drop",
"present nov",
"united states",
"america",
"levdibidelabs",
"failed",
"idron anv",
"include manualv",
"review data",
"iterng",
"name servers",
"passive dns",
"incapsula",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"script head",
"request",
"cookie",
"indicator",
"msie",
"chrome",
"backdoor",
"gmt content",
"ipv4 add",
"twitter",
"title",
"process32nextw",
"ms windows",
"intel",
"pe32",
"regopenkeyexa",
"read c",
"medium",
"class",
"write",
"template",
"present oct",
"present jul",
"aaaa",
"present sep",
"present aug",
"url add",
"http",
"hostname",
"related tags",
"kx81xdbx0f",
"x86xd3",
"xa7xe28x06",
"x82xd4",
"delete c",
"regsetvalueexa",
"regbinary",
"xa1xf1",
"xe8xc2x14",
"malware",
"stream",
"unknown",
"win32",
"persistence",
"execution",
"push",
"present dec",
"italy",
"present jun",
"embeddedwb",
"whitelisted",
"windows nt",
"dns traffic",
"russia",
"cname",
"accept",
"destination",
"port",
"et smtp",
"message",
"et trojan",
"components",
"suspicious",
"download",
"hostile",
"next",
"logic",
"gather victim",
"et info",
"etpro trojan",
"trojan",
"report spam",
"interesting",
"created",
"pegasus",
"manipulation",
"service",
"capture",
"et",
"etpro",
"host",
"attack",
"mtb description",
"windows",
"shellexecuteexw",
"writeconsolew",
"registry",
"t1031",
"modify existing",
"dock",
"type indicator",
"added active",
"related pulses",
"arcflex",
"filehashsha1",
"types of",
"learn more",
"filehashsha256",
"cellebrite",
"white label",
"search",
"sha1",
"france",
"cmanual jan",
"expiration date",
"domain add",
"pulse submit",
"files",
"ip address",
"gmt cache",
"sameorigin",
"reverse dns",
"unknown ns",
"admin org",
"zipcode",
"gmt server",
"pulse pulses",
"entries",
"hostname add",
"verdict",
"germany unknown",
"status",
"domain",
"xpirat",
"netherlands",
"netherlands asn",
"as35280 acorus",
"dns resolutions",
"error",
"files ip",
"copy",
"telnet login",
"suspicious path",
"busybox",
"login attempt",
"gpl telnet",
"high",
"tcp syn",
"telnet root",
"path",
"mirai",
"emails",
"domain name",
"jlu11q",
"tqbplo",
"hours ago",
"found",
"yahoo",
"gmail",
"yandex",
"https://cellebrite.com/en/federal-government/",
"monitoring",
"monitored target",
"dangerous",
"spyware",
"80211",
"colorado",
"x amz",
"government",
"mirai login attempt",
"emotet",
"c2",
".ru",
".com",
"denver",
"indicator role",
"title added",
"active related",
"pulses hostname",
"dead connect",
"hostile",
"adversarial",
"abuse",
"criminal intent",
"block messages",
"botnet"
],
"references": [
"fastwebnet.it | Cellebrite White Label Spyware Service",
"putrhnwl.exe",
"Yara Detections: Nullsoft_NSIS",
"Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut",
"Alerts: exe_appdata injection_process_search privilege_luid_check process_interest",
"Alerts: queries_programs antivm_queries_computername antivm_memory_available",
"IP\u2019s Contacted : 54.230.129.165",
"Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com",
"Domains Contacted: pitfall.divx.com www.google.com",
"RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Yara: Detections Tofsee",
"Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey",
"Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername",
"https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966",
"FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,",
"DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe",
"ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116",
"ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116",
"ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101",
"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108",
"ET TROJAN Suspicious double Server Header",
"ET DNS DNS Query to a .tk domain - Likey",
"ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101",
"Needs to be sorted. Actively being exploited on US",
"162.159.134.42 \u2022 https://cellebrite.com/",
"https://cellebrite.com/en/federal-government/",
"moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in",
"skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au",
"http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com",
"applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33",
"mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my",
"http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Germany",
"Ireland",
"Switzerland",
"Poland",
"Belgium",
"Netherlands",
"Sweden"
],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
},
{
"id": "Trojan:Win32/Emotet.PC!MTB",
"display_name": "Trojan:Win32/Emotet.PC!MTB",
"target": "/malware/Trojan:Win32/Emotet.PC!MTB"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Trojan:Win32/Danabot",
"display_name": "Trojan:Win32/Danabot",
"target": "/malware/Trojan:Win32/Danabot"
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Trojan:Win32/Aptdrop.RU",
"display_name": "Trojan:Win32/Aptdrop.RU",
"target": "/malware/Trojan:Win32/Aptdrop.RU"
},
{
"id": "Ransomware/Win.Stop.R4529",
"display_name": "Ransomware/Win.Stop.R4529",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Win32/BackdoorX",
"display_name": "Win32/BackdoorX",
"target": null
},
{
"id": "Win.Trojan.Dialog-9873788-0",
"display_name": "Win.Trojan.Dialog-9873788-0",
"target": null
},
{
"id": "Tsunami-6981155-0",
"display_name": "Tsunami-6981155-0",
"target": null
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1195",
"name": "Supply Chain Compromise",
"display_name": "T1195 - Supply Chain Compromise"
},
{
"id": "T1196",
"name": "Control Panel Items",
"display_name": "T1196 - Control Panel Items"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1414",
"name": "Capture Clipboard Data",
"display_name": "T1414 - Capture Clipboard Data"
},
{
"id": "T1505",
"name": "Server Software Component",
"display_name": "T1505 - Server Software Component"
},
{
"id": "T1556",
"name": "Modify Authentication Process",
"display_name": "T1556 - Modify Authentication Process"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1581",
"name": "Geofencing",
"display_name": "T1581 - Geofencing"
},
{
"id": "T1582",
"name": "SMS Control",
"display_name": "T1582 - SMS Control"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1587",
"name": "Develop Capabilities",
"display_name": "T1587 - Develop Capabilities"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [
"Journalists",
"Government",
"Civil Society"
],
"TLP": "green",
"cloned_from": "696f7d467763ed4d4e74d133",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4994,
"domain": 2519,
"hostname": 3281,
"FileHash-SHA256": 4467,
"FileHash-MD5": 1118,
"FileHash-SHA1": 1056,
"email": 12,
"SSLCertFingerprint": 1
},
"indicator_count": 17448,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "37 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d69ecbc0497f97e28618",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:10.502000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "53 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d6a601f06adcd1ed22fc",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:18.022000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "53 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d6afd744c55bd596ed6e",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:27.248000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "53 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6975c5cd4db6104ea1a3d69b",
"name": "The Blender Foundation BouncyCastle-Virut | Malware /Stealer Empty FileHash | Eternal7 (Shadow Broker) Related",
"description": "Empty FileHash isn\u2019t benign. Interesting relationships to the Eternal 7. Malware, Stealer and Suspicious History File Operation. BouncyCastle-Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys / Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"modified": "2026-02-24T06:02:43.853000",
"created": "2026-01-25T07:27:09.640000",
"tags": [
"empty",
"blender",
"eurostile",
"augustin",
"butterfield",
"cook",
"drummer",
"erickson",
"fjsv",
"flynn",
"gorman",
"holmes",
"easy",
"rada",
"xanadu",
"config",
"reboot",
"screen",
"microsoft",
"commerce server",
"edition",
"draw",
"exchange server",
"tools",
"linux",
"ideal link",
"nsrl test",
"nist",
"file",
"cultureneutral",
"fix pack",
"free download",
"bouncycastle",
"read c",
"search",
"et trojan",
"w32kegotip cnc",
"whitelisted",
"ids detections",
"intel",
"write",
"trojan",
"malware",
"yara detections",
"productversion",
"fileversion",
"av detections",
"alerts",
"analysis date",
"file score",
"united",
"aaaa",
"passive dns",
"ip address",
"present dec",
"body html",
"head meta",
"title",
"urls",
"url https",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"beacon",
"et",
"ipv4",
"files",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"related pulses",
"show",
"win32virut",
"destination",
"port",
"ms windows",
"pe32",
"medium",
"suspicious",
"virustotal",
"startul",
"shadowbrokers",
"total",
"delete",
"artemis",
"win32.injector",
"trendmicro",
"data upload",
"extraction",
"included iocs"
],
"references": [
"The Blender Foundation",
"website \u2022 http://oldapps.com/blender.php?old_blender=7584",
"oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]",
"Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community",
"Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks",
"ET TROJAN W32/Kegotip CnC Beacon",
"IDS Detections ET POLICY Suspicious User-Agent Containing .exe",
"Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit",
"Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /",
"Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "BouncyCastle",
"display_name": "BouncyCastle",
"target": null
},
{
"id": "Sf:ShellCode-AU",
"display_name": "Sf:ShellCode-AU",
"target": null
},
{
"id": "Win.Trojan.Fareit-82",
"display_name": "Win.Trojan.Fareit-82",
"target": null
},
{
"id": "Win.Trojan.Agent-245901",
"display_name": "Win.Trojan.Agent-245901",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "W32/Kegotip CnC",
"display_name": "W32/Kegotip CnC",
"target": null
},
{
"id": "W32.Virut.ci",
"display_name": "W32.Virut.ci",
"target": null
},
{
"id": "Downloader.Generic13.CMTW",
"display_name": "Downloader.Generic13.CMTW",
"target": null
},
{
"id": "Downloader.Generic13.BOBZ",
"display_name": "Downloader.Generic13.BOBZ",
"target": null
},
{
"id": "Win.Trojan.Injector-12138",
"display_name": "Win.Trojan.Injector-12138",
"target": null
},
{
"id": "Generic36.ADTY",
"display_name": "Generic36.ADTY",
"target": null
},
{
"id": "Generic36.AIAA.Dropper",
"display_name": "Generic36.AIAA.Dropper",
"target": null
},
{
"id": "Generic36.AJSM",
"display_name": "Generic36.AJSM",
"target": null
},
{
"id": "Win32/Virut",
"display_name": "Win32/Virut",
"target": null
},
{
"id": "Win32/Ramnit.A",
"display_name": "Win32/Ramnit.A",
"target": null
},
{
"id": "Worm.Autorun-6180",
"display_name": "Worm.Autorun-6180",
"target": null
},
{
"id": "Hider.BIY",
"display_name": "Hider.BIY",
"target": null
},
{
"id": "Win.Trojan.Rootkit-4532",
"display_name": "Win.Trojan.Rootkit-4532",
"target": null
},
{
"id": "Win32/Blacked",
"display_name": "Win32/Blacked",
"target": null
},
{
"id": "Win32.Injector",
"display_name": "Win32.Injector",
"target": null
},
{
"id": "TrendMicro",
"display_name": "TrendMicro",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 71,
"FileHash-SHA256": 853,
"URL": 1639,
"domain": 288,
"FileHash-MD5": 78,
"hostname": 545
},
"indicator_count": 3474,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "54 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69754a5dd138f73f5cfdf78c",
"name": "EternalRocks (SHADOW BROKERS) MicroBotMassiveNet - NSA Exploits",
"description": "Exploited | Active | Continuous \n\u201cEternalRocks\u201d (also known as MicroBotMassiveNet) is a sophisticated computer worm discovered in May 2017 that targets Windows machines, utilizing seven different NSA-leaked exploits\u2014far more than the two used by the infamous WannaCry ransomware. Trend Micro and other security researchers highlighted the danger of this malware because, unlike WannaCry, it does not have a \"kill switch\" and is designed to create a backdoor for future, more severe, and adaptable attacks * While initially, it appeared to only act as a downloader for other tools, the danger lay in its potential to be weaponized for launching ransomware, Remote Access Trojans (RATs), or other malware at a later date. \nThank you Winston & Vogt",
"modified": "2026-02-23T19:02:00.548000",
"created": "2026-01-24T22:40:29.680000",
"tags": [
"regsetvalueexa",
"default",
"regdword",
"regbinary",
"module download",
"tls handshake",
"high",
"regsetvalueexw",
"malware",
"write",
"win32",
"ids detections",
"download tls",
"eternalrocks",
"nsa exploits",
"worm",
"cryptojackers",
"shadow brokers",
"ransom",
"ingress tool",
"channel",
"udp a83f8110",
"get http",
"get https",
"dns resolutions",
"root path",
"encrypted",
"native",
"required.exe",
"stolen toolset",
"cyber weapons",
"cyber warfare",
"autonomous",
"tor",
"dark web",
"black paper",
"nsa weapons",
"2017",
"tao?",
"targeting",
"breach",
"equation group tools",
"installer",
"stealer",
"apt",
"empty",
"not an exit node",
"empty file",
"tor relay router",
"traffic groups",
"traffic group 815",
"el tor",
"tor relay",
"traffic group 778",
"traffic group 238",
"traffic group 333",
"traffic group 333",
"node",
"traffic group 252",
"open_source_tool",
"confuserex",
"susp_net_name_confuserex",
"eternalrocks",
"svchost",
"eternalrocks_svchost_fr",
"obfuscated",
"susp_confuserex_obfuscated",
"encryption",
"module",
"msil",
"net",
"bing",
"android",
"libre",
"mcsf",
"microsoft",
"active attack",
"financial crimes",
"EternalBlue",
"EternalChampion",
"EternalRocks",
"Stealth",
"EternalSynergy",
"EternalRomance",
"checks-network-adapters",
"checks-user-input",
"crypto",
"detect-deb",
"environment",
"direct-cpu-clock-access",
"long-sleeps",
"runtime-modules"
],
"references": [
"EternalRocks MALWARE RANSOM TROJAN EVADER",
"The 2017 timeline accurately fits victim\u2019s major financial and other continuous First attacks began in 10/2013. Upgraded",
"With so many \u2018officials\u2019 involved, it\u2019s hard to believe \u2018 The Shadow Brokers\u2019 isnt a government entity.",
"Strangely NSO Group The Lazarus Group The Shadow Brokers and others attack an individual",
"Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,TrojanDownloader:Win32/Eterock.A",
"IDS Detections: Possible ETERNALROCKS .Net Module Download TLS Handshake Failure",
"Yara Detections: SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost ,",
"Yara Detections: EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"Alerts: network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_i",
"NSA Exploits Used: The malware uses seven Shadow Brokers-leaked tools, including EternalBlue, EternalChampion,",
"EternalRomance, and EternalSynergy. Stealth",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Yara Matches",
"Matches rule EternalRocks_svchost from ruleset crime_eternalrocks by Florian Roth (Nextron Systems)",
"Matches rule SUSP_NET_NAME_ConfuserEx from ruleset gen_github_net_redteam_tools_names by Arnim Rupp",
"Matches rule INDICATOR_EXE_Packed_ConfuserEx from ruleset indicator_packed",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Sigma Matches",
"Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"Matches rule Uncommon Svchost Command Line Parameter by Liran Ravich",
"Matches rule Uncommon Schost Parent Process by Florian Roth (Nextron Systems)",
"Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Shelton, Nasreddine Bencherchali (Nextron stems",
"Matches rule Windows Processes Suspicious Parent Directory by vburov",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced IDS rules",
"Matches rule DELETED SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt",
"Matches rule MALWARE-CNC DNS Fast Flux attempt",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 252",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 333",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 778",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 815",
"Matches rule ET POLICY TLS possible TOR SSL traffic",
"Matches rule ET JA3 Hash - Possible Malwar RigEK/Cryptowall/Dridex",
"Matches rule ET JA3 Hash - [Abuse.ch] Possible Ransomware",
"Matches rule SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Ransomware)",
"Matches rule POLICY-OTHER TOR Project domain request",
"Dynamic sandbox CZAE flags this file as: STEALER",
"https://github.com/stamparm/EternalRocks",
"(The Shadow Brokers NSA dump) SMB exploits: ETERNALBLUE, ETERNALCHAMPION,",
"ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.",
"REFERENCE: https://twitter.com/stamparm/status/864865144748298242 RULE_AUTHOR: Florian Roth",
"RULE_LINK: https://valhalla.nextron-systems.com/info/rule/EternalRocks_svchost_FR",
"DESCRIPTION: Detects EternalRocks Malware - file taskhost.exe",
"TNULL: unknown empty EMPTY FILEHASH-MD5 d41d8cd98f00b204e9800998ecf8427e",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"Matches rule Suspicious History File Operat Mikhail Larin, oscd.community",
"Matches rule SURICATA STREAM Packet with invalid timestamp"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "EternalRocks",
"display_name": "EternalRocks",
"target": null
},
{
"id": "CVE-2017-0148",
"display_name": "CVE-2017-0148",
"target": null
},
{
"id": "Exploit:PowerShell/CVE-2017-0143",
"display_name": "Exploit:PowerShell/CVE-2017-0143",
"target": "/malware/Exploit:PowerShell/CVE-2017-0143"
},
{
"id": "trojan.eternalrocks/shadowbrokers",
"display_name": "trojan.eternalrocks/shadowbrokers",
"target": null
}
],
"attack_ids": [
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1408",
"name": "Disguise Root/Jailbreak Indicators",
"display_name": "T1408 - Disguise Root/Jailbreak Indicators"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
}
],
"industries": [
"Finance",
"Government",
"Insurance",
"Civilians",
"Health"
],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 82,
"FileHash-SHA1": 76,
"FileHash-SHA256": 700,
"URL": 280,
"domain": 46,
"hostname": 233,
"CVE": 2
},
"indicator_count": 1419,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "54 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "697488f095f69d392afd00fb",
"name": "Fidelity Investments \u2022\u2019 EternalRocks | Financial Crimes",
"description": "Fidelity Life and Guarantee defaults to Fidelity Investments. Long standing issue. Possible phishing email interception. Multiple accounts stolen at the time a man who presents himself as M. Brian Sabey Esq. Elder/Estate attorney unable to\nsettle life claim more action was requested. Attorney repeatedly redirected to an investment team. We decided to use targets phone to\ntest results , payout is overdue. Illegal tactics were used to defraud victim/s.. Fraud operators ask for SSN and later state they cannot help. L of Fraud phone , \u2018team\u2019 cannot complete internal phone transfers.,can conference you in to other people who act confused , disheveled who also\nask for SSN. \n\nSince victims experiences less\nthan covert interactions, I\u2019m unclear as to why there is a strong FBI, CIA , Palantir Foundry presence. It\u2019s rattling . \nReiterating : Entity steals financial products, health , life insurance policies, investment accounts, credit card frauds , bank accounts,intellectual property anything of value.",
"modified": "2026-02-23T07:04:04.285000",
"created": "2026-01-24T08:55:12.845000",
"tags": [
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"ck techniques",
"evasion att",
"t1480 execution",
"href",
"ascii text",
"pattern match",
"mitre att",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"form",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"active related",
"url https",
"related pulses",
"url http",
"united",
"czechia",
"hong kong",
"ipv4",
"indicators hong",
"kong",
"south korea",
"netherlands",
"germany",
"ireland",
"denmark",
"sweden",
"active",
"government",
"finance",
"security",
"type indicator",
"yara detections",
"av detections",
"ids detections",
"alerts",
"analysis date",
"mcsf",
"microsoft",
"yara",
"insurance",
"fidelity investments",
"description",
"fidelity international",
"ms windows",
"pe32",
"writeconsolew",
"read c",
"pe32 executable",
"t1045",
"susp",
"write",
"win64",
"malware",
"modified",
"ck ids",
"t1040",
"sniffing",
"packing",
"t1112",
"packing t1045",
"icmp traffic",
"memcommit",
"pe section",
"low software",
"pe resource",
"win32",
"trojan",
"april",
"sara ligorria",
"tramp advert",
"black paper",
"createdate",
"subject laser",
"title laser",
"format",
"types of",
"japan",
"regsetvalueexa",
"regdword",
"regbinary",
"module download",
"tls handshake",
"high",
"defense evasion",
"discovery att",
"adversaries",
"title",
"role",
"flag",
"name server",
"server",
"domain address",
"markmonitor",
"clicktale ltd",
"enom",
"whoisguard",
"medium",
"unicode",
"rgba",
"delete",
"crlf line",
"next",
"dock",
"execution",
"date",
"users",
"tls sni",
"total",
"cnc domain",
"search",
"oamazon",
"cnamazon rsa",
"push",
"failure yara",
"contacted",
"hours ago",
"created",
"cia",
"fbi",
"telegram",
"tulach",
"sabey",
"state",
"gov",
"ahmann",
"financial fraud",
"t-mobile",
"walmartmobile",
"life insurance",
"fidelity life",
"guarantee",
"team",
"role title",
"added active",
"scan",
"iocs",
"learn more",
"filehashsha1",
"filehashmd5",
"kw3recepten",
"domainname0",
"searchbox0",
"kw1brinta",
"kw2muesli",
"indicator role",
"title added",
"pulses url",
"cve cve20170147",
"apple",
"apple id"
],
"references": [
"https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226",
"https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com",
"http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com",
"https://bhive.nectar.social/rKvoMY",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe",
"ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,",
"TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161",
"Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.",
"EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name",
"Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.",
"Domains Contacted api.nuget.org",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png",
"https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.fidelity.com/ https://www.fidelity.com/",
"cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99",
"cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl",
"https://www.anyxxxtube.net/search-porn/",
"https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears",
"fidelity-account.com e http://fidelity-account.com/fidelity/code.html",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex",
"http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022",
"\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:",
"https://bhive.nectar.social/rKvoMY",
"apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co",
"http://appleid.app",
"https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win64:Trojan-gen",
"display_name": "Win64:Trojan-gen",
"target": null
},
{
"id": "Trojan:MSIL/Ursu.KP",
"display_name": "Trojan:MSIL/Ursu.KP",
"target": "/malware/Trojan:MSIL/Ursu.KP"
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F",
"target": null
},
{
"id": "Trojan:PDF/Phish.RR!MTB",
"display_name": "Trojan:PDF/Phish.RR!MTB",
"target": "/malware/Trojan:PDF/Phish.RR!MTB"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": ": ALF:Trojan:MSIL/Azorult.AC!",
"display_name": ": ALF:Trojan:MSIL/Azorult.AC!",
"target": null
},
{
"id": "ALF:Trojan:Win32/CryptWrapper.RT!MTB",
"display_name": "ALF:Trojan:Win32/CryptWrapper.RT!MTB",
"target": null
},
{
"id": "Trojan:Win32/Conbea!rfn",
"display_name": "Trojan:Win32/Conbea!rfn",
"target": "/malware/Trojan:Win32/Conbea!rfn"
},
{
"id": "Trojan:Win32/Ausiv!rfn",
"display_name": "Trojan:Win32/Ausiv!rfn",
"target": "/malware/Trojan:Win32/Ausiv!rfn"
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat",
"target": null
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "TrojanDropper:Win32/Qhost",
"display_name": "TrojanDropper:Win32/Qhost",
"target": "/malware/TrojanDropper:Win32/Qhost"
},
{
"id": "Trojan:Win32/Miner.KA!MTB",
"display_name": "Trojan:Win32/Miner.KA!MTB",
"target": "/malware/Trojan:Win32/Miner.KA!MTB"
},
{
"id": "DNSTrojan",
"display_name": "DNSTrojan",
"target": null
},
{
"id": "EternalRocks",
"display_name": "EternalRocks",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Government",
"Finance",
"Insurance"
],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2793,
"URL": 6639,
"FileHash-SHA256": 2462,
"domain": 1070,
"FileHash-MD5": 307,
"FileHash-SHA1": 186,
"SSLCertFingerprint": 1,
"email": 1,
"CVE": 3
},
"indicator_count": 13462,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "55 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696f7d467763ed4d4e74d133",
"name": "Federal Government-Cellebrite Attack found actively targeting iOS and other devices | Mirai login attempts | TelNet Login",
"description": "https://cellebrite.com/en/federal-government/ | Found on a crime victims devices. Targets abused by spyware in an unethical manner by andvesarial \u2018governmental\u2019 possibly \u2018contracted\u2019 entities. Waged against targets such as victims of crime , journalists , researchers , students. Target Users: Serves public safety, enterprise, and government sectors, aiding first responders, investigators, prosecutors, and analysts. How it's Used Law enforcement uses it to unlock devices and retrieve evidence like messages, location history, and app data for criminal investigations. It helps uncover critical information from digital devices, even recovering data that users thought was permanently deleted. Controversy & Privacy Concerns While marketed as a tool for lawful investigations, its powerful data extraction capabilities raise significant privacy concerns and ethical debates.",
"modified": "2026-02-19T12:05:47.166000",
"created": "2026-01-20T13:04:06.622000",
"tags": [
"url https",
"url http",
"germany",
"united",
"ukraine",
"japan",
"extraction",
"data upload",
"urls",
"url analysis",
"enter sc",
"extr",
"iocs",
"active",
"france unknown",
"present jan",
"servers",
"homair sweet",
"grabber",
"encrypt",
"ipv4",
"role title",
"divx",
"pitfall",
"internet",
"ip role",
"america asn",
"extraction data",
"leveibielabs",
"all se",
"enter source",
"url or",
"texirag",
"drop",
"present nov",
"united states",
"america",
"levdibidelabs",
"failed",
"idron anv",
"include manualv",
"review data",
"iterng",
"name servers",
"passive dns",
"incapsula",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"script head",
"request",
"cookie",
"indicator",
"msie",
"chrome",
"backdoor",
"gmt content",
"ipv4 add",
"twitter",
"title",
"process32nextw",
"ms windows",
"intel",
"pe32",
"regopenkeyexa",
"read c",
"medium",
"class",
"write",
"template",
"present oct",
"present jul",
"aaaa",
"present sep",
"present aug",
"url add",
"http",
"hostname",
"related tags",
"kx81xdbx0f",
"x86xd3",
"xa7xe28x06",
"x82xd4",
"delete c",
"regsetvalueexa",
"regbinary",
"xa1xf1",
"xe8xc2x14",
"malware",
"stream",
"unknown",
"win32",
"persistence",
"execution",
"push",
"present dec",
"italy",
"present jun",
"embeddedwb",
"whitelisted",
"windows nt",
"dns traffic",
"russia",
"cname",
"accept",
"destination",
"port",
"et smtp",
"message",
"et trojan",
"components",
"suspicious",
"download",
"hostile",
"next",
"logic",
"gather victim",
"et info",
"etpro trojan",
"trojan",
"report spam",
"interesting",
"created",
"pegasus",
"manipulation",
"service",
"capture",
"et",
"etpro",
"host",
"attack",
"mtb description",
"windows",
"shellexecuteexw",
"writeconsolew",
"registry",
"t1031",
"modify existing",
"dock",
"type indicator",
"added active",
"related pulses",
"arcflex",
"filehashsha1",
"types of",
"learn more",
"filehashsha256",
"cellebrite",
"white label",
"search",
"sha1",
"france",
"cmanual jan",
"expiration date",
"domain add",
"pulse submit",
"files",
"ip address",
"gmt cache",
"sameorigin",
"reverse dns",
"unknown ns",
"admin org",
"zipcode",
"gmt server",
"pulse pulses",
"entries",
"hostname add",
"verdict",
"germany unknown",
"status",
"domain",
"xpirat",
"netherlands",
"netherlands asn",
"as35280 acorus",
"dns resolutions",
"error",
"files ip",
"copy",
"telnet login",
"suspicious path",
"busybox",
"login attempt",
"gpl telnet",
"high",
"tcp syn",
"telnet root",
"path",
"mirai",
"emails",
"domain name",
"jlu11q",
"tqbplo",
"hours ago",
"found",
"yahoo",
"gmail",
"yandex",
"https://cellebrite.com/en/federal-government/",
"monitoring",
"monitored target",
"dangerous",
"spyware",
"80211",
"colorado",
"x amz",
"government",
"mirai login attempt",
"emotet",
"c2",
".ru",
".com",
"denver",
"indicator role",
"title added",
"active related",
"pulses hostname",
"dead connect",
"hostile",
"adversarial",
"abuse",
"criminal intent",
"block messages",
"botnet"
],
"references": [
"fastwebnet.it | Cellebrite White Label Spyware Service",
"putrhnwl.exe",
"Yara Detections: Nullsoft_NSIS",
"Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut",
"Alerts: exe_appdata injection_process_search privilege_luid_check process_interest",
"Alerts: queries_programs antivm_queries_computername antivm_memory_available",
"IP\u2019s Contacted : 54.230.129.165",
"Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com",
"Domains Contacted: pitfall.divx.com www.google.com",
"RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Yara: Detections Tofsee",
"Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey",
"Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername",
"https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966",
"FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,",
"DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe",
"ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116",
"ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116",
"ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101",
"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108",
"ET TROJAN Suspicious double Server Header",
"ET DNS DNS Query to a .tk domain - Likey",
"ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101",
"Needs to be sorted. Actively being exploited on US",
"162.159.134.42 \u2022 https://cellebrite.com/",
"https://cellebrite.com/en/federal-government/",
"moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in",
"skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au",
"http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com",
"applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33",
"mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my",
"http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Germany",
"Ireland",
"Switzerland",
"Poland",
"Belgium",
"Netherlands",
"Sweden"
],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
},
{
"id": "Trojan:Win32/Emotet.PC!MTB",
"display_name": "Trojan:Win32/Emotet.PC!MTB",
"target": "/malware/Trojan:Win32/Emotet.PC!MTB"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Trojan:Win32/Danabot",
"display_name": "Trojan:Win32/Danabot",
"target": "/malware/Trojan:Win32/Danabot"
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Trojan:Win32/Aptdrop.RU",
"display_name": "Trojan:Win32/Aptdrop.RU",
"target": "/malware/Trojan:Win32/Aptdrop.RU"
},
{
"id": "Ransomware/Win.Stop.R4529",
"display_name": "Ransomware/Win.Stop.R4529",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Win32/BackdoorX",
"display_name": "Win32/BackdoorX",
"target": null
},
{
"id": "Win.Trojan.Dialog-9873788-0",
"display_name": "Win.Trojan.Dialog-9873788-0",
"target": null
},
{
"id": "Tsunami-6981155-0",
"display_name": "Tsunami-6981155-0",
"target": null
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1195",
"name": "Supply Chain Compromise",
"display_name": "T1195 - Supply Chain Compromise"
},
{
"id": "T1196",
"name": "Control Panel Items",
"display_name": "T1196 - Control Panel Items"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1414",
"name": "Capture Clipboard Data",
"display_name": "T1414 - Capture Clipboard Data"
},
{
"id": "T1505",
"name": "Server Software Component",
"display_name": "T1505 - Server Software Component"
},
{
"id": "T1556",
"name": "Modify Authentication Process",
"display_name": "T1556 - Modify Authentication Process"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1581",
"name": "Geofencing",
"display_name": "T1581 - Geofencing"
},
{
"id": "T1582",
"name": "SMS Control",
"display_name": "T1582 - SMS Control"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1587",
"name": "Develop Capabilities",
"display_name": "T1587 - Develop Capabilities"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [
"Journalists",
"Government",
"Civil Society"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4994,
"domain": 2519,
"hostname": 3281,
"FileHash-SHA256": 4467,
"FileHash-MD5": 1118,
"FileHash-SHA1": 1056,
"email": 12,
"SSLCertFingerprint": 1
},
"indicator_count": 17448,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "58 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac416596cd89cf76bce55",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:04:53.997000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac4327b5bc2e8be34f78a",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:22.323000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac438a696c993b672106d",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:28.261000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6953775a0aed71947ca3f90e",
"name": "Ransom WannaCrypt- Hackers masquerade as a law firm | Social Engineering |",
"description": "Hackers , likely Colorado State employees masquerading as legal, entities, social\nengineering, financial exchanges involved. Fraud. Dangerous enterprise. Found in an \u2018alleged \u2018 Plaintiff Law Firms malicious link discovered in old print out, also seen in earlier pulse. [OTX generated description: Adversaries may be able to evade detection and network filtering by blending in with existing traffic, as well as using web protocols, in order to avoid detection/network filtering. and other measures.]",
"modified": "2026-01-29T06:09:08.504000",
"created": "2025-12-30T06:55:22.105000",
"tags": [
"united",
"urls",
"moved",
"files",
"ip address",
"gmt content",
"x adblock",
"encrypt",
"backdoor",
"bq dec",
"virtool",
"ipv4 add",
"ascii text",
"pattern match",
"ck id",
"mitre att",
"meta",
"general",
"local",
"path",
"click",
"strings",
"unknown",
"simplified",
"etpro trojan",
"possible virut",
"dga nxdomain",
"responses",
"virus",
"medium",
"virustotal",
"vipre",
"baidu",
"vitro",
"drweb",
"mcafee",
"panda",
"malware",
"write",
"dynamicloader",
"msie",
"windows nt",
"slcc2",
"media center",
"yara rule",
"simda",
"internal",
"learn",
"name tactics",
"suspicious",
"informative",
"command",
"spawns",
"defense evasion",
"t1480 execution",
"discovery att",
"ck matrix",
"network traffic",
"t1071",
"t1057",
"hybrid",
"yara detections",
"composite",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"none related",
"passive dns",
"hosting",
"reverse dns",
"location united",
"title",
"ences s",
"data upload",
"extraction",
"status",
"hostname add",
"url analysis",
"push",
"present sep",
"present may",
"present jul",
"present jan",
"win32small dec",
"ransom",
"write c",
"show",
"search",
"high",
"et exploit",
"probe ms17010",
"eternal blue",
"englewood colorado",
"wannacry",
"wannacrypt",
"ransom",
"wanna"
],
"references": [
"https://aws.hirecar.net/",
"w32.virut.cf \u2022 win32.virut.am \u2022 virut.cf \u2022 http://w32.virut.cf \u2022http://w32.virut.cf/ \u2022 https://w32.virut.cf",
"pandacookie2018.xyz",
"Antivirus Detections: Win.Ransomware.Wanna-9769986-0 , Ransom:Win32/WannaCrypt.H",
"IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS",
"DNS Lookup) Possible ETERNALBLUE Probe MS17-010 (MSF style) Possible ETERNALBLUE Probe MS17-010 (Generic Flags) ETERNALBLUE Probe Vulnerable System Response MS17-010 Possible ETERNALBLUE MS17-010 Heap Spray More Yara Detections WannaCry_Ransomware , Win32_Ransomware_WannaCry , Wanna_Cry_Ransomware_Generic , MS17_010_WanaCry_worm , stack_string More Alerts 25 Alerts suspicious_iocontrol_codes persistence_autorun persistence_autorun_tasks stealth_file suricata_alert antivm_generic_disk anomalous_deletefil",
"Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com \u2022\u2019survey-smiles.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Backdoor:Win32/Small.IR",
"display_name": "Backdoor:Win32/Small.IR",
"target": "/malware/Backdoor:Win32/Small.IR"
},
{
"id": "Win.Trojan.Agent-31853",
"display_name": "Win.Trojan.Agent-31853",
"target": null
},
{
"id": "Virut",
"display_name": "Virut",
"target": null
},
{
"id": "Win.Ransomware.Wanna-9769986-0",
"display_name": "Win.Ransomware.Wanna-9769986-0",
"target": null
},
{
"id": "Ransom:Win32/WannaCrypt.H",
"display_name": "Ransom:Win32/WannaCrypt.H",
"target": "/malware/Ransom:Win32/WannaCrypt.H"
},
{
"id": "Virtool:Win32/Injector.gen!BQ",
"display_name": "Virtool:Win32/Injector.gen!BQ",
"target": "/malware/Virtool:Win32/Injector.gen!BQ"
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
}
],
"industries": [
"Government",
"Technology",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8605,
"domain": 1228,
"email": 2,
"hostname": 1981,
"FileHash-SHA256": 1617,
"FileHash-SHA1": 184,
"FileHash-MD5": 206,
"SSLCertFingerprint": 2
},
"indicator_count": 13825,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "80 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6946ef0ba069c6b92160f8f6",
"name": "Doomscroller \u2022 BrowserHappy | Part 1",
"description": "Comments reserved for Part 2.\nOTX I extraction keeps timing out for me. Possibly location/signal related.",
"modified": "2026-01-19T17:03:32.999000",
"created": "2025-12-20T18:46:35.660000",
"tags": [
"servers",
"united states",
"united",
"script script",
"cnc beacon",
"x5drh",
"ipv4",
"urls",
"twitter",
"trojandropper",
"ipv4 add",
"reverse dns",
"ransom",
"mtb may",
"backdoor",
"trojanspy",
"loee7oiy",
"trojan",
"win32",
"susp",
"mtb jul",
"virtool",
"mtb aug",
"worm",
"avast avg",
"lowfi",
"multiplug jun",
"urls show",
"url hostname",
"server response",
"ip address",
"google safe",
"results dec",
"k dec",
"read c",
"process32nextw",
"tls handshake",
"search",
"show",
"et info",
"failure",
"unknown",
"service",
"malware",
"tools",
"win64",
"write",
"revil",
"sodinokibi",
"titan",
"mtb trojan",
"mtb alf",
"win32dinwod may"
],
"references": [
"Xpirat = doomscroller.io",
"IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers",
"Win32/Agent.BH PUP/PUA Downloader CnC Checkin",
"Terse HTTP 1.0 Request Possible Nivdort Trojan-Banker.Win32.Agent.ree Checkin Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 4 AlphaCrypt CnC Beacon 3 WS/JS Downloader Mar 07 2017 M1 Koobface HTTP Request (2) Alphacrypt/TeslaCrypt Ransomware CnC Beacon",
"Trojan-Banker.Win32.Agent.ree Checkin Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 4 AlphaCrypt CnC Beacon 3 WS/JS Downloader Mar 07 2017 M1 Koobface HTTP Request (2) Alphacrypt/TeslaCrypt Ransomware CnC Beacon"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanDownloader:Win32/Upatre.AA",
"display_name": "TrojanDownloader:Win32/Upatre.AA",
"target": "/malware/TrojanDownloader:Win32/Upatre.AA"
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "Sodinoki",
"display_name": "Sodinoki",
"target": null
},
{
"id": "Ransom:Win32/Revil.A",
"display_name": "Ransom:Win32/Revil.A",
"target": "/malware/Ransom:Win32/Revil.A"
},
{
"id": "Cutwail",
"display_name": "Cutwail",
"target": null
},
{
"id": "!#HSTR:SigGen0136cb6c",
"display_name": "!#HSTR:SigGen0136cb6c",
"target": null
},
{
"id": "Bayrob",
"display_name": "Bayrob",
"target": null
},
{
"id": "Win.Malware",
"display_name": "Win.Malware",
"target": null
},
{
"id": "TrojanSpy:Win32/Nivdort.BG",
"display_name": "TrojanSpy:Win32/Nivdort.BG",
"target": "/malware/TrojanSpy:Win32/Nivdort.BG"
},
{
"id": "#Lowfi:Lua:Mampa:99!ml",
"display_name": "#Lowfi:Lua:Mampa:99!ml",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "#Lowfi:HSTR:Installer:Multiplug",
"display_name": "#Lowfi:HSTR:Installer:Multiplug",
"target": null
},
{
"id": "TrojanDropper:Win32/Dinwod",
"display_name": "TrojanDropper:Win32/Dinwod",
"target": "/malware/TrojanDropper:Win32/Dinwod"
},
{
"id": "Win.Trojan.Barys-10005825-0",
"display_name": "Win.Trojan.Barys-10005825-0",
"target": null
},
{
"id": "TrojanSpy:Win32/Nivdort.CB",
"display_name": "TrojanSpy:Win32/Nivdort.CB",
"target": "/malware/TrojanSpy:Win32/Nivdort.CB"
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Trojan:Win32/Zbot.SIBB6!MTB",
"display_name": "Trojan:Win32/Zbot.SIBB6!MTB",
"target": "/malware/Trojan:Win32/Zbot.SIBB6!MTB"
},
{
"id": "Ploprolo",
"display_name": "Ploprolo",
"target": null
},
{
"id": "#Lowfi:HSTR:VirTool:Win32/Obfuscator!Diplugem.F",
"display_name": "#Lowfi:HSTR:VirTool:Win32/Obfuscator!Diplugem.F",
"target": null
}
],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 692,
"URL": 1666,
"FileHash-SHA256": 630,
"hostname": 804,
"FileHash-MD5": 441,
"FileHash-SHA1": 437,
"SSLCertFingerprint": 1,
"CVE": 1
},
"indicator_count": 4672,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "89 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "693adba47b2cce69440c726a",
"name": "TESLA HACKERS | Login Google",
"description": "Attackers target victims Google account, Google browser, Google homepage.\n\nTesla Hackers in the job. Tesla hackers are very young , angry, kids who chased target around mercilessly in their vehicles, photographed target, drive threateningly. Nothing sophisticated about the stalker crewl. This is intentional. Finding troubled individuals who are desperate for power is pretty easy. \n\nThe hit men range from gang members, white , black , Hispanic to the highly educated, Hit man who attempted to take target out was a spoiled, angry , aggressive, sneering POC. He walked in Denver. The next morning , the area target was driven if roadway was closed off and filled with a rather large road crew, work continues to work on this area. (Charlie Kirk like). Alleged traffic officer claims cameras pointed in different directions that night. He was identified as a computer science major by a PI. This feels so dangerous.",
"modified": "2026-01-10T13:01:53.320000",
"created": "2025-12-11T14:56:36.874000",
"tags": [
"tlsv1",
"united",
"oamazon",
"cnamazon rsa",
"jfif",
"ogoogle trust",
"cngts ca",
"exif standard",
"tiff image",
"xresolution74",
"execution",
"dock",
"write",
"persistence",
"malware",
"encrypt",
"ca https",
"no expiration",
"iocs",
"url https",
"enter source",
"url or",
"text drag",
"drop or",
"browse to",
"select file",
"ipv4",
"url http",
"type indicator",
"sec ch",
"ch ua",
"unknown",
"ua full",
"ua platform",
"as44273 host",
"ua bitness",
"msie",
"chrome",
"backdoor",
"trojandropper",
"passive dns",
"forbidden",
"body",
"twitter",
"trojan",
"cookie",
"title",
"windows nt",
"wow64",
"slcc2",
"media center",
"read c",
"port",
"destination",
"local",
"moved",
"integration all",
"urls",
"files",
"reverse dns",
"location united",
"america flag",
"name servers",
"hostname",
"unique",
"expires wed",
"gmt date",
"server",
"date wed",
"connection",
"use linux",
"cybersecurity",
"http",
"ip address",
"files location",
"flag united",
"win32",
"urls show",
"date checked",
"url hostname",
"server response",
"virtool",
"date hash",
"avast avg",
"heur",
"lowfi",
"k sep",
"contacted",
"related tags",
"none file",
"type",
"present dec",
"present nov",
"mtb mar",
"aaaa",
"hacktool",
"indicator role",
"domain",
"url add",
"as20940",
"as16625 akamai",
"present mar",
"present may",
"as54113",
"present apr",
"ipv4 add",
"url analysis",
"servers",
"emails",
"hostname add",
"present aug",
"present sep",
"present oct",
"status",
"present jul",
"data upload",
"extraction",
"as208722 yandex",
"russia unknown",
"a domains",
"expirestue",
"path",
"certificate",
"medium",
"alerts show",
"ck technique",
"technique id",
"installs",
"pe32",
"intel",
"ms windows",
"high",
"icmp traffic",
"dns query",
"packing t1045",
"t1045",
"screenshots",
"file type",
"date february",
"pm size",
"imphash pehash",
"guard",
"syst",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"initial access",
"spawns",
"t1590 gather",
"flag",
"united kingdom",
"command decode",
"belgium belgium",
"federation",
"france france",
"ireland ireland",
"canada canada",
"suricata ipv4",
"click",
"tesla hackers",
"elon musk",
"show",
"richhash",
"external",
"virustotal api",
"comments",
"vendor finding",
"notes clamav",
"ms defender",
"files matching",
"copy",
"found",
"ssl certificate",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"yara rule",
"reads",
"number",
"sample analysis",
"hide samples",
"entries",
"samples show",
"next yara",
"detections name",
"devcv5 ujrb",
"ujrb",
"uja1t",
"show technique",
"mitre att",
"ck matrix",
"ascii text",
"pattern match",
"sha1",
"network traffic",
"show process",
"general"
],
"references": [
"https://www.teslarati.com/spacex",
"https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57",
"https://cdn.teslarati.com \u2022 https://forums.teslarati.com/",
"https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/",
"https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/",
"https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/",
"https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/",
"https://www.teslarati.com/wp-content/themes/teslarati-mag/map/",
"https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/",
"https://www.teslarati.com/",
"https://www.teslarati.com/spacex",
"https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/",
"https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/",
"https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/",
"https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/",
"pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx",
"http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\",
"http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022 https://pickyhot.disqus.com/tsara-brashears",
"http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm",
"HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected: Redirect Types: Delayed Redirect Redirects to: /doodles/ Suspicious",
"Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189",
"External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |",
"Source : Binary File ATT&CK ID T1566.002",
"Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .",
"Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes",
"Detected Non-Google domain serving Google homepage details",
"Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers",
"Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.",
"CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.",
"Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True",
"Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true",
"CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany",
"Japan"
],
"malware_families": [
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB",
"display_name": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB",
"target": "/malware/Ms Defender\tTrojan:Win32/Qbot.KVD!MTB"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Malware.Jaik-9940406-0",
"display_name": "Win.Malware.Jaik-9940406-0",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn",
"target": null
},
{
"id": "Win.Malware.Snojan-6775202-0",
"display_name": "Win.Malware.Snojan-6775202-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
},
{
"id": "T1207",
"name": "Rogue Domain Controller",
"display_name": "T1207 - Rogue Domain Controller"
},
{
"id": "T1136.002",
"name": "Domain Account",
"display_name": "T1136.002 - Domain Account"
},
{
"id": "T1003.005",
"name": "Cached Domain Credentials",
"display_name": "T1003.005 - Cached Domain Credentials"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1204.002",
"name": "Malicious File",
"display_name": "T1204.002 - Malicious File"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5894,
"FileHash-MD5": 458,
"FileHash-SHA1": 305,
"FileHash-SHA256": 2481,
"SSLCertFingerprint": 26,
"hostname": 2406,
"domain": 966,
"email": 16,
"CVE": 1
},
"indicator_count": 12553,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "98 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "692f04e9fa3d782118e94aac",
"name": "LevelBlue - Open Threat Exchange - Delete AppDeployed",
"description": "I\u2019m not sure what to think. |\ndeploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev | Are these\npulses being sold or attacked? Christopher P. Ahmann of TAM Legal and his other firms has ALWAYS attacked targets phones and networks. Nothing is too outrageous for this maniac.\n\nHe is responsible for the recent attacks on devices , clouds , google accounts and a flurry of threats. Indicators in recently pulsed reports have been removed. I\u2019ve done my best to restore. \n\nI am also concerned about the safety or legitimacy of this platform.\n\nNo one is ever alerted. Simply calling someone and telling them about the compromises can equate to a big pay day for Level Blue and nothing for the victims of attacks. I need my pulses restored. \n\nIt\u2019s plausible to believe OTX was attacked by an external threat actor.\nAnything is possible when it comes to money.",
"modified": "2026-01-01T15:04:20.907000",
"created": "2025-12-02T15:25:29.158000",
"tags": [
"levelblue",
"open threat",
"dynamicloader",
"tlsv1",
"high",
"msie",
"windows nt",
"delete c",
"fwlink",
"stream",
"powershell",
"write",
"malware",
"local",
"united",
"flag",
"date",
"server",
"crazy egg",
"name server",
"gmt flag",
"domain address",
"markmonitor",
"enom",
"sugges",
"onv incude",
"data upload",
"find s",
"extraction",
"types",
"type",
"indicator",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"contacted hosts",
"search",
"entries",
"read c",
"medium",
"memcommit",
"tls handshake",
"failure",
"module load",
"next",
"execution",
"dock",
"capture",
"persistence",
"copy",
"unknown",
"suricata alert",
"et info",
"bad traffic",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"t1480 execution",
"file defense",
"write c",
"x02x82",
"xe6x15c6",
"x16f",
"xc0xc0xc0",
"revengerat",
"guard",
"service",
"encrypt",
"entries yara",
"delphi",
"win32",
"jordan",
"delete app"
],
"references": [
"https://otx.alienvault.com/indicator/domain/Tamlegal.com",
"DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz",
"endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander",
"deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Vmprotect-9880726-0",
"display_name": "Win.Malware.Vmprotect-9880726-0",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Legal"
],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4624,
"FileHash-SHA256": 2021,
"FileHash-MD5": 51,
"FileHash-SHA1": 20,
"SSLCertFingerprint": 10,
"hostname": 1433,
"domain": 728
},
"indicator_count": 8887,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "107 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"It appears there are 5-7 known affected that I was able to find",
"putrhnwl.exe",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Sigma Matches",
"w32.virut.cf \u2022 win32.virut.am \u2022 virut.cf \u2022 http://w32.virut.cf \u2022http://w32.virut.cf/ \u2022 https://w32.virut.cf",
"search.roi.ros.gov.uk",
"api.optimizer.insitemaxdev.gov2x.com",
"https://bhive.nectar.social/rKvoMY",
"https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/",
"applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 815",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://www.teslarati.com/",
"Win32/Agent.BH PUP/PUA Downloader CnC Checkin",
"Alerts: queries_programs antivm_queries_computername antivm_memory_available",
"Domains Contacted: drive.usercontent.google.com",
"https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d",
"DESCRIPTION: Detects EternalRocks Malware - file taskhost.exe",
"https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears",
"Matches rule POLICY-OTHER TOR Project domain request",
"https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966",
"ET TROJAN W32/Kegotip CnC Beacon",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"http://blackrock.work.gd/",
"IDS Detections: Possible ETERNALROCKS .Net Module Download TLS Handshake Failure",
"https://otx.alienvault.com/indicator/domain/Tamlegal.com",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:",
"Trojan-Banker.Win32.Agent.ree Checkin Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 4 AlphaCrypt CnC Beacon 3 WS/JS Downloader Mar 07 2017 M1 Koobface HTTP Request (2) Alphacrypt/TeslaCrypt Ransomware CnC Beacon",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /",
"https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/",
"Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername",
"https://cellebrite.com/en/federal-government/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"(The Shadow Brokers NSA dump) SMB exploits: ETERNALBLUE, ETERNALCHAMPION,",
"EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"Dynamic sandbox CZAE flags this file as: STEALER",
"android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]",
"REFERENCE: https://twitter.com/stamparm/status/864865144748298242 RULE_AUTHOR: Florian Roth",
"http://wonporn.com/top/Pakistani_Sucking",
"Domains Contacted: pitfall.divx.com www.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"Matches rule Uncommon Schost Parent Process by Florian Roth (Nextron Systems)",
"Matches rule ET JA3 Hash - Possible Malwar RigEK/Cryptowall/Dridex",
"https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/",
"iot.insitemaxdev.gov2x.com",
"NSA Exploits Used: The malware uses seven Shadow Brokers-leaked tools, including EternalBlue, EternalChampion,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"https://aws.hirecar.net/",
"http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com",
"Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx",
"DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz",
"http://appleid.app",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download",
"Yara Detections: Nullsoft_NSIS",
"Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut",
"fidelity-account.com e http://fidelity-account.com/fidelity/code.html",
"Scanning Host: 13.107.246.70",
"Xpirat = doomscroller.io",
"IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 333",
"RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK",
"Requires further research.",
"Yara Detections: SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost ,",
"Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true",
"Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Shelton, Nasreddine Bencherchali (Nextron stems",
"Matches rule SUSP_NET_NAME_ConfuserEx from ruleset gen_github_net_redteam_tools_names by Arnim Rupp",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 252",
"Source : Binary File ATT&CK ID T1566.002",
"https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/",
"CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann",
"verify.gov.tl",
"div>
",
"https://github.com/stamparm/EternalRocks",
"Sprouts Farmers Market",
"https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks",
"Detected Non-Google domain serving Google homepage details",
"https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au",
"Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.",
"Same legal , and quasi governmental pattern identified",
"http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\",
"HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected: Redirect Types: Delayed Redirect Redirects to: /doodles/ Suspicious",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in",
"Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com \u2022\u2019survey-smiles.com",
"ET DNS DNS Query to a .tk domain - Likey",
"http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022",
"https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/",
"http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022 https://pickyhot.disqus.com/tsara-brashears",
"Alerts: cape_detected_threat https_ urls",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png",
"CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared",
"IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe",
"Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189",
"IDS Detections ET POLICY Suspicious User-Agent Containing .exe",
"\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.",
"http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html",
"Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,TrojanDownloader:Win32/Eterock.A",
"Pegasus | A targets devices are obviously infiltrated",
"http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community",
"DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"https://www.fidelity.com/ https://www.fidelity.com/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"I apologize for the lack of reference.",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"TNULL: unknown empty EMPTY FILEHASH-MD5 d41d8cd98f00b204e9800998ecf8427e",
"RULE_LINK: https://valhalla.nextron-systems.com/info/rule/EternalRocks_svchost_FR",
"https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e",
"apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co",
"https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"okta-dev.gov2x.com",
"Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"https://www.anyxxxtube.net/search-porn/",
"https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57",
"Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com",
"Domains Contacted api.nuget.org",
"ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116",
"supplierportal.gov2x.com",
"Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name",
"http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm",
"DNS Lookup) Possible ETERNALBLUE Probe MS17-010 (MSF style) Possible ETERNALBLUE Probe MS17-010 (Generic Flags) ETERNALBLUE Probe Vulnerable System Response MS17-010 Possible ETERNALBLUE MS17-010 Heap Spray More Yara Detections WannaCry_Ransomware , Win32_Ransomware_WannaCry , Wanna_Cry_Ransomware_Generic , MS17_010_WanaCry_worm , stack_string More Alerts 25 Alerts suspicious_iocontrol_codes persistence_autorun persistence_autorun_tasks stealth_file suricata_alert antivm_generic_disk anomalous_deletefil",
"Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey",
"Matches rule ET JA3 Hash - [Abuse.ch] Possible Ransomware",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238",
"Needs to be sorted. Actively being exploited on US",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex",
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116",
"Alerts: network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_i",
"https://www.teslarati.com/spacex",
"Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"pegasuspartners.followupboss.com",
"Strangely NSO Group The Lazarus Group The Shadow Brokers and others attack an individual",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,",
"ET TROJAN Suspicious double Server Header",
"https://www.teslarati.com/wp-content/themes/teslarati-mag/map/",
"ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my",
"website \u2022 http://oldapps.com/blender.php?old_blender=7584",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238",
"fastwebnet.it | Cellebrite White Label Spyware Service",
"Matches rule SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Ransomware)",
"Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.",
"Antivirus Detections: Win.Ransomware.Wanna-9769986-0 , Ransom:Win32/WannaCrypt.H",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Yara Matches",
"Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers",
"https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226",
"FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"With so many \u2018officials\u2019 involved, it\u2019s hard to believe \u2018 The Shadow Brokers\u2019 isnt a government entity.",
"Matches rule Uncommon Svchost Command Line Parameter by Liran Ravich",
"freedns.afraid.org",
"Yara: Detections Tofsee",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 778",
"Terse HTTP 1.0 Request Possible Nivdort Trojan-Banker.Win32.Agent.ree Checkin Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 4 AlphaCrypt CnC Beacon 3 WS/JS Downloader Mar 07 2017 M1 Koobface HTTP Request (2) Alphacrypt/TeslaCrypt Ransomware CnC Beacon",
"Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.",
"Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"162.159.134.42 \u2022 https://cellebrite.com/",
"pandacookie2018.xyz",
"Matches rule Suspicious History File Operat Mikhail Larin, oscd.community",
"Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes",
"Matches rule EternalRocks_svchost from ruleset crime_eternalrocks by Florian Roth (Nextron Systems)",
"Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"Matches rule MALWARE-CNC DNS Fast Flux attempt",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht",
"https://jviwczq.zc-apple.com/",
"Sabey , Ahmann, Quasi Government, Government",
"Denver, US 80211 http://library.verizon.onereach.ai",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108",
"Matches rule SURICATA STREAM Packet with invalid timestamp",
"endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander",
"https://cdn.teslarati.com \u2022 https://forums.teslarati.com/",
"IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True",
"deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev",
"https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com",
"https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/",
"supply.qld.gov.au",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"Malware Hosting: 13.107.226.70",
"TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161",
"EternalRomance, and EternalSynergy. Stealth",
"https://l.us-1.a.mimecastprotect.com/l",
"cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf",
"Matches rule ET POLICY TLS possible TOR SSL traffic",
"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"EternalRocks MALWARE RANSOM TROJAN EVADER",
"ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"IP\u2019s Contacted : 54.230.129.165",
"Matches rule Windows Processes Suspicious Parent Directory by vburov",
"Yara Detections: EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com",
"The 2017 timeline accurately fits victim\u2019s major financial and other continuous First attacks began in 10/2013. Upgraded",
"External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |",
"Alerts: exe_appdata injection_process_search privilege_luid_check process_interest",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101",
"Matches rule INDICATOR_EXE_Packed_ConfuserEx from ruleset indicator_packed",
"cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"The Blender Foundation",
"Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"Matches rule DELETED SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt",
"sprouts@em.sprouts.com?",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced IDS rules",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Trojan:win32/aptdrop.ru",
"Win32:trojano-chf\\ [trj]",
"Icedid",
"Trendmicro",
"Win32/virut",
"Unix.trojan.tsunami-6981155-0",
"Trojan:bat/musecador",
"Trojanspy:win32/nivdort.bg",
"Win.trojan.fareit-82",
"Trojanspy:win32/nivdort.cb",
"#lowfi:hstr:virtool:win32/obfuscator!diplugem.f",
"Alf:heraklezeval:trojan:msil/gravityrat",
"Alf:jasyp:trojan:win32/genmaldown!atmn",
"Win64:trojan-gen",
"#lowfi:lua:mampa:99!ml",
"Alf:trojan:win32/anorocuriv.a",
"Win.malware.snojan-6775202-0",
"Cutwail",
"Slf:win64/cobpipe.a",
"Win.malware.vmprotect-9880726-0",
"Win.malware.jaik-9940406-0",
"Backdoor:linux/demonbot",
"Trojan:win32/ausiv!rfn",
"Trojandownloader:win32/upatre.aa",
"Virtool:win32/ceeinject.gen!ah",
"#lowfi:hstr:installer:multiplug",
"Trojandropper:win32/qhost",
"Zbot",
"Alf:program:win32/webcompanion",
"Trojandownloader:win32/cutwail.bs",
"Trojan.eternalrocks/shadowbrokers",
"Trojan:win32/emotet.pc!mtb",
"Sf:shellcode-au\\ [trj]",
"Trojan:win32/danabot",
"Win32:trojan-gen",
"#lowfienabledtcontinueafterunpacking",
"Alf:trojan:win32/cryptwrapper.rt!mtb",
"Win.trojan.barys-10005825-0",
"#lowfi:lua:dllsuspiciousexport.a",
"Win.trojan.agent-245901",
"Cve-2017-0148",
"Trojan:pdf/phish.rr!mtb",
"Generic36.ajsm",
"Virut",
"Backdoor:win32/tofsee.t",
"W32/kegotip cnc",
"Et",
"Win.malware",
"Win.ransomware.wanna-9769986-0",
"Generic36.adty",
"Tofsee",
"Sf:shellcode-au",
"!#hstr:siggen0136cb6c",
"Trojan:win32/zbot.sibb6!mtb",
"Downloader.generic13.cmtw",
"Crypt3.bxvc",
"Trojan:win32/miner.ka!mtb",
"Ms defender\ttrojan:win32/qbot.kvd!mtb",
"Win.downloader.3867-1",
"Worm:win32/autorun!atmn",
"Alf:heraklezeval:trojan:win32/clipbanker",
"Win.trojan.emotet-9850453-0",
"Downloader.generic13.bobz",
"Bouncycastle",
"Win.trojan.rootkit-4532",
"Hider.biy",
"Mydoom",
"Win32/blacked",
"Backdoor:win32/small.ir",
"Upatre",
"Etpro",
"Exploit:powershell/cve-2017-0143",
"Other malware",
"Tsunami-6981155-0",
"Trojandropper:win32/dinwod",
"Ransomware/win.stop.r4529",
"W32.virut.ci",
"Win.trojan.injector-12138",
"Win.trojan.cobaltstrike-9044898-1",
"Pegasus",
"Trojan:win32/zombie.a",
"Dnstrojan",
"Trojan:win32/smkldr.h!mtb",
"Win.trojan.vbgeneric-6735875-0",
"Trojan:msil/ursu.kp",
"Ransom:win32/revil.a",
"Generic36.aiaa.dropper",
"Win.trojan.dialog-9873788-0",
"Eternalrocks",
"#lowfi:hookwowlow",
"Bayrob",
"Trojan:win32/conbea!rfn",
"Worm.autorun-6180",
"Trojandownloader:win32/cutwail",
"Win.trojan.pushdo-15",
"Win32.injector",
"Win32:trojanx-gen\\ [trj]",
"Win32:evo-gen\\ [susp]",
"Ploprolo",
"Ransom:win32/wannacrypt.h",
"Mirai",
"Virtool:win32/injector.gen!bq",
": alf:trojan:msil/azorult.ac!",
"Win32/backdoorx",
"Alf:heraklezeval:trojan:win32/eqtonex.f",
"Worm:win32/mofksys.rnd!mtb",
"Win.trojan.agent-31853",
"Sodinoki",
"Win32/ramnit.a"
],
"industries": [
"Finance",
"Telecom",
"Health",
"Civilians",
"Technology",
"Legal",
"Government",
"Retail",
"Insurance",
"Journalists",
"Civil society"
],
"unique_indicators": 122011
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/josht.ca",
"whois": "http://whois.domaintools.com/josht.ca",
"domain": "josht.ca",
"hostname": "sa.josht.ca"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 16,
"pulses": [
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b7cb05b2098c1d2bf20f",
"name": "federal goverment clone cellbrite credit q vashti",
"description": "",
"modified": "2026-03-12T12:55:39.046000",
"created": "2026-03-12T12:55:39.046000",
"tags": [
"url https",
"url http",
"germany",
"united",
"ukraine",
"japan",
"extraction",
"data upload",
"urls",
"url analysis",
"enter sc",
"extr",
"iocs",
"active",
"france unknown",
"present jan",
"servers",
"homair sweet",
"grabber",
"encrypt",
"ipv4",
"role title",
"divx",
"pitfall",
"internet",
"ip role",
"america asn",
"extraction data",
"leveibielabs",
"all se",
"enter source",
"url or",
"texirag",
"drop",
"present nov",
"united states",
"america",
"levdibidelabs",
"failed",
"idron anv",
"include manualv",
"review data",
"iterng",
"name servers",
"passive dns",
"incapsula",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"script head",
"request",
"cookie",
"indicator",
"msie",
"chrome",
"backdoor",
"gmt content",
"ipv4 add",
"twitter",
"title",
"process32nextw",
"ms windows",
"intel",
"pe32",
"regopenkeyexa",
"read c",
"medium",
"class",
"write",
"template",
"present oct",
"present jul",
"aaaa",
"present sep",
"present aug",
"url add",
"http",
"hostname",
"related tags",
"kx81xdbx0f",
"x86xd3",
"xa7xe28x06",
"x82xd4",
"delete c",
"regsetvalueexa",
"regbinary",
"xa1xf1",
"xe8xc2x14",
"malware",
"stream",
"unknown",
"win32",
"persistence",
"execution",
"push",
"present dec",
"italy",
"present jun",
"embeddedwb",
"whitelisted",
"windows nt",
"dns traffic",
"russia",
"cname",
"accept",
"destination",
"port",
"et smtp",
"message",
"et trojan",
"components",
"suspicious",
"download",
"hostile",
"next",
"logic",
"gather victim",
"et info",
"etpro trojan",
"trojan",
"report spam",
"interesting",
"created",
"pegasus",
"manipulation",
"service",
"capture",
"et",
"etpro",
"host",
"attack",
"mtb description",
"windows",
"shellexecuteexw",
"writeconsolew",
"registry",
"t1031",
"modify existing",
"dock",
"type indicator",
"added active",
"related pulses",
"arcflex",
"filehashsha1",
"types of",
"learn more",
"filehashsha256",
"cellebrite",
"white label",
"search",
"sha1",
"france",
"cmanual jan",
"expiration date",
"domain add",
"pulse submit",
"files",
"ip address",
"gmt cache",
"sameorigin",
"reverse dns",
"unknown ns",
"admin org",
"zipcode",
"gmt server",
"pulse pulses",
"entries",
"hostname add",
"verdict",
"germany unknown",
"status",
"domain",
"xpirat",
"netherlands",
"netherlands asn",
"as35280 acorus",
"dns resolutions",
"error",
"files ip",
"copy",
"telnet login",
"suspicious path",
"busybox",
"login attempt",
"gpl telnet",
"high",
"tcp syn",
"telnet root",
"path",
"mirai",
"emails",
"domain name",
"jlu11q",
"tqbplo",
"hours ago",
"found",
"yahoo",
"gmail",
"yandex",
"https://cellebrite.com/en/federal-government/",
"monitoring",
"monitored target",
"dangerous",
"spyware",
"80211",
"colorado",
"x amz",
"government",
"mirai login attempt",
"emotet",
"c2",
".ru",
".com",
"denver",
"indicator role",
"title added",
"active related",
"pulses hostname",
"dead connect",
"hostile",
"adversarial",
"abuse",
"criminal intent",
"block messages",
"botnet"
],
"references": [
"fastwebnet.it | Cellebrite White Label Spyware Service",
"putrhnwl.exe",
"Yara Detections: Nullsoft_NSIS",
"Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut",
"Alerts: exe_appdata injection_process_search privilege_luid_check process_interest",
"Alerts: queries_programs antivm_queries_computername antivm_memory_available",
"IP\u2019s Contacted : 54.230.129.165",
"Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com",
"Domains Contacted: pitfall.divx.com www.google.com",
"RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Yara: Detections Tofsee",
"Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey",
"Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername",
"https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966",
"FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,",
"DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe",
"ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116",
"ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116",
"ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101",
"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108",
"ET TROJAN Suspicious double Server Header",
"ET DNS DNS Query to a .tk domain - Likey",
"ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101",
"Needs to be sorted. Actively being exploited on US",
"162.159.134.42 \u2022 https://cellebrite.com/",
"https://cellebrite.com/en/federal-government/",
"moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in",
"skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au",
"http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com",
"applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33",
"mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my",
"http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Germany",
"Ireland",
"Switzerland",
"Poland",
"Belgium",
"Netherlands",
"Sweden"
],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
},
{
"id": "Trojan:Win32/Emotet.PC!MTB",
"display_name": "Trojan:Win32/Emotet.PC!MTB",
"target": "/malware/Trojan:Win32/Emotet.PC!MTB"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Trojan:Win32/Danabot",
"display_name": "Trojan:Win32/Danabot",
"target": "/malware/Trojan:Win32/Danabot"
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Trojan:Win32/Aptdrop.RU",
"display_name": "Trojan:Win32/Aptdrop.RU",
"target": "/malware/Trojan:Win32/Aptdrop.RU"
},
{
"id": "Ransomware/Win.Stop.R4529",
"display_name": "Ransomware/Win.Stop.R4529",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Win32/BackdoorX",
"display_name": "Win32/BackdoorX",
"target": null
},
{
"id": "Win.Trojan.Dialog-9873788-0",
"display_name": "Win.Trojan.Dialog-9873788-0",
"target": null
},
{
"id": "Tsunami-6981155-0",
"display_name": "Tsunami-6981155-0",
"target": null
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1195",
"name": "Supply Chain Compromise",
"display_name": "T1195 - Supply Chain Compromise"
},
{
"id": "T1196",
"name": "Control Panel Items",
"display_name": "T1196 - Control Panel Items"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1414",
"name": "Capture Clipboard Data",
"display_name": "T1414 - Capture Clipboard Data"
},
{
"id": "T1505",
"name": "Server Software Component",
"display_name": "T1505 - Server Software Component"
},
{
"id": "T1556",
"name": "Modify Authentication Process",
"display_name": "T1556 - Modify Authentication Process"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1581",
"name": "Geofencing",
"display_name": "T1581 - Geofencing"
},
{
"id": "T1582",
"name": "SMS Control",
"display_name": "T1582 - SMS Control"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1587",
"name": "Develop Capabilities",
"display_name": "T1587 - Develop Capabilities"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [
"Journalists",
"Government",
"Civil Society"
],
"TLP": "green",
"cloned_from": "696f7d467763ed4d4e74d133",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4994,
"domain": 2519,
"hostname": 3281,
"FileHash-SHA256": 4467,
"FileHash-MD5": 1118,
"FileHash-SHA1": 1056,
"email": 12,
"SSLCertFingerprint": 1
},
"indicator_count": 17448,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "37 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d69ecbc0497f97e28618",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:10.502000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "53 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d6a601f06adcd1ed22fc",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:18.022000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "53 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d6afd744c55bd596ed6e",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:27.248000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "53 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6975c5cd4db6104ea1a3d69b",
"name": "The Blender Foundation BouncyCastle-Virut | Malware /Stealer Empty FileHash | Eternal7 (Shadow Broker) Related",
"description": "Empty FileHash isn\u2019t benign. Interesting relationships to the Eternal 7. Malware, Stealer and Suspicious History File Operation. BouncyCastle-Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys / Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"modified": "2026-02-24T06:02:43.853000",
"created": "2026-01-25T07:27:09.640000",
"tags": [
"empty",
"blender",
"eurostile",
"augustin",
"butterfield",
"cook",
"drummer",
"erickson",
"fjsv",
"flynn",
"gorman",
"holmes",
"easy",
"rada",
"xanadu",
"config",
"reboot",
"screen",
"microsoft",
"commerce server",
"edition",
"draw",
"exchange server",
"tools",
"linux",
"ideal link",
"nsrl test",
"nist",
"file",
"cultureneutral",
"fix pack",
"free download",
"bouncycastle",
"read c",
"search",
"et trojan",
"w32kegotip cnc",
"whitelisted",
"ids detections",
"intel",
"write",
"trojan",
"malware",
"yara detections",
"productversion",
"fileversion",
"av detections",
"alerts",
"analysis date",
"file score",
"united",
"aaaa",
"passive dns",
"ip address",
"present dec",
"body html",
"head meta",
"title",
"urls",
"url https",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"beacon",
"et",
"ipv4",
"files",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"related pulses",
"show",
"win32virut",
"destination",
"port",
"ms windows",
"pe32",
"medium",
"suspicious",
"virustotal",
"startul",
"shadowbrokers",
"total",
"delete",
"artemis",
"win32.injector",
"trendmicro",
"data upload",
"extraction",
"included iocs"
],
"references": [
"The Blender Foundation",
"website \u2022 http://oldapps.com/blender.php?old_blender=7584",
"oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]",
"Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community",
"Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks",
"ET TROJAN W32/Kegotip CnC Beacon",
"IDS Detections ET POLICY Suspicious User-Agent Containing .exe",
"Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit",
"Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /",
"Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "BouncyCastle",
"display_name": "BouncyCastle",
"target": null
},
{
"id": "Sf:ShellCode-AU",
"display_name": "Sf:ShellCode-AU",
"target": null
},
{
"id": "Win.Trojan.Fareit-82",
"display_name": "Win.Trojan.Fareit-82",
"target": null
},
{
"id": "Win.Trojan.Agent-245901",
"display_name": "Win.Trojan.Agent-245901",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "W32/Kegotip CnC",
"display_name": "W32/Kegotip CnC",
"target": null
},
{
"id": "W32.Virut.ci",
"display_name": "W32.Virut.ci",
"target": null
},
{
"id": "Downloader.Generic13.CMTW",
"display_name": "Downloader.Generic13.CMTW",
"target": null
},
{
"id": "Downloader.Generic13.BOBZ",
"display_name": "Downloader.Generic13.BOBZ",
"target": null
},
{
"id": "Win.Trojan.Injector-12138",
"display_name": "Win.Trojan.Injector-12138",
"target": null
},
{
"id": "Generic36.ADTY",
"display_name": "Generic36.ADTY",
"target": null
},
{
"id": "Generic36.AIAA.Dropper",
"display_name": "Generic36.AIAA.Dropper",
"target": null
},
{
"id": "Generic36.AJSM",
"display_name": "Generic36.AJSM",
"target": null
},
{
"id": "Win32/Virut",
"display_name": "Win32/Virut",
"target": null
},
{
"id": "Win32/Ramnit.A",
"display_name": "Win32/Ramnit.A",
"target": null
},
{
"id": "Worm.Autorun-6180",
"display_name": "Worm.Autorun-6180",
"target": null
},
{
"id": "Hider.BIY",
"display_name": "Hider.BIY",
"target": null
},
{
"id": "Win.Trojan.Rootkit-4532",
"display_name": "Win.Trojan.Rootkit-4532",
"target": null
},
{
"id": "Win32/Blacked",
"display_name": "Win32/Blacked",
"target": null
},
{
"id": "Win32.Injector",
"display_name": "Win32.Injector",
"target": null
},
{
"id": "TrendMicro",
"display_name": "TrendMicro",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 71,
"FileHash-SHA256": 853,
"URL": 1639,
"domain": 288,
"FileHash-MD5": 78,
"hostname": 545
},
"indicator_count": 3474,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "54 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69754a5dd138f73f5cfdf78c",
"name": "EternalRocks (SHADOW BROKERS) MicroBotMassiveNet - NSA Exploits",
"description": "Exploited | Active | Continuous \n\u201cEternalRocks\u201d (also known as MicroBotMassiveNet) is a sophisticated computer worm discovered in May 2017 that targets Windows machines, utilizing seven different NSA-leaked exploits\u2014far more than the two used by the infamous WannaCry ransomware. Trend Micro and other security researchers highlighted the danger of this malware because, unlike WannaCry, it does not have a \"kill switch\" and is designed to create a backdoor for future, more severe, and adaptable attacks * While initially, it appeared to only act as a downloader for other tools, the danger lay in its potential to be weaponized for launching ransomware, Remote Access Trojans (RATs), or other malware at a later date. \nThank you Winston & Vogt",
"modified": "2026-02-23T19:02:00.548000",
"created": "2026-01-24T22:40:29.680000",
"tags": [
"regsetvalueexa",
"default",
"regdword",
"regbinary",
"module download",
"tls handshake",
"high",
"regsetvalueexw",
"malware",
"write",
"win32",
"ids detections",
"download tls",
"eternalrocks",
"nsa exploits",
"worm",
"cryptojackers",
"shadow brokers",
"ransom",
"ingress tool",
"channel",
"udp a83f8110",
"get http",
"get https",
"dns resolutions",
"root path",
"encrypted",
"native",
"required.exe",
"stolen toolset",
"cyber weapons",
"cyber warfare",
"autonomous",
"tor",
"dark web",
"black paper",
"nsa weapons",
"2017",
"tao?",
"targeting",
"breach",
"equation group tools",
"installer",
"stealer",
"apt",
"empty",
"not an exit node",
"empty file",
"tor relay router",
"traffic groups",
"traffic group 815",
"el tor",
"tor relay",
"traffic group 778",
"traffic group 238",
"traffic group 333",
"traffic group 333",
"node",
"traffic group 252",
"open_source_tool",
"confuserex",
"susp_net_name_confuserex",
"eternalrocks",
"svchost",
"eternalrocks_svchost_fr",
"obfuscated",
"susp_confuserex_obfuscated",
"encryption",
"module",
"msil",
"net",
"bing",
"android",
"libre",
"mcsf",
"microsoft",
"active attack",
"financial crimes",
"EternalBlue",
"EternalChampion",
"EternalRocks",
"Stealth",
"EternalSynergy",
"EternalRomance",
"checks-network-adapters",
"checks-user-input",
"crypto",
"detect-deb",
"environment",
"direct-cpu-clock-access",
"long-sleeps",
"runtime-modules"
],
"references": [
"EternalRocks MALWARE RANSOM TROJAN EVADER",
"The 2017 timeline accurately fits victim\u2019s major financial and other continuous First attacks began in 10/2013. Upgraded",
"With so many \u2018officials\u2019 involved, it\u2019s hard to believe \u2018 The Shadow Brokers\u2019 isnt a government entity.",
"Strangely NSO Group The Lazarus Group The Shadow Brokers and others attack an individual",
"Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,TrojanDownloader:Win32/Eterock.A",
"IDS Detections: Possible ETERNALROCKS .Net Module Download TLS Handshake Failure",
"Yara Detections: SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost ,",
"Yara Detections: EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"Alerts: network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_i",
"NSA Exploits Used: The malware uses seven Shadow Brokers-leaked tools, including EternalBlue, EternalChampion,",
"EternalRomance, and EternalSynergy. Stealth",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Yara Matches",
"Matches rule EternalRocks_svchost from ruleset crime_eternalrocks by Florian Roth (Nextron Systems)",
"Matches rule SUSP_NET_NAME_ConfuserEx from ruleset gen_github_net_redteam_tools_names by Arnim Rupp",
"Matches rule INDICATOR_EXE_Packed_ConfuserEx from ruleset indicator_packed",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Sigma Matches",
"Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"Matches rule Uncommon Svchost Command Line Parameter by Liran Ravich",
"Matches rule Uncommon Schost Parent Process by Florian Roth (Nextron Systems)",
"Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Shelton, Nasreddine Bencherchali (Nextron stems",
"Matches rule Windows Processes Suspicious Parent Directory by vburov",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced IDS rules",
"Matches rule DELETED SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt",
"Matches rule MALWARE-CNC DNS Fast Flux attempt",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 252",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 333",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 778",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 815",
"Matches rule ET POLICY TLS possible TOR SSL traffic",
"Matches rule ET JA3 Hash - Possible Malwar RigEK/Cryptowall/Dridex",
"Matches rule ET JA3 Hash - [Abuse.ch] Possible Ransomware",
"Matches rule SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Ransomware)",
"Matches rule POLICY-OTHER TOR Project domain request",
"Dynamic sandbox CZAE flags this file as: STEALER",
"https://github.com/stamparm/EternalRocks",
"(The Shadow Brokers NSA dump) SMB exploits: ETERNALBLUE, ETERNALCHAMPION,",
"ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.",
"REFERENCE: https://twitter.com/stamparm/status/864865144748298242 RULE_AUTHOR: Florian Roth",
"RULE_LINK: https://valhalla.nextron-systems.com/info/rule/EternalRocks_svchost_FR",
"DESCRIPTION: Detects EternalRocks Malware - file taskhost.exe",
"TNULL: unknown empty EMPTY FILEHASH-MD5 d41d8cd98f00b204e9800998ecf8427e",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"Matches rule Suspicious History File Operat Mikhail Larin, oscd.community",
"Matches rule SURICATA STREAM Packet with invalid timestamp"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "EternalRocks",
"display_name": "EternalRocks",
"target": null
},
{
"id": "CVE-2017-0148",
"display_name": "CVE-2017-0148",
"target": null
},
{
"id": "Exploit:PowerShell/CVE-2017-0143",
"display_name": "Exploit:PowerShell/CVE-2017-0143",
"target": "/malware/Exploit:PowerShell/CVE-2017-0143"
},
{
"id": "trojan.eternalrocks/shadowbrokers",
"display_name": "trojan.eternalrocks/shadowbrokers",
"target": null
}
],
"attack_ids": [
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1408",
"name": "Disguise Root/Jailbreak Indicators",
"display_name": "T1408 - Disguise Root/Jailbreak Indicators"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
}
],
"industries": [
"Finance",
"Government",
"Insurance",
"Civilians",
"Health"
],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 82,
"FileHash-SHA1": 76,
"FileHash-SHA256": 700,
"URL": 280,
"domain": 46,
"hostname": 233,
"CVE": 2
},
"indicator_count": 1419,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "54 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "697488f095f69d392afd00fb",
"name": "Fidelity Investments \u2022\u2019 EternalRocks | Financial Crimes",
"description": "Fidelity Life and Guarantee defaults to Fidelity Investments. Long standing issue. Possible phishing email interception. Multiple accounts stolen at the time a man who presents himself as M. Brian Sabey Esq. Elder/Estate attorney unable to\nsettle life claim more action was requested. Attorney repeatedly redirected to an investment team. We decided to use targets phone to\ntest results , payout is overdue. Illegal tactics were used to defraud victim/s.. Fraud operators ask for SSN and later state they cannot help. L of Fraud phone , \u2018team\u2019 cannot complete internal phone transfers.,can conference you in to other people who act confused , disheveled who also\nask for SSN. \n\nSince victims experiences less\nthan covert interactions, I\u2019m unclear as to why there is a strong FBI, CIA , Palantir Foundry presence. It\u2019s rattling . \nReiterating : Entity steals financial products, health , life insurance policies, investment accounts, credit card frauds , bank accounts,intellectual property anything of value.",
"modified": "2026-02-23T07:04:04.285000",
"created": "2026-01-24T08:55:12.845000",
"tags": [
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"ck techniques",
"evasion att",
"t1480 execution",
"href",
"ascii text",
"pattern match",
"mitre att",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"form",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"active related",
"url https",
"related pulses",
"url http",
"united",
"czechia",
"hong kong",
"ipv4",
"indicators hong",
"kong",
"south korea",
"netherlands",
"germany",
"ireland",
"denmark",
"sweden",
"active",
"government",
"finance",
"security",
"type indicator",
"yara detections",
"av detections",
"ids detections",
"alerts",
"analysis date",
"mcsf",
"microsoft",
"yara",
"insurance",
"fidelity investments",
"description",
"fidelity international",
"ms windows",
"pe32",
"writeconsolew",
"read c",
"pe32 executable",
"t1045",
"susp",
"write",
"win64",
"malware",
"modified",
"ck ids",
"t1040",
"sniffing",
"packing",
"t1112",
"packing t1045",
"icmp traffic",
"memcommit",
"pe section",
"low software",
"pe resource",
"win32",
"trojan",
"april",
"sara ligorria",
"tramp advert",
"black paper",
"createdate",
"subject laser",
"title laser",
"format",
"types of",
"japan",
"regsetvalueexa",
"regdword",
"regbinary",
"module download",
"tls handshake",
"high",
"defense evasion",
"discovery att",
"adversaries",
"title",
"role",
"flag",
"name server",
"server",
"domain address",
"markmonitor",
"clicktale ltd",
"enom",
"whoisguard",
"medium",
"unicode",
"rgba",
"delete",
"crlf line",
"next",
"dock",
"execution",
"date",
"users",
"tls sni",
"total",
"cnc domain",
"search",
"oamazon",
"cnamazon rsa",
"push",
"failure yara",
"contacted",
"hours ago",
"created",
"cia",
"fbi",
"telegram",
"tulach",
"sabey",
"state",
"gov",
"ahmann",
"financial fraud",
"t-mobile",
"walmartmobile",
"life insurance",
"fidelity life",
"guarantee",
"team",
"role title",
"added active",
"scan",
"iocs",
"learn more",
"filehashsha1",
"filehashmd5",
"kw3recepten",
"domainname0",
"searchbox0",
"kw1brinta",
"kw2muesli",
"indicator role",
"title added",
"pulses url",
"cve cve20170147",
"apple",
"apple id"
],
"references": [
"https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226",
"https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com",
"http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com",
"https://bhive.nectar.social/rKvoMY",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe",
"ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,",
"TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161",
"Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.",
"EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name",
"Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.",
"Domains Contacted api.nuget.org",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png",
"https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.fidelity.com/ https://www.fidelity.com/",
"cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99",
"cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl",
"https://www.anyxxxtube.net/search-porn/",
"https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears",
"fidelity-account.com e http://fidelity-account.com/fidelity/code.html",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex",
"http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022",
"\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:",
"https://bhive.nectar.social/rKvoMY",
"apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co",
"http://appleid.app",
"https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win64:Trojan-gen",
"display_name": "Win64:Trojan-gen",
"target": null
},
{
"id": "Trojan:MSIL/Ursu.KP",
"display_name": "Trojan:MSIL/Ursu.KP",
"target": "/malware/Trojan:MSIL/Ursu.KP"
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F",
"target": null
},
{
"id": "Trojan:PDF/Phish.RR!MTB",
"display_name": "Trojan:PDF/Phish.RR!MTB",
"target": "/malware/Trojan:PDF/Phish.RR!MTB"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": ": ALF:Trojan:MSIL/Azorult.AC!",
"display_name": ": ALF:Trojan:MSIL/Azorult.AC!",
"target": null
},
{
"id": "ALF:Trojan:Win32/CryptWrapper.RT!MTB",
"display_name": "ALF:Trojan:Win32/CryptWrapper.RT!MTB",
"target": null
},
{
"id": "Trojan:Win32/Conbea!rfn",
"display_name": "Trojan:Win32/Conbea!rfn",
"target": "/malware/Trojan:Win32/Conbea!rfn"
},
{
"id": "Trojan:Win32/Ausiv!rfn",
"display_name": "Trojan:Win32/Ausiv!rfn",
"target": "/malware/Trojan:Win32/Ausiv!rfn"
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat",
"target": null
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "TrojanDropper:Win32/Qhost",
"display_name": "TrojanDropper:Win32/Qhost",
"target": "/malware/TrojanDropper:Win32/Qhost"
},
{
"id": "Trojan:Win32/Miner.KA!MTB",
"display_name": "Trojan:Win32/Miner.KA!MTB",
"target": "/malware/Trojan:Win32/Miner.KA!MTB"
},
{
"id": "DNSTrojan",
"display_name": "DNSTrojan",
"target": null
},
{
"id": "EternalRocks",
"display_name": "EternalRocks",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Government",
"Finance",
"Insurance"
],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2793,
"URL": 6639,
"FileHash-SHA256": 2462,
"domain": 1070,
"FileHash-MD5": 307,
"FileHash-SHA1": 186,
"SSLCertFingerprint": 1,
"email": 1,
"CVE": 3
},
"indicator_count": 13462,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "55 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696f7d467763ed4d4e74d133",
"name": "Federal Government-Cellebrite Attack found actively targeting iOS and other devices | Mirai login attempts | TelNet Login",
"description": "https://cellebrite.com/en/federal-government/ | Found on a crime victims devices. Targets abused by spyware in an unethical manner by andvesarial \u2018governmental\u2019 possibly \u2018contracted\u2019 entities. Waged against targets such as victims of crime , journalists , researchers , students. Target Users: Serves public safety, enterprise, and government sectors, aiding first responders, investigators, prosecutors, and analysts. How it's Used Law enforcement uses it to unlock devices and retrieve evidence like messages, location history, and app data for criminal investigations. It helps uncover critical information from digital devices, even recovering data that users thought was permanently deleted. Controversy & Privacy Concerns While marketed as a tool for lawful investigations, its powerful data extraction capabilities raise significant privacy concerns and ethical debates.",
"modified": "2026-02-19T12:05:47.166000",
"created": "2026-01-20T13:04:06.622000",
"tags": [
"url https",
"url http",
"germany",
"united",
"ukraine",
"japan",
"extraction",
"data upload",
"urls",
"url analysis",
"enter sc",
"extr",
"iocs",
"active",
"france unknown",
"present jan",
"servers",
"homair sweet",
"grabber",
"encrypt",
"ipv4",
"role title",
"divx",
"pitfall",
"internet",
"ip role",
"america asn",
"extraction data",
"leveibielabs",
"all se",
"enter source",
"url or",
"texirag",
"drop",
"present nov",
"united states",
"america",
"levdibidelabs",
"failed",
"idron anv",
"include manualv",
"review data",
"iterng",
"name servers",
"passive dns",
"incapsula",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"script head",
"request",
"cookie",
"indicator",
"msie",
"chrome",
"backdoor",
"gmt content",
"ipv4 add",
"twitter",
"title",
"process32nextw",
"ms windows",
"intel",
"pe32",
"regopenkeyexa",
"read c",
"medium",
"class",
"write",
"template",
"present oct",
"present jul",
"aaaa",
"present sep",
"present aug",
"url add",
"http",
"hostname",
"related tags",
"kx81xdbx0f",
"x86xd3",
"xa7xe28x06",
"x82xd4",
"delete c",
"regsetvalueexa",
"regbinary",
"xa1xf1",
"xe8xc2x14",
"malware",
"stream",
"unknown",
"win32",
"persistence",
"execution",
"push",
"present dec",
"italy",
"present jun",
"embeddedwb",
"whitelisted",
"windows nt",
"dns traffic",
"russia",
"cname",
"accept",
"destination",
"port",
"et smtp",
"message",
"et trojan",
"components",
"suspicious",
"download",
"hostile",
"next",
"logic",
"gather victim",
"et info",
"etpro trojan",
"trojan",
"report spam",
"interesting",
"created",
"pegasus",
"manipulation",
"service",
"capture",
"et",
"etpro",
"host",
"attack",
"mtb description",
"windows",
"shellexecuteexw",
"writeconsolew",
"registry",
"t1031",
"modify existing",
"dock",
"type indicator",
"added active",
"related pulses",
"arcflex",
"filehashsha1",
"types of",
"learn more",
"filehashsha256",
"cellebrite",
"white label",
"search",
"sha1",
"france",
"cmanual jan",
"expiration date",
"domain add",
"pulse submit",
"files",
"ip address",
"gmt cache",
"sameorigin",
"reverse dns",
"unknown ns",
"admin org",
"zipcode",
"gmt server",
"pulse pulses",
"entries",
"hostname add",
"verdict",
"germany unknown",
"status",
"domain",
"xpirat",
"netherlands",
"netherlands asn",
"as35280 acorus",
"dns resolutions",
"error",
"files ip",
"copy",
"telnet login",
"suspicious path",
"busybox",
"login attempt",
"gpl telnet",
"high",
"tcp syn",
"telnet root",
"path",
"mirai",
"emails",
"domain name",
"jlu11q",
"tqbplo",
"hours ago",
"found",
"yahoo",
"gmail",
"yandex",
"https://cellebrite.com/en/federal-government/",
"monitoring",
"monitored target",
"dangerous",
"spyware",
"80211",
"colorado",
"x amz",
"government",
"mirai login attempt",
"emotet",
"c2",
".ru",
".com",
"denver",
"indicator role",
"title added",
"active related",
"pulses hostname",
"dead connect",
"hostile",
"adversarial",
"abuse",
"criminal intent",
"block messages",
"botnet"
],
"references": [
"fastwebnet.it | Cellebrite White Label Spyware Service",
"putrhnwl.exe",
"Yara Detections: Nullsoft_NSIS",
"Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut",
"Alerts: exe_appdata injection_process_search privilege_luid_check process_interest",
"Alerts: queries_programs antivm_queries_computername antivm_memory_available",
"IP\u2019s Contacted : 54.230.129.165",
"Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com",
"Domains Contacted: pitfall.divx.com www.google.com",
"RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Yara: Detections Tofsee",
"Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey",
"Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername",
"https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966",
"FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,",
"DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe",
"ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116",
"ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116",
"ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101",
"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108",
"ET TROJAN Suspicious double Server Header",
"ET DNS DNS Query to a .tk domain - Likey",
"ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101",
"Needs to be sorted. Actively being exploited on US",
"162.159.134.42 \u2022 https://cellebrite.com/",
"https://cellebrite.com/en/federal-government/",
"moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in",
"skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au",
"http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com",
"applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33",
"mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my",
"http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Germany",
"Ireland",
"Switzerland",
"Poland",
"Belgium",
"Netherlands",
"Sweden"
],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
},
{
"id": "Trojan:Win32/Emotet.PC!MTB",
"display_name": "Trojan:Win32/Emotet.PC!MTB",
"target": "/malware/Trojan:Win32/Emotet.PC!MTB"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Trojan:Win32/Danabot",
"display_name": "Trojan:Win32/Danabot",
"target": "/malware/Trojan:Win32/Danabot"
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Trojan:Win32/Aptdrop.RU",
"display_name": "Trojan:Win32/Aptdrop.RU",
"target": "/malware/Trojan:Win32/Aptdrop.RU"
},
{
"id": "Ransomware/Win.Stop.R4529",
"display_name": "Ransomware/Win.Stop.R4529",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Win32/BackdoorX",
"display_name": "Win32/BackdoorX",
"target": null
},
{
"id": "Win.Trojan.Dialog-9873788-0",
"display_name": "Win.Trojan.Dialog-9873788-0",
"target": null
},
{
"id": "Tsunami-6981155-0",
"display_name": "Tsunami-6981155-0",
"target": null
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1195",
"name": "Supply Chain Compromise",
"display_name": "T1195 - Supply Chain Compromise"
},
{
"id": "T1196",
"name": "Control Panel Items",
"display_name": "T1196 - Control Panel Items"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1414",
"name": "Capture Clipboard Data",
"display_name": "T1414 - Capture Clipboard Data"
},
{
"id": "T1505",
"name": "Server Software Component",
"display_name": "T1505 - Server Software Component"
},
{
"id": "T1556",
"name": "Modify Authentication Process",
"display_name": "T1556 - Modify Authentication Process"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1581",
"name": "Geofencing",
"display_name": "T1581 - Geofencing"
},
{
"id": "T1582",
"name": "SMS Control",
"display_name": "T1582 - SMS Control"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1587",
"name": "Develop Capabilities",
"display_name": "T1587 - Develop Capabilities"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [
"Journalists",
"Government",
"Civil Society"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4994,
"domain": 2519,
"hostname": 3281,
"FileHash-SHA256": 4467,
"FileHash-MD5": 1118,
"FileHash-SHA1": 1056,
"email": 12,
"SSLCertFingerprint": 1
},
"indicator_count": 17448,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "58 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac416596cd89cf76bce55",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:04:53.997000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://sa.josht.ca/",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://sa.josht.ca/",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776597461.3854609
}