{
  "type": "URL",
  "indicator": "https://scripts.4boas.fhjtimes.com/",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://scripts.4boas.fhjtimes.com/",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3777740047,
      "indicator": "https://scripts.4boas.fhjtimes.com/",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 18,
      "pulses": [
        {
          "id": "69bf8e2663d5480917ddb699",
          "name": "Pegasus - https://house.mo.gov/ | Brian Sabey HallRender [i cloned OctoSeek] T8",
          "description": "",
          "modified": "2026-03-22T08:35:26.266000",
          "created": "2026-03-22T06:37:26.233000",
          "tags": [
            "united",
            "as393601 state",
            "a domains",
            "passive dns",
            "as397241",
            "certificate",
            "urls",
            "search",
            "showing",
            "entries",
            "algorithm",
            "full name",
            "data",
            "v3 serial",
            "number",
            "cus cndigicert",
            "global g2",
            "tls rsa",
            "sha256",
            "ca1 odigicert",
            "info",
            "record type",
            "ttl value",
            "all txt",
            "ssl certificate",
            "whois record",
            "contacted",
            "referrer",
            "resolutions",
            "historical ssl",
            "communicating",
            "problems",
            "parent domain",
            "njrat",
            "ransomware",
            "startpage",
            "historical",
            "malware",
            "execution",
            "threat roundup",
            "april",
            "september",
            "remcos rat",
            "august",
            "june",
            "qakbot",
            "push",
            "service",
            "privateloader",
            "amadey",
            "powershell",
            "qbot",
            "cobalt strike",
            "core",
            "hacktool",
            "november",
            "october",
            "roundup",
            "threat network",
            "cellbrite",
            "february",
            "emotet",
            "maze",
            "metro",
            "dark",
            "malicious",
            "team",
            "critical",
            "copy",
            "awful",
            "parallax rat",
            "banker",
            "keylogger",
            "dns replication",
            "date",
            "csc corporate",
            "domains",
            "code",
            "server",
            "registrar abuse",
            "registrar iana",
            "registry domain",
            "registrar url",
            "registrar",
            "contact phone",
            "apple ios",
            "quasar",
            "remcos",
            "ursnif",
            "chaos",
            "ransomexx",
            "azorult",
            "agent tesla",
            "evilnum",
            "asyncrat",
            "win32 exe",
            "wininit",
            "beta version",
            "cmstp",
            "taskscheduler",
            "ieudinit",
            "nat32",
            "certsentry",
            "type name",
            "wc3 rpg",
            "pegasus",
            "unknown",
            "domain",
            "servers",
            "germany unknown",
            "name servers",
            "status",
            "next",
            "as29066 host",
            "as133618",
            "cname",
            "as47846",
            "scan endpoints",
            "all octoseek",
            "pulse pulses",
            "encrypt",
            "china unknown",
            "as38365 beijing",
            "as134175 unit",
            "707713",
            "hong kong",
            "virgin islands",
            "as6461 zayo",
            "ransom",
            "exploit",
            "ipv4",
            "pulse submit",
            "url analysis",
            "trojan",
            "body",
            "click",
            "creation date",
            "emails",
            "expiration date",
            "domain privacy",
            "hostname",
            "dynamicloader",
            "state",
            "medium",
            "msie",
            "windows nt",
            "wow64",
            "show",
            "slcc2",
            "media center",
            "error",
            "delphi",
            "guard",
            "write",
            "win32",
            "target",
            "redir",
            "facebook",
            "dcom",
            "local",
            "delete",
            "utf8",
            "unicode text",
            "crlf line",
            "rgba",
            "yara detections",
            "default",
            "asnone",
            "get na",
            "dns lookup",
            "probe ms17010",
            "eternalblue",
            "playgame",
            "high",
            "related pulses",
            "yara rule",
            "anomalous file",
            "dynamic",
            "malware infection",
            "cnc",
            "procmem_yara",
            "antivm_generic_disk",
            "modify_proxy infostealer_cookies",
            "network_http",
            "anomalous_deletefile",
            "antidebug_guardpages",
            "powershell_request",
            "powershell_download",
            "as63949 linode",
            "mtb feb",
            "open ports",
            "backdoor",
            "gmt content",
            "trojandropper",
            "simda",
            "lockbit",
            "win.trojan",
            "midia-4",
            "floxif",
            "cryptowall",
            "brontok",
            "check in",
            "record value",
            "files",
            "location united",
            "america asn",
            "as16509",
            "download",
            "threat",
            "paste",
            "iocs",
            "analyze",
            "hostnames",
            "urls http",
            "samples",
            "tsara brashears",
            "2nd corintnthians 4:8-9",
            "injection_inter_process",
            "injection_create_remote_thread",
            "persistence_autorun",
            "bypass_firewall",
            "disables_windowsupdate",
            "dynamic_function_loading",
            "http_request",
            "query",
            "delete c",
            "activity dns",
            "components",
            "file execution",
            "observed dns",
            "as4837 china",
            "nxdomain",
            "a nxdomain",
            "wannacry",
            "missouri",
            "safebae",
            "hallrender",
            "house.mo.gov",
            "typosquatting",
            "tactics",
            "google",
            "win64",
            "khtml",
            "gecko",
            "veryhigh",
            "aes256gcm",
            "dalles",
            "cookie",
            "urls https",
            "xpcegvo2adsnq",
            "mhkz",
            "mvi2",
            "keepaliveyes",
            "fexp24007246",
            "nsyt",
            "eva reimer",
            "daisy coleman",
            "brian sabey",
            "https://lawlink.com/documents/10935/blackbag-technologies-announ"
          ],
          "references": [
            "https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov",
            "dns.msftncsi.com",
            "NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184",
            "Target\u2193\u2192 Tsara Brashears:  https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
            "23.216.147.64",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]",
            "http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]",
            "alohatube.xyz [BotNetwork]",
            "facebooksunglassshop.com",
            "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4",
            "oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev",
            "http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/",
            "government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org",
            "https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html",
            "remote.utorrent.com [remote router logins]",
            "Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com",
            "http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online",
            "http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com",
            "http://tvm77.fashiongup.in/tracking/track-open",
            "https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov",
            "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg",
            "http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept",
            "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png",
            "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png",
            "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&",
            "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&",
            "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/",
            "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/",
            "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/",
            "hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com",
            "http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208",
            "https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com",
            "safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/",
            "https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com",
            "https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4",
            "Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js",
            "Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]",
            "Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store",
            "https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]",
            "http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt",
            "sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php",
            "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software"
          ],
          "public": 1,
          "adversary": "NSO Group",
          "targeted_countries": [
            "United States of America",
            "China",
            "Australia",
            "Hong Kong"
          ],
          "malware_families": [
            {
              "id": "Agent Tesla",
              "display_name": "Agent Tesla",
              "target": null
            },
            {
              "id": "Amadey",
              "display_name": "Amadey",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "AZORult",
              "display_name": "AZORult",
              "target": null
            },
            {
              "id": "Chaos",
              "display_name": "Chaos",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "EVILNUM",
              "display_name": "EVILNUM",
              "target": null
            },
            {
              "id": "Dark",
              "display_name": "Dark",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            },
            {
              "id": "Keylogger",
              "display_name": "Keylogger",
              "target": null
            },
            {
              "id": "Maze",
              "display_name": "Maze",
              "target": null
            },
            {
              "id": "NjRAT",
              "display_name": "NjRAT",
              "target": null
            },
            {
              "id": "Parallax RAT",
              "display_name": "Parallax RAT",
              "target": null
            },
            {
              "id": "Pegasus",
              "display_name": "Pegasus",
              "target": null
            },
            {
              "id": "QakBot",
              "display_name": "QakBot",
              "target": null
            },
            {
              "id": "QBot",
              "display_name": "QBot",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "RansomEXX",
              "display_name": "RansomEXX",
              "target": null
            },
            {
              "id": "Ransomware",
              "display_name": "Ransomware",
              "target": null
            },
            {
              "id": "Remcos RAT",
              "display_name": "Remcos RAT",
              "target": null
            },
            {
              "id": "Ursnif",
              "display_name": "Ursnif",
              "target": null
            },
            {
              "id": "Win.Trojan.Agent-336074",
              "display_name": "Win.Trojan.Agent-336074",
              "target": null
            },
            {
              "id": "Arid.Viper_CnC",
              "display_name": "Arid.Viper_CnC",
              "target": null
            },
            {
              "id": "WininiCrypt",
              "display_name": "WininiCrypt",
              "target": null
            },
            {
              "id": "PWS:Win32/QQpass.CI",
              "display_name": "PWS:Win32/QQpass.CI",
              "target": "/malware/PWS:Win32/QQpass.CI"
            },
            {
              "id": "Win.Trojan.Midia-4",
              "display_name": "Win.Trojan.Midia-4",
              "target": null
            },
            {
              "id": "LockBit",
              "display_name": "LockBit",
              "target": null
            },
            {
              "id": "Win32/SocStealer!rfn",
              "display_name": "Win32/SocStealer!rfn",
              "target": null
            },
            {
              "id": "Backdoor.Win32.Shiz.ufj",
              "display_name": "Backdoor.Win32.Shiz.ufj",
              "target": null
            },
            {
              "id": "Email-Worm.Win32.Brontok.n",
              "display_name": "Email-Worm.Win32.Brontok.n",
              "target": null
            },
            {
              "id": "ETERNALBLUE",
              "display_name": "ETERNALBLUE",
              "target": null
            },
            {
              "id": "WannaCry",
              "display_name": "WannaCry",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
              "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65c91f2b7c03b480379ae4d1",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2668,
            "FileHash-SHA1": 2469,
            "FileHash-SHA256": 8054,
            "URL": 6185,
            "domain": 2421,
            "hostname": 3042,
            "CVE": 5,
            "email": 15,
            "CIDR": 1,
            "IPv4": 18
          },
          "indicator_count": 24878,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "29 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6962b68da732abc66a0c2caf",
          "name": "Der Zugriff \u2022 Kanna \u2022 MyDoom \u2022 Sigur - Pahamify Pegasus",
          "description": "Pahamify Pegasus | Execution Attack, Access Attack | Drive by Compromise | \nSifting through Pahamify Pegasus this is no longer your computer , injection, google connects, remote connections, remote mouse movement, remote access, Google espionage, bad traffic, Apple complicit access. This is your Google account and browser, this is your appleid. Still researching\u2026. || \n*https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_ ||\nMalware: Der Zugriff ,\nKanna ,\nMyDoom ,\nSigur \n#firebase #google_connection #bible_gateway_honeypot #crypto #hidden_users #who_else",
          "modified": "2026-02-09T19:00:09.890000",
          "created": "2026-01-10T20:29:01.675000",
          "tags": [
            "ip address",
            "status code",
            "kb body",
            "iocs",
            "deny age",
            "cloudfront",
            "utc google",
            "tag manager",
            "g8t6ln06z40",
            "utc na",
            "google tag",
            "injection",
            "t1055 malware",
            "tree",
            "help v",
            "defense evasion",
            "injection t1055",
            "resolved ips",
            "get http",
            "dns resolutions",
            "v memory",
            "pattern domains",
            "full reports",
            "v help",
            "memory pattern",
            "urls https",
            "hashes",
            "tiktok",
            "microsoft",
            "dashboard falcon",
            "request",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "response",
            "appleid",
            "united",
            "name servers",
            "aaaa",
            "servers",
            "moved",
            "script urls",
            "passive dns",
            "urls",
            "data upload",
            "extraction",
            "failed",
            "jsvendor",
            "jsapp",
            "script script",
            "cssapp",
            "jsfirebase",
            "pegasus",
            "encrypt",
            "title error",
            "ipv4",
            "files",
            "reverse dns",
            "united states",
            "malware",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "spawns",
            "execution att",
            "t1204 user",
            "script",
            "beginstring",
            "bad traffic",
            "et info",
            "null",
            "title",
            "refresh",
            "span",
            "strings",
            "error",
            "tools",
            "meta",
            "look",
            "verify",
            "restart",
            "mitre att",
            "ascii text",
            "pattern match",
            "ck matrix",
            "tls handshake",
            "hybrid",
            "general",
            "local",
            "path",
            "click",
            "ck techniques",
            "access att",
            "div div",
            "a li",
            "ul div",
            "record value",
            "emails",
            "accept",
            "referen https",
            "microsoft-falcon.net",
            "proxy",
            "status",
            "certificate",
            "updated date",
            "whois server",
            "zipcode",
            "entries http",
            "scans show",
            "search",
            "matches x",
            "type",
            "gmt cache",
            "all ipv4",
            "america flag",
            "america asn",
            "sameorigin",
            "urls show",
            "date checked",
            "url hostname",
            "server response",
            "google safe",
            "results jan",
            "ipv4 add",
            "win32mydoom jan",
            "trojan",
            "worm",
            "expiration date",
            "files show",
            "date hash",
            "avast avg",
            "win32mydoom",
            "backdoor",
            "found",
            "gmt connection",
            "control",
            "content type",
            "twitter",
            "dynamicloader",
            "medium",
            "high",
            "msie",
            "wow64",
            "slcc2",
            "media center",
            "write",
            "global",
            "domain name",
            "hostname",
            "apple",
            "racebook",
            "mouse movement",
            "remote mouse",
            "domain",
            "hostname add",
            "url analysis",
            "crlf line",
            "ff d5",
            "unicode text",
            "utf8",
            "ee fc",
            "yara rule",
            "f0 ff",
            "ff bb",
            "music",
            "push",
            "autorun",
            "unknown",
            "present sep",
            "present may",
            "present jan",
            "present aug",
            "cname",
            "present nov",
            "present jun",
            "apache",
            "body",
            "pragma",
            "found registry",
            "able",
            "model",
            "indicator",
            "source",
            "show technique",
            "file",
            "internet",
            "errore",
            "erreur",
            "download",
            "service",
            "crypto",
            "compiler",
            "installer",
            "yang",
            "updater",
            "shutdown",
            "thunk",
            "este",
            "install",
            "reboot",
            "code",
            "downloader",
            "sigur",
            "kanna",
            "der zugriff",
            "google",
            "chrome",
            "Pahamify Pegasus",
            "christoper p. ahmann",
            "law enforcement",
            "retaliation",
            "phone",
            "espionage",
            "united states",
            "m brian sabey",
            "quasi government",
            "target",
            "monitored targeting",
            "aig",
            "therahand (old name)",
            "target: tsara brashears",
            "douglas county, co",
            "sheriff",
            "industry and commerce",
            "worker\u2019s compensation",
            "crime",
            "financial crime",
            "danger",
            "nem tih",
            "amazon",
            "aws",
            "amazon aws",
            "deal",
            "deal with it lawfully",
            "pay victim",
            "protecting reimer"
          ],
          "references": [
            "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com",
            "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
            "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur",
            "Pahamify Pegasus",
            "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)",
            "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android",
            "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4",
            "tv.apple.com",
            "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net",
            "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 ,  Trojan:Win32/Pariham.A",
            "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)",
            "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)",
            "IDS: TLS Handshake Failure",
            "Yara Detections BackdoorWin32Simda",
            "Google_Chrome_64bit_v136.0.7103.49.exe",
            "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7",
            "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
            "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
            "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com",
            "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022",
            "https://wallpapers-nature.com/tsara-brashears/urlscan-io"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Pariham.A",
              "display_name": "Trojan:Win32/Pariham.A",
              "target": "/malware/Trojan:Win32/Pariham.A"
            },
            {
              "id": "MyDoom",
              "display_name": "MyDoom",
              "target": null
            },
            {
              "id": "Virus:Win95/Cerebrus",
              "display_name": "Virus:Win95/Cerebrus",
              "target": "/malware/Virus:Win95/Cerebrus"
            },
            {
              "id": "AutoRunIt",
              "display_name": "AutoRunIt",
              "target": null
            },
            {
              "id": "Sigur",
              "display_name": "Sigur",
              "target": null
            },
            {
              "id": "Kanna",
              "display_name": "Kanna",
              "target": null
            },
            {
              "id": "Der Zugriff",
              "display_name": "Der Zugriff",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1568.002",
              "name": "Domain Generation Algorithms",
              "display_name": "T1568.002 - Domain Generation Algorithms"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1589",
              "name": "Gather Victim Identity Information",
              "display_name": "T1589 - Gather Victim Identity Information"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1591",
              "name": "Gather Victim Org Information",
              "display_name": "T1591 - Gather Victim Org Information"
            },
            {
              "id": "T1592",
              "name": "Gather Victim Host Information",
              "display_name": "T1592 - Gather Victim Host Information"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1036.004",
              "name": "Masquerade Task or Service",
              "display_name": "T1036.004 - Masquerade Task or Service"
            },
            {
              "id": "T1444",
              "name": "Masquerade as Legitimate Application",
              "display_name": "T1444 - Masquerade as Legitimate Application"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1410",
              "name": "Network Traffic Capture or Redirection",
              "display_name": "T1410 - Network Traffic Capture or Redirection"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1007",
              "name": "System Service Discovery",
              "display_name": "T1007 - System Service Discovery"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1029",
              "name": "Scheduled Transfer",
              "display_name": "T1029 - Scheduled Transfer"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1074",
              "name": "Data Staged",
              "display_name": "T1074 - Data Staged"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1213",
              "name": "Data from Information Repositories",
              "display_name": "T1213 - Data from Information Repositories"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1489",
              "name": "Service Stop",
              "display_name": "T1489 - Service Stop"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1529",
              "name": "System Shutdown/Reboot",
              "display_name": "T1529 - System Shutdown/Reboot"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1559",
              "name": "Inter-Process Communication",
              "display_name": "T1559 - Inter-Process Communication"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1570",
              "name": "Lateral Tool Transfer",
              "display_name": "T1570 - Lateral Tool Transfer"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            },
            {
              "id": "T1569.002",
              "name": "Service Execution",
              "display_name": "T1569.002 - Service Execution"
            },
            {
              "id": "T1543.003",
              "name": "Windows Service",
              "display_name": "T1543.003 - Windows Service"
            },
            {
              "id": "T1546.015",
              "name": "Component Object Model Hijacking",
              "display_name": "T1546.015 - Component Object Model Hijacking"
            },
            {
              "id": "T1055.003",
              "name": "Thread Execution Hijacking",
              "display_name": "T1055.003 - Thread Execution Hijacking"
            },
            {
              "id": "T1134.001",
              "name": "Token Impersonation/Theft",
              "display_name": "T1134.001 - Token Impersonation/Theft"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1134.002",
              "name": "Create Process with Token",
              "display_name": "T1134.002 - Create Process with Token"
            },
            {
              "id": "T1070.006",
              "name": "Timestomp",
              "display_name": "T1070.006 - Timestomp"
            },
            {
              "id": "T1564.003",
              "name": "Hidden Window",
              "display_name": "T1564.003 - Hidden Window"
            },
            {
              "id": "T1497.003",
              "name": "Time Based Evasion",
              "display_name": "T1497.003 - Time Based Evasion"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1497.002",
              "name": "User Activity Based Checks",
              "display_name": "T1497.002 - User Activity Based Checks"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1027.005",
              "name": "Indicator Removal from Tools",
              "display_name": "T1027.005 - Indicator Removal from Tools"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1074.001",
              "name": "Local Data Staging",
              "display_name": "T1074.001 - Local Data Staging"
            },
            {
              "id": "T1560.002",
              "name": "Archive via Library",
              "display_name": "T1560.002 - Archive via Library"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            }
          ],
          "industries": [
            "Civil Society",
            "Legal",
            "Government",
            "Technology",
            "Telecommunications",
            "Financial"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 6094,
            "domain": 1195,
            "hostname": 2001,
            "FileHash-SHA256": 2598,
            "FileHash-MD5": 546,
            "FileHash-SHA1": 403,
            "email": 16,
            "CVE": 2,
            "SSLCertFingerprint": 3
          },
          "indicator_count": 12858,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "69 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e2bb5d9ee8577ab5519f2c",
          "name": "Meritshealth with DoD links? ",
          "description": "",
          "modified": "2026-01-13T00:05:56.401000",
          "created": "2025-10-05T18:39:25.286000",
          "tags": [
            "gtmk5nxqc6",
            "utc amazon",
            "utc na",
            "acceptencoding",
            "gmt contenttype",
            "connection",
            "true pragma",
            "gmt setcookie",
            "httponly",
            "gmt vary",
            "nc000000 up",
            "html document",
            "unicode text",
            "utf8 text",
            "oc0006 http",
            "http traffic",
            "https http",
            "mitre att",
            "control ta0011",
            "protocol t1071",
            "match info",
            "t1573 severity",
            "info",
            "number",
            "ja3s",
            "algorithm",
            "azure rsa",
            "tls issuing",
            "cus subject",
            "stwa lredmond",
            "cnmicrosoft ecc",
            "update secure",
            "server ca",
            "omicrosoft cus",
            "get http",
            "dns resolutions",
            "registrar",
            "markmonitor inc",
            "country",
            "resolver domain",
            "type name",
            "html",
            "apnic",
            "apnic whois",
            "please",
            "rirs",
            "cidr",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "development att",
            "name tactics",
            "binary file",
            "ck matrix",
            "wheelchair",
            "iamrobert",
            "pattern match",
            "ascii text",
            "href",
            "united",
            "general",
            "local",
            "path",
            "encrypt",
            "click",
            "passive dns",
            "urls",
            "files",
            "reverse dns",
            "netherlands",
            "present aug",
            "a domains",
            "moved",
            "first pqc",
            "ip address",
            "unknown ns",
            "unknown aaaa",
            "title",
            "body",
            "meta",
            "window",
            "accept",
            "body doctype",
            "welcome",
            "ok server",
            "gmt content",
            "present jul",
            "present sep",
            "aaaa",
            "hostname",
            "error",
            "defense evasion",
            "windows nt",
            "response",
            "vary",
            "strings",
            "core",
            "t1027.013 encrypted/encoded",
            "michelin lazy k",
            "prefetch8",
            "flag",
            "date",
            "starfield",
            "hybrid",
            "mobility cr",
            "extraction",
            "data upload",
            "include",
            "o url",
            "url url",
            "included i0",
            "review ioc",
            "excluded ic",
            "suggested",
            "find sugi",
            "failed",
            "cre pul",
            "enter",
            "enter sc",
            "type",
            "enric",
            "extra",
            "type opaste",
            "data u",
            "included",
            "copy md5",
            "copy sha1",
            "copy sha256",
            "null",
            "refresh",
            "tools",
            "look",
            "verify",
            "restart",
            "t1480 execution",
            "expiration",
            "url https",
            "no expiration",
            "iocs",
            "ipv4",
            "text drag",
            "drop or",
            "browse to",
            "select file",
            "redacted for",
            "server",
            "privacy tech",
            "privacy admin",
            "postal code",
            "stateprovince",
            "organization",
            "email",
            "code",
            "quantum rooms",
            "sam somalia",
            "emp",
            "porn",
            "media defense",
            "gov porn",
            "suck my nips",
            "reimer suspect",
            "jeffrey reimer",
            "dod",
            "department of defense",
            "show",
            "date checked",
            "url hostname",
            "server response",
            "google safe",
            "results may",
            "entries http",
            "scans record",
            "value status",
            "sabey type",
            "merits fake",
            "y.a.s.",
            "pornography",
            "ramsom"
          ],
          "references": [
            "https://www.meritshealth.com/ Defense.Gov Mobility Co?  <https://iamwithrobert.com/>",
            "zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
            "https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
            "https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
            "https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
            "https://pornokind.vgt.pl \u2022  https://cdn2.video.itsyourporn.com",
            "https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
            "https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
            "https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
            "https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
            "https://www2.itsyourporn.com/license.php \u2022  https://www.lovephoto.tw/members",
            "https://members.engine.com/login \u2022  https://members.engine.com/payment-details/220210",
            "https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
            "https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
            "https://maisexo-com.putaria.info/casting \u2022  https://contosadultos-club.sexogratis.page/tudo",
            "https://meumundogay-com.sexogratis.page/locker",
            "https://es.pornhat.com/models/the-sex-creator/",
            "Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
            "Can the DoD no questions asked target a SA victim",
            "Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
            "There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
            "socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
            "There is fear in silence or speaking out",
            "Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
            "3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
            "If someone is believed to be a threat they have right to due process.",
            "Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
            "She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
            "Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
            "Honestly, you\u2019ve never seen or met her no matter how many people you\u2019ve sent out. That\u2019s why you quiz.",
            "ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
            "iamrobert.com Y.A.S.",
            "1.2016 M.Brian Sabey filed a complaint about?  Jeffrey Reimer refused Lie detector test and False memory exam",
            "Target agreed and complied with all lie detector measures.",
            "Is the family allowed to have a funeral for Tsara or print an obituary",
            "No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
            "I am very upset. Whoever is doing this is sick."
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "APNIC",
              "display_name": "APNIC",
              "target": null
            },
            {
              "id": "Malware",
              "display_name": "Malware",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "TA0042",
              "name": "Resource Development",
              "display_name": "TA0042 - Resource Development"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1528",
              "name": "Steal Application Access Token",
              "display_name": "T1528 - Steal Application Access Token"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1591",
              "name": "Gather Victim Org Information",
              "display_name": "T1591 - Gather Victim Org Information"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1562.004",
              "name": "Disable or Modify System Firewall",
              "display_name": "T1562.004 - Disable or Modify System Firewall"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1562.008",
              "name": "Disable Cloud Logs",
              "display_name": "T1562.008 - Disable Cloud Logs"
            },
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1056.003",
              "name": "Web Portal Capture",
              "display_name": "T1056.003 - Web Portal Capture"
            },
            {
              "id": "T1512",
              "name": "Capture Camera",
              "display_name": "T1512 - Capture Camera"
            },
            {
              "id": "T1180",
              "name": "Screensaver",
              "display_name": "T1180 - Screensaver"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "68e2b14d83bb63502feac65e",
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1365,
            "URL": 11172,
            "hostname": 2780,
            "FileHash-MD5": 381,
            "FileHash-SHA256": 4420,
            "FileHash-SHA1": 338,
            "CIDR": 4,
            "SSLCertFingerprint": 24,
            "CVE": 1,
            "email": 1
          },
          "indicator_count": 20486,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "97 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e2b14d83bb63502feac65e",
          "name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
          "description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech  needed. Later denies ever being a mobility technician. They killed  a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
          "modified": "2026-01-07T00:00:30.717000",
          "created": "2025-10-05T17:56:29.109000",
          "tags": [
            "gtmk5nxqc6",
            "utc amazon",
            "utc na",
            "acceptencoding",
            "gmt contenttype",
            "connection",
            "true pragma",
            "gmt setcookie",
            "httponly",
            "gmt vary",
            "nc000000 up",
            "html document",
            "unicode text",
            "utf8 text",
            "oc0006 http",
            "http traffic",
            "https http",
            "mitre att",
            "control ta0011",
            "protocol t1071",
            "match info",
            "t1573 severity",
            "info",
            "number",
            "ja3s",
            "algorithm",
            "azure rsa",
            "tls issuing",
            "cus subject",
            "stwa lredmond",
            "cnmicrosoft ecc",
            "update secure",
            "server ca",
            "omicrosoft cus",
            "get http",
            "dns resolutions",
            "registrar",
            "markmonitor inc",
            "country",
            "resolver domain",
            "type name",
            "html",
            "apnic",
            "apnic whois",
            "please",
            "rirs",
            "cidr",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "development att",
            "name tactics",
            "binary file",
            "ck matrix",
            "wheelchair",
            "iamrobert",
            "pattern match",
            "ascii text",
            "href",
            "united",
            "general",
            "local",
            "path",
            "encrypt",
            "click",
            "passive dns",
            "urls",
            "files",
            "reverse dns",
            "netherlands",
            "present aug",
            "a domains",
            "moved",
            "first pqc",
            "ip address",
            "unknown ns",
            "unknown aaaa",
            "title",
            "body",
            "meta",
            "window",
            "accept",
            "body doctype",
            "welcome",
            "ok server",
            "gmt content",
            "present jul",
            "present sep",
            "aaaa",
            "hostname",
            "error",
            "defense evasion",
            "windows nt",
            "response",
            "vary",
            "strings",
            "core",
            "t1027.013 encrypted/encoded",
            "michelin lazy k",
            "prefetch8",
            "flag",
            "date",
            "starfield",
            "hybrid",
            "mobility cr",
            "extraction",
            "data upload",
            "include",
            "o url",
            "url url",
            "included i0",
            "review ioc",
            "excluded ic",
            "suggested",
            "find sugi",
            "failed",
            "cre pul",
            "enter",
            "enter sc",
            "type",
            "enric",
            "extra",
            "type opaste",
            "data u",
            "included",
            "copy md5",
            "copy sha1",
            "copy sha256",
            "null",
            "refresh",
            "tools",
            "look",
            "verify",
            "restart",
            "t1480 execution",
            "expiration",
            "url https",
            "no expiration",
            "iocs",
            "ipv4",
            "text drag",
            "drop or",
            "browse to",
            "select file",
            "redacted for",
            "server",
            "privacy tech",
            "privacy admin",
            "postal code",
            "stateprovince",
            "organization",
            "email",
            "code",
            "quantum rooms",
            "sam somalia",
            "emp",
            "porn",
            "media defense",
            "gov porn",
            "suck my nips",
            "reimer suspect",
            "jeffrey reimer",
            "dod",
            "department of defense",
            "show",
            "date checked",
            "url hostname",
            "server response",
            "google safe",
            "results may",
            "entries http",
            "scans record",
            "value status",
            "sabey type",
            "merits fake",
            "y.a.s.",
            "pornography",
            "ramsom"
          ],
          "references": [
            "https://www.meritshealth.com/ Defense.Gov Mobility Co?  <https://iamwithrobert.com/>",
            "zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
            "https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
            "https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
            "https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
            "https://pornokind.vgt.pl \u2022  https://cdn2.video.itsyourporn.com",
            "https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
            "https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
            "https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
            "https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
            "https://www2.itsyourporn.com/license.php \u2022  https://www.lovephoto.tw/members",
            "https://members.engine.com/login \u2022  https://members.engine.com/payment-details/220210",
            "https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
            "https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
            "https://maisexo-com.putaria.info/casting \u2022  https://contosadultos-club.sexogratis.page/tudo",
            "https://meumundogay-com.sexogratis.page/locker",
            "https://es.pornhat.com/models/the-sex-creator/",
            "Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
            "Can the DoD no questions asked target a SA victim",
            "Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
            "There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
            "socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
            "There is fear in silence or speaking out",
            "Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
            "3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
            "If someone is believed to be a threat they have right to due process.",
            "Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
            "She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
            "Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
            "Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
            "ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
            "iamrobert.com Y.A.S.",
            "1.2016 M.Brian Sabey filed a complaint about?  Jeffrey Reimer refused Lie detector test and False memory exam",
            "Target agreed and complied with all lie detector measures.",
            "Is the family allowed to have a funeral for Tsara or print an obituary",
            "No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
            "I am very upset. Whoever is doing this is sick."
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "APNIC",
              "display_name": "APNIC",
              "target": null
            },
            {
              "id": "Malware",
              "display_name": "Malware",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "TA0042",
              "name": "Resource Development",
              "display_name": "TA0042 - Resource Development"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1528",
              "name": "Steal Application Access Token",
              "display_name": "T1528 - Steal Application Access Token"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1591",
              "name": "Gather Victim Org Information",
              "display_name": "T1591 - Gather Victim Org Information"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1562.004",
              "name": "Disable or Modify System Firewall",
              "display_name": "T1562.004 - Disable or Modify System Firewall"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1562.008",
              "name": "Disable Cloud Logs",
              "display_name": "T1562.008 - Disable Cloud Logs"
            },
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1056.003",
              "name": "Web Portal Capture",
              "display_name": "T1056.003 - Web Portal Capture"
            },
            {
              "id": "T1512",
              "name": "Capture Camera",
              "display_name": "T1512 - Capture Camera"
            },
            {
              "id": "T1180",
              "name": "Screensaver",
              "display_name": "T1180 - Screensaver"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1328,
            "URL": 9931,
            "hostname": 2621,
            "FileHash-MD5": 381,
            "FileHash-SHA256": 4360,
            "FileHash-SHA1": 338,
            "CIDR": 4,
            "SSLCertFingerprint": 24,
            "CVE": 1,
            "email": 1
          },
          "indicator_count": 18989,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "103 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "692cb6dc24da17618e3d9da6",
          "name": "Mirai Botnet | HackTool Powershell targets LinkedIn User | 192.168.1.1 \u2022  Remote Inbound Outbound Connection",
          "description": "Linux Malware - LinkedIn- True  Mirai Botnet  (192.168.1.1) (Never Connect) Incredibly powerful attack targeting LinkedIn users. In this instance the target is an ex husband of a target. |\nNDO Group relationships seen. This is a Botnet. \n\nMay be \u2018framing\u2019 attack that was launched in 2014. Attackers sent a clear message to target that she + husband would be arrested and charged with possession of 1000\u2019s of \u2018child pornography\u2019  pictures. \n\nAttack 10/10 malicious. Worked from separate system in separate location. Hackers unlocked a device,  zero clicks, removed PSW. Tulach malware seen a profile \u2018Michael Robert\u2019s of Rexxfield\u2019 may be  entity (NSA) with a face like Tulach. Uses the most WILD compromises. Government contractors? \n\nSame attackers  brought down Prudentials \u2018Assurance\u2019 Medicare system forever.\n  ESET hackers only allowing \u2018bad traffic\u2019 .",
          "modified": "2025-12-30T19:04:40.430000",
          "created": "2025-11-30T21:27:56.239000",
          "tags": [
            "enter",
            "extract",
            "enter source",
            "urls",
            "address",
            "remote connect",
            "private ip",
            "sql",
            "inject",
            "montserrat",
            "script urls",
            "germany unknown",
            "xml title",
            "wiesinger",
            "style",
            "ip address",
            "script domains",
            "body doctype",
            "encrypt",
            "botnet",
            "dropper",
            "unix",
            "resolverror",
            "et exploit",
            "outbound",
            "mirai variant",
            "useragent",
            "inbound",
            "et trojan",
            "et webserver",
            "scan mirai",
            "hello",
            "execution",
            "mirai",
            "malware",
            "shell",
            "nids",
            "ids detections",
            "wget command",
            "http headers",
            "dlink devices",
            "home network",
            "mvpower dvr",
            "shell uce",
            "mirai elf",
            "linux malware",
            "is__elf",
            "cnc",
            "meta http",
            "content",
            "gmt server",
            "files",
            "reverse dns",
            "germany",
            "ismaning",
            "germany asn",
            "as5539 spacenet",
            "germany https",
            "auto generated security (?)",
            "redacted for",
            "name servers",
            "aaaa",
            "search",
            "for privacy",
            "title",
            "intel",
            "ms windows",
            "pe32",
            "process32nextw",
            "write c",
            "mssql port",
            "hash",
            "beapy",
            "bit32bit",
            "agent",
            "write",
            "hacktool",
            "win32",
            "next",
            "suspicious user",
            "pybeapy cnc",
            "checkin",
            "w32beapy cnc",
            "beacon",
            "module load",
            "external ip",
            "lookup",
            "home assistant",
            "intptr",
            "uint32",
            "type",
            "parameter",
            "oldprotectflag",
            "mandatory",
            "throw",
            "position",
            "lkshkdandl",
            "success",
            "info",
            "powershell",
            "null",
            "error",
            "date hash",
            "next yara",
            "detections name",
            "medium",
            "graph tree",
            "sample",
            "sample hash",
            "exec bypass",
            "c ipconfig",
            "world",
            "jaws webserver",
            "chmod usage",
            "strings",
            "extraction",
            "data upload",
            "extre",
            "include data",
            "hos hos",
            "y se",
            "sugges",
            "find s",
            "typ hos",
            "hos data",
            "hos hostname",
            "hos host",
            "extr data",
            "tethering",
            "tulach",
            "114.114.114.114",
            "passive dns",
            "pulse pulses",
            "http",
            "related nids",
            "files location",
            "united",
            "flag united",
            "files domain",
            "next associated",
            "ipv4 add",
            "delphi",
            "read c",
            "packing t1045",
            "t1045",
            "worm",
            "code",
            "june",
            "irc nick command",
            "irc",
            "meta",
            "status",
            "record value",
            "unknown aaaa",
            "expiration",
            "url http",
            "indicator role",
            "pulses url",
            "no expiration",
            "url https",
            "url url",
            "o url",
            "request review",
            "hosting",
            "unknown",
            "medium security",
            "extra data",
            "failed",
            "linkedin",
            "url add",
            "ireland flag",
            "ireland",
            "dublin",
            "ireland asn",
            "as16509",
            "spyware",
            "nso",
            "nso group",
            "pegasus related",
            "nso related",
            "framing",
            "porn",
            "python",
            "flag",
            "windir",
            "openurl c",
            "prefetch2",
            "analysis",
            "tor analysis",
            "dns requests",
            "domain address",
            "contacted hosts",
            "apple",
            "192.168.1.1",
            "law",
            "attorney"
          ],
          "references": [
            "192.168.1.1  - WOW! Use your old equipment in a non - residential environment",
            "http://xn.com/ \u2022 www.xn--linkedinxn-6u6e.com \u2022 http://www.linkedin-xn.com/ \u2022 www.linkedin-xn.com",
            "Powerful Exploit: https://otx.alienvault.com/indicator/file/ba32802bdd1f0b91cf8c667b94426d73ee654ba0",
            "Mirai Botnet - *Inbound & Outbound connection",
            "IDS Detections:  *WGET Command Specifying Output in HTTP Headers",
            "IDS Detections:  *D-Link Devices Home Network Administration Protocol Command Execution",
            "IDS Detections: *JAWS Webserver Unauthenticated Shell Command Execution",
            "IDS Detections: *MVPower DVR Shell UCE *Mirai Variant User-Agent (Outbound)",
            "Yara :  Yara Detections : SUSP_XORed_Mozilla ,  Linux_MiningSoftware ,  is__elf",
            "Alerts :  dead_host nids_exploit_alert nids_malware_alert persistency_initd network_icmp",
            "Alerts : tcp_syn_scan nolookup_communication network_cnc_http network_http",
            "Alerts :  network_http_post nids_alert chmod_syscall writes_to_stdout",
            "Other Mitre ATT&CK T1480 T1553.00  T1027.013  T1057  T1069.002 T1071\tT1071.004",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "https://www.pornhub.com/video/search?search=tsara+brashears",
            "http://www.anyxxxtube.net/search-porn/tsara-brashears",
            "http://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "pornokind.vgt.pl \u2022 https://pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl/",
            "pornlynx.com \u2022 www.pornhub.com \u2022 www.anyxxxtube.com",
            "https://frostty12ice.info/ \u2022 https://lawhubh.info",
            "Needs researching: http://lib.jerusalem.muni.il.il \u2022 https://lib.jerusalem.muni.il.il"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Unix.Dropper.Botnet-6566040-0",
              "display_name": "Unix.Dropper.Botnet-6566040-0",
              "target": null
            },
            {
              "id": "NIDS",
              "display_name": "NIDS",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Montserrat",
              "display_name": "Montserrat",
              "target": null
            },
            {
              "id": "Beapy",
              "display_name": "Beapy",
              "target": null
            },
            {
              "id": "HackTool:Win32/PowerSploit!rfn",
              "display_name": "HackTool:Win32/PowerSploit!rfn",
              "target": "/malware/HackTool:Win32/PowerSploit!rfn"
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            },
            {
              "id": "Worm:Win32/Mydoom.PB!MTB",
              "display_name": "Worm:Win32/Mydoom.PB!MTB",
              "target": "/malware/Worm:Win32/Mydoom.PB!MTB"
            }
          ],
          "attack_ids": [
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1584.005",
              "name": "Botnet",
              "display_name": "T1584.005 - Botnet"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "TA0036",
              "name": "Exfiltration",
              "display_name": "TA0036 - Exfiltration"
            },
            {
              "id": "TA0039",
              "name": "Remote Service Effects",
              "display_name": "TA0039 - Remote Service Effects"
            },
            {
              "id": "TA0037",
              "name": "Command and Control",
              "display_name": "TA0037 - Command and Control"
            },
            {
              "id": "TA0040",
              "name": "Impact",
              "display_name": "TA0040 - Impact"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1016.001",
              "name": "Internet Connection Discovery",
              "display_name": "T1016.001 - Internet Connection Discovery"
            },
            {
              "id": "T1583.004",
              "name": "Server",
              "display_name": "T1583.004 - Server"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1098",
              "name": "Account Manipulation",
              "display_name": "T1098 - Account Manipulation"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553.001",
              "name": "Gatekeeper Bypass",
              "display_name": "T1553.001 - Gatekeeper Bypass"
            },
            {
              "id": "T1027.005",
              "name": "Indicator Removal from Tools",
              "display_name": "T1027.005 - Indicator Removal from Tools"
            },
            {
              "id": "T1027.002",
              "name": "Software Packing",
              "display_name": "T1027.002 - Software Packing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1585.001",
              "name": "Social Media Accounts",
              "display_name": "T1585.001 - Social Media Accounts"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1609",
              "name": "Container Administration Command",
              "display_name": "T1609 - Container Administration Command"
            },
            {
              "id": "T1147",
              "name": "Hidden Users",
              "display_name": "T1147 - Hidden Users"
            },
            {
              "id": "T1059.006",
              "name": "Python",
              "display_name": "T1059.006 - Python"
            }
          ],
          "industries": [
            "Government",
            "Legal",
            "Healthcare",
            "Insurance",
            "Civil Society"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4147,
            "domain": 871,
            "hostname": 2194,
            "FileHash-MD5": 279,
            "FileHash-SHA1": 257,
            "FileHash-SHA256": 2183,
            "CVE": 6,
            "email": 3,
            "SSLCertFingerprint": 1
          },
          "indicator_count": 9941,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "110 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66015551faca20cb510f9121",
          "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ",
          "description": "",
          "modified": "2024-04-23T11:04:58.191000",
          "created": "2024-03-25T10:43:29.149000",
          "tags": [
            "referrer",
            "communicating",
            "contacted",
            "siblings domain",
            "parent domain",
            "subdomains",
            "execution",
            "bundled",
            "threat",
            "paste",
            "iocs",
            "e4609l",
            "urls http",
            "blacklist http",
            "cisco umbrella",
            "heur",
            "site",
            "html",
            "million",
            "team",
            "alexa top",
            "script",
            "malicious url",
            "outbreak",
            "downer",
            "shell",
            "mediamagnet",
            "swrort",
            "unruy",
            "iobit",
            "dropper",
            "trojanx",
            "installcore",
            "riskware",
            "unsafe",
            "webshell",
            "exploit",
            "crack",
            "malware",
            "phishing",
            "union",
            "bank",
            "generic malware",
            "ip summary",
            "url summary",
            "summary",
            "detection list",
            "blacklist",
            "site top",
            "malware site",
            "site safe",
            "deepscan",
            "genpack",
            "zbot",
            "united",
            "proxy",
            "firehol mail",
            "spammer",
            "anonymizer",
            "team proxy",
            "firehol",
            "noname057",
            "alexa safe",
            "maltiverse safe",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "veryhigh",
            "orgabusehandle",
            "route",
            "appli22",
            "address",
            "orgtechhandle",
            "appliedi abuse",
            "orgnochandle",
            "peter heather",
            "appliedi",
            "general info",
            "geo united",
            "as14519",
            "us note",
            "registrar arin",
            "ptr record",
            "command decode",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "traffic et",
            "policy windows",
            "update p2p",
            "activity",
            "date",
            "hybrid",
            "general",
            "click",
            "strings",
            "contact",
            "contacted urls",
            "cert valid",
            "malicious",
            "phone",
            "text",
            "microsoft",
            "uk telco",
            "js tel",
            "metro",
            "redacted for",
            "record value",
            "emails abuse",
            "name redacted",
            "for privacy",
            "name servers",
            "privacy address",
            "privacy city",
            "privacy country",
            "resolutions",
            "a domains",
            "canada unknown",
            "div div",
            "format a",
            "a ul",
            "models a",
            "gmt path",
            "search",
            "unknown",
            "passive dns",
            "title",
            "all scoreblue",
            "ipv4",
            "url analysis",
            "body",
            "next",
            "port",
            "destination",
            "forbidden",
            "high",
            "tcp syn",
            "telnet root",
            "suspicious path",
            "busybox",
            "bad login",
            "telnet login",
            "copy",
            "mirai",
            "domain",
            "hostname",
            "script script",
            "link",
            "app themesskin",
            "status",
            "content type",
            "lakeside tool",
            "meta",
            "find",
            "tools",
            "cookie",
            "front",
            "li ul",
            "mower shop",
            "creation date",
            "showing",
            "pragma",
            "this",
            "span",
            "open ports",
            "body doctype",
            "privacy admin",
            "privacy tech",
            "server",
            "country",
            "organization",
            "postal code",
            "stateprovince",
            "code",
            "script urls",
            "aaaa",
            "as8068",
            "cname",
            "as20446",
            "encrypt",
            "falcon",
            "name verdict",
            "abuse",
            "as55081",
            "dnssec",
            "dynamicloader",
            "alerts",
            "pulses",
            "java",
            "windows",
            "guard",
            "medium",
            "dynamic",
            "servers",
            "certificate",
            "as54113",
            "trojan",
            "neue",
            "trojanspy",
            "alexa",
            "team google",
            "maltiverse top",
            "ccleaner",
            "xrat",
            "downldr",
            "tsara brashears",
            "entries",
            "transactional"
          ],
          "references": [
            "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US",
            "HOSTEDBYAPPLIEDI.NET - Enom",
            "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States",
            "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
            "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
            "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
            "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
            "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e",
            "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664",
            "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7",
            "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
            "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c",
            "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598",
            "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below",
            "Yara Detections: is__elf ,  ELFHighEntropy ,  elf_empty_sections",
            "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed",
            "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
            "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)",
            "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e",
            "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida",
            "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
            "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |",
            "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
            "nr-data.net [Apple Private Data Collection]",
            "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a",
            "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT",
            "smartertrack.appliedi.net, http://analytics.com/track?id=55",
            "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf",
            "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "ELF:Mirai-GH\\ [Trj]",
              "display_name": "ELF:Mirai-GH\\ [Trj]",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Unix.Trojan.DarkNexus-7679166-0",
              "display_name": "Unix.Trojan.DarkNexus-7679166-0",
              "target": null
            },
            {
              "id": "Ransom",
              "display_name": "Ransom",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1504",
              "name": "PowerShell Profile",
              "display_name": "T1504 - PowerShell Profile"
            },
            {
              "id": "T1503",
              "name": "Credentials from Web Browsers",
              "display_name": "T1503 - Credentials from Web Browsers"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "660021cdfd20f6237e3892c0",
          "export_count": 37,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2979,
            "FileHash-SHA1": 406,
            "FileHash-SHA256": 2293,
            "URL": 1804,
            "domain": 814,
            "hostname": 1025,
            "email": 9,
            "CVE": 12,
            "CIDR": 2
          },
          "indicator_count": 9344,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 219,
          "modified_text": "727 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6603369ad0e38e313883c4fa",
          "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root HELP! RETALIATION HAS OCCURRED ",
          "description": "",
          "modified": "2024-04-23T11:04:58.191000",
          "created": "2024-03-26T20:56:58.037000",
          "tags": [
            "referrer",
            "communicating",
            "contacted",
            "siblings domain",
            "parent domain",
            "subdomains",
            "execution",
            "bundled",
            "threat",
            "paste",
            "iocs",
            "e4609l",
            "urls http",
            "blacklist http",
            "cisco umbrella",
            "heur",
            "site",
            "html",
            "million",
            "team",
            "alexa top",
            "script",
            "malicious url",
            "outbreak",
            "downer",
            "shell",
            "mediamagnet",
            "swrort",
            "unruy",
            "iobit",
            "dropper",
            "trojanx",
            "installcore",
            "riskware",
            "unsafe",
            "webshell",
            "exploit",
            "crack",
            "malware",
            "phishing",
            "union",
            "bank",
            "generic malware",
            "ip summary",
            "url summary",
            "summary",
            "detection list",
            "blacklist",
            "site top",
            "malware site",
            "site safe",
            "deepscan",
            "genpack",
            "zbot",
            "united",
            "proxy",
            "firehol mail",
            "spammer",
            "anonymizer",
            "team proxy",
            "firehol",
            "noname057",
            "alexa safe",
            "maltiverse safe",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "veryhigh",
            "orgabusehandle",
            "route",
            "appli22",
            "address",
            "orgtechhandle",
            "appliedi abuse",
            "orgnochandle",
            "peter heather",
            "appliedi",
            "general info",
            "geo united",
            "as14519",
            "us note",
            "registrar arin",
            "ptr record",
            "command decode",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "traffic et",
            "policy windows",
            "update p2p",
            "activity",
            "date",
            "hybrid",
            "general",
            "click",
            "strings",
            "contact",
            "contacted urls",
            "cert valid",
            "malicious",
            "phone",
            "text",
            "microsoft",
            "uk telco",
            "js tel",
            "metro",
            "redacted for",
            "record value",
            "emails abuse",
            "name redacted",
            "for privacy",
            "name servers",
            "privacy address",
            "privacy city",
            "privacy country",
            "resolutions",
            "a domains",
            "canada unknown",
            "div div",
            "format a",
            "a ul",
            "models a",
            "gmt path",
            "search",
            "unknown",
            "passive dns",
            "title",
            "all scoreblue",
            "ipv4",
            "url analysis",
            "body",
            "next",
            "port",
            "destination",
            "forbidden",
            "high",
            "tcp syn",
            "telnet root",
            "suspicious path",
            "busybox",
            "bad login",
            "telnet login",
            "copy",
            "mirai",
            "domain",
            "hostname",
            "script script",
            "link",
            "app themesskin",
            "status",
            "content type",
            "lakeside tool",
            "meta",
            "find",
            "tools",
            "cookie",
            "front",
            "li ul",
            "mower shop",
            "creation date",
            "showing",
            "pragma",
            "this",
            "span",
            "open ports",
            "body doctype",
            "privacy admin",
            "privacy tech",
            "server",
            "country",
            "organization",
            "postal code",
            "stateprovince",
            "code",
            "script urls",
            "aaaa",
            "as8068",
            "cname",
            "as20446",
            "encrypt",
            "falcon",
            "name verdict",
            "abuse",
            "as55081",
            "dnssec",
            "dynamicloader",
            "alerts",
            "pulses",
            "java",
            "windows",
            "guard",
            "medium",
            "dynamic",
            "servers",
            "certificate",
            "as54113",
            "trojan",
            "neue",
            "trojanspy",
            "alexa",
            "team google",
            "maltiverse top",
            "ccleaner",
            "xrat",
            "downldr",
            "tsara brashears",
            "entries",
            "transactional"
          ],
          "references": [
            "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US",
            "HOSTEDBYAPPLIEDI.NET - Enom",
            "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States",
            "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
            "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
            "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
            "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
            "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e",
            "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664",
            "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7",
            "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
            "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c",
            "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598",
            "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below",
            "Yara Detections: is__elf ,  ELFHighEntropy ,  elf_empty_sections",
            "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed",
            "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
            "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)",
            "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e",
            "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida",
            "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
            "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |",
            "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
            "nr-data.net [Apple Private Data Collection]",
            "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a",
            "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT",
            "smartertrack.appliedi.net, http://analytics.com/track?id=55",
            "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf",
            "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "ELF:Mirai-GH\\ [Trj]",
              "display_name": "ELF:Mirai-GH\\ [Trj]",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Unix.Trojan.DarkNexus-7679166-0",
              "display_name": "Unix.Trojan.DarkNexus-7679166-0",
              "target": null
            },
            {
              "id": "Ransom",
              "display_name": "Ransom",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1504",
              "name": "PowerShell Profile",
              "display_name": "T1504 - PowerShell Profile"
            },
            {
              "id": "T1503",
              "name": "Credentials from Web Browsers",
              "display_name": "T1503 - Credentials from Web Browsers"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "660021cdfd20f6237e3892c0",
          "export_count": 4468,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2979,
            "FileHash-SHA1": 406,
            "FileHash-SHA256": 2293,
            "URL": 1804,
            "domain": 814,
            "hostname": 1025,
            "email": 9,
            "CVE": 12,
            "CIDR": 2
          },
          "indicator_count": 9344,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 225,
          "modified_text": "727 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6603360b48908ae9b9835563",
          "name": "IoT Dark Nexus + Mirai BotNet HELP HER PLEASE!!- Enom | TELNET Root |",
          "description": "",
          "modified": "2024-04-23T11:04:58.191000",
          "created": "2024-03-26T20:54:35.118000",
          "tags": [
            "referrer",
            "communicating",
            "contacted",
            "siblings domain",
            "parent domain",
            "subdomains",
            "execution",
            "bundled",
            "threat",
            "paste",
            "iocs",
            "e4609l",
            "urls http",
            "blacklist http",
            "cisco umbrella",
            "heur",
            "site",
            "html",
            "million",
            "team",
            "alexa top",
            "script",
            "malicious url",
            "outbreak",
            "downer",
            "shell",
            "mediamagnet",
            "swrort",
            "unruy",
            "iobit",
            "dropper",
            "trojanx",
            "installcore",
            "riskware",
            "unsafe",
            "webshell",
            "exploit",
            "crack",
            "malware",
            "phishing",
            "union",
            "bank",
            "generic malware",
            "ip summary",
            "url summary",
            "summary",
            "detection list",
            "blacklist",
            "site top",
            "malware site",
            "site safe",
            "deepscan",
            "genpack",
            "zbot",
            "united",
            "proxy",
            "firehol mail",
            "spammer",
            "anonymizer",
            "team proxy",
            "firehol",
            "noname057",
            "alexa safe",
            "maltiverse safe",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "veryhigh",
            "orgabusehandle",
            "route",
            "appli22",
            "address",
            "orgtechhandle",
            "appliedi abuse",
            "orgnochandle",
            "peter heather",
            "appliedi",
            "general info",
            "geo united",
            "as14519",
            "us note",
            "registrar arin",
            "ptr record",
            "command decode",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "traffic et",
            "policy windows",
            "update p2p",
            "activity",
            "date",
            "hybrid",
            "general",
            "click",
            "strings",
            "contact",
            "contacted urls",
            "cert valid",
            "malicious",
            "phone",
            "text",
            "microsoft",
            "uk telco",
            "js tel",
            "metro",
            "redacted for",
            "record value",
            "emails abuse",
            "name redacted",
            "for privacy",
            "name servers",
            "privacy address",
            "privacy city",
            "privacy country",
            "resolutions",
            "a domains",
            "canada unknown",
            "div div",
            "format a",
            "a ul",
            "models a",
            "gmt path",
            "search",
            "unknown",
            "passive dns",
            "title",
            "all scoreblue",
            "ipv4",
            "url analysis",
            "body",
            "next",
            "port",
            "destination",
            "forbidden",
            "high",
            "tcp syn",
            "telnet root",
            "suspicious path",
            "busybox",
            "bad login",
            "telnet login",
            "copy",
            "mirai",
            "domain",
            "hostname",
            "script script",
            "link",
            "app themesskin",
            "status",
            "content type",
            "lakeside tool",
            "meta",
            "find",
            "tools",
            "cookie",
            "front",
            "li ul",
            "mower shop",
            "creation date",
            "showing",
            "pragma",
            "this",
            "span",
            "open ports",
            "body doctype",
            "privacy admin",
            "privacy tech",
            "server",
            "country",
            "organization",
            "postal code",
            "stateprovince",
            "code",
            "script urls",
            "aaaa",
            "as8068",
            "cname",
            "as20446",
            "encrypt",
            "falcon",
            "name verdict",
            "abuse",
            "as55081",
            "dnssec",
            "dynamicloader",
            "alerts",
            "pulses",
            "java",
            "windows",
            "guard",
            "medium",
            "dynamic",
            "servers",
            "certificate",
            "as54113",
            "trojan",
            "neue",
            "trojanspy",
            "alexa",
            "team google",
            "maltiverse top",
            "ccleaner",
            "xrat",
            "downldr",
            "tsara brashears",
            "entries",
            "transactional"
          ],
          "references": [
            "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US",
            "HOSTEDBYAPPLIEDI.NET - Enom",
            "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States",
            "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
            "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
            "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
            "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
            "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e",
            "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664",
            "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7",
            "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
            "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c",
            "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598",
            "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below",
            "Yara Detections: is__elf ,  ELFHighEntropy ,  elf_empty_sections",
            "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed",
            "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
            "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)",
            "Dropped Files: #266028 (deleted) empty MD5 d41d8cd98f00b204e9800998ecf8427e",
            "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida",
            "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
            "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |",
            "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
            "nr-data.net [Apple Private Data Collection]",
            "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a",
            "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT",
            "smartertrack.appliedi.net, http://analytics.com/track?id=55",
            "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf",
            "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "ELF:Mirai-GH\\ [Trj]",
              "display_name": "ELF:Mirai-GH\\ [Trj]",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Unix.Trojan.DarkNexus-7679166-0",
              "display_name": "Unix.Trojan.DarkNexus-7679166-0",
              "target": null
            },
            {
              "id": "Ransom",
              "display_name": "Ransom",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1504",
              "name": "PowerShell Profile",
              "display_name": "T1504 - PowerShell Profile"
            },
            {
              "id": "T1503",
              "name": "Credentials from Web Browsers",
              "display_name": "T1503 - Credentials from Web Browsers"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "660021cdfd20f6237e3892c0",
          "export_count": 38,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2979,
            "FileHash-SHA1": 406,
            "FileHash-SHA256": 2293,
            "URL": 1804,
            "domain": 814,
            "hostname": 1025,
            "email": 9,
            "CVE": 12,
            "CIDR": 2
          },
          "indicator_count": 9344,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 219,
          "modified_text": "727 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66015553ad4633eb85c66817",
          "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ",
          "description": "",
          "modified": "2024-04-23T11:04:58.191000",
          "created": "2024-03-25T10:43:31.072000",
          "tags": [
            "referrer",
            "communicating",
            "contacted",
            "siblings domain",
            "parent domain",
            "subdomains",
            "execution",
            "bundled",
            "threat",
            "paste",
            "iocs",
            "e4609l",
            "urls http",
            "blacklist http",
            "cisco umbrella",
            "heur",
            "site",
            "html",
            "million",
            "team",
            "alexa top",
            "script",
            "malicious url",
            "outbreak",
            "downer",
            "shell",
            "mediamagnet",
            "swrort",
            "unruy",
            "iobit",
            "dropper",
            "trojanx",
            "installcore",
            "riskware",
            "unsafe",
            "webshell",
            "exploit",
            "crack",
            "malware",
            "phishing",
            "union",
            "bank",
            "generic malware",
            "ip summary",
            "url summary",
            "summary",
            "detection list",
            "blacklist",
            "site top",
            "malware site",
            "site safe",
            "deepscan",
            "genpack",
            "zbot",
            "united",
            "proxy",
            "firehol mail",
            "spammer",
            "anonymizer",
            "team proxy",
            "firehol",
            "noname057",
            "alexa safe",
            "maltiverse safe",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "veryhigh",
            "orgabusehandle",
            "route",
            "appli22",
            "address",
            "orgtechhandle",
            "appliedi abuse",
            "orgnochandle",
            "peter heather",
            "appliedi",
            "general info",
            "geo united",
            "as14519",
            "us note",
            "registrar arin",
            "ptr record",
            "command decode",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "traffic et",
            "policy windows",
            "update p2p",
            "activity",
            "date",
            "hybrid",
            "general",
            "click",
            "strings",
            "contact",
            "contacted urls",
            "cert valid",
            "malicious",
            "phone",
            "text",
            "microsoft",
            "uk telco",
            "js tel",
            "metro",
            "redacted for",
            "record value",
            "emails abuse",
            "name redacted",
            "for privacy",
            "name servers",
            "privacy address",
            "privacy city",
            "privacy country",
            "resolutions",
            "a domains",
            "canada unknown",
            "div div",
            "format a",
            "a ul",
            "models a",
            "gmt path",
            "search",
            "unknown",
            "passive dns",
            "title",
            "all scoreblue",
            "ipv4",
            "url analysis",
            "body",
            "next",
            "port",
            "destination",
            "forbidden",
            "high",
            "tcp syn",
            "telnet root",
            "suspicious path",
            "busybox",
            "bad login",
            "telnet login",
            "copy",
            "mirai",
            "domain",
            "hostname",
            "script script",
            "link",
            "app themesskin",
            "status",
            "content type",
            "lakeside tool",
            "meta",
            "find",
            "tools",
            "cookie",
            "front",
            "li ul",
            "mower shop",
            "creation date",
            "showing",
            "pragma",
            "this",
            "span",
            "open ports",
            "body doctype",
            "privacy admin",
            "privacy tech",
            "server",
            "country",
            "organization",
            "postal code",
            "stateprovince",
            "code",
            "script urls",
            "aaaa",
            "as8068",
            "cname",
            "as20446",
            "encrypt",
            "falcon",
            "name verdict",
            "abuse",
            "as55081",
            "dnssec",
            "dynamicloader",
            "alerts",
            "pulses",
            "java",
            "windows",
            "guard",
            "medium",
            "dynamic",
            "servers",
            "certificate",
            "as54113",
            "trojan",
            "neue",
            "trojanspy",
            "alexa",
            "team google",
            "maltiverse top",
            "ccleaner",
            "xrat",
            "downldr",
            "tsara brashears",
            "entries",
            "transactional"
          ],
          "references": [
            "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US",
            "HOSTEDBYAPPLIEDI.NET - Enom",
            "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States",
            "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
            "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
            "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
            "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
            "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e",
            "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664",
            "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7",
            "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
            "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c",
            "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598",
            "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below",
            "Yara Detections: is__elf ,  ELFHighEntropy ,  elf_empty_sections",
            "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed",
            "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
            "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)",
            "Dropped Files: #266028 (deleted) empty MD5 d41d8cd98f00b204e9800998ecf8427e",
            "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida",
            "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
            "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |",
            "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
            "nr-data.net [Apple Private Data Collection]",
            "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a",
            "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT",
            "smartertrack.appliedi.net, http://analytics.com/track?id=55",
            "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf",
            "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "ELF:Mirai-GH\\ [Trj]",
              "display_name": "ELF:Mirai-GH\\ [Trj]",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Unix.Trojan.DarkNexus-7679166-0",
              "display_name": "Unix.Trojan.DarkNexus-7679166-0",
              "target": null
            },
            {
              "id": "Ransom",
              "display_name": "Ransom",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1504",
              "name": "PowerShell Profile",
              "display_name": "T1504 - PowerShell Profile"
            },
            {
              "id": "T1503",
              "name": "Credentials from Web Browsers",
              "display_name": "T1503 - Credentials from Web Browsers"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "660021cdfd20f6237e3892c0",
          "export_count": 40,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2979,
            "FileHash-SHA1": 406,
            "FileHash-SHA256": 2293,
            "URL": 1804,
            "domain": 814,
            "hostname": 1025,
            "email": 9,
            "CVE": 12,
            "CIDR": 2
          },
          "indicator_count": 9344,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 221,
          "modified_text": "727 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "660021cdfd20f6237e3892c0",
          "name": "IoT Dark Nexus + Mirai BotNet  - Enom | TELNET Root | Modified Browser and Services",
          "description": "Found in the web app of a target's device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along with other devices making commands and requests via app.",
          "modified": "2024-04-23T11:04:58.191000",
          "created": "2024-03-24T12:51:25.910000",
          "tags": [
            "referrer",
            "communicating",
            "contacted",
            "siblings domain",
            "parent domain",
            "subdomains",
            "execution",
            "bundled",
            "threat",
            "paste",
            "iocs",
            "e4609l",
            "urls http",
            "blacklist http",
            "cisco umbrella",
            "heur",
            "site",
            "html",
            "million",
            "team",
            "alexa top",
            "script",
            "malicious url",
            "outbreak",
            "downer",
            "shell",
            "mediamagnet",
            "swrort",
            "unruy",
            "iobit",
            "dropper",
            "trojanx",
            "installcore",
            "riskware",
            "unsafe",
            "webshell",
            "exploit",
            "crack",
            "malware",
            "phishing",
            "union",
            "bank",
            "generic malware",
            "ip summary",
            "url summary",
            "summary",
            "detection list",
            "blacklist",
            "site top",
            "malware site",
            "site safe",
            "deepscan",
            "genpack",
            "zbot",
            "united",
            "proxy",
            "firehol mail",
            "spammer",
            "anonymizer",
            "team proxy",
            "firehol",
            "noname057",
            "alexa safe",
            "maltiverse safe",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "veryhigh",
            "orgabusehandle",
            "route",
            "appli22",
            "address",
            "orgtechhandle",
            "appliedi abuse",
            "orgnochandle",
            "peter heather",
            "appliedi",
            "general info",
            "geo united",
            "as14519",
            "us note",
            "registrar arin",
            "ptr record",
            "command decode",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "traffic et",
            "policy windows",
            "update p2p",
            "activity",
            "date",
            "hybrid",
            "general",
            "click",
            "strings",
            "contact",
            "contacted urls",
            "cert valid",
            "malicious",
            "phone",
            "text",
            "microsoft",
            "uk telco",
            "js tel",
            "metro",
            "redacted for",
            "record value",
            "emails abuse",
            "name redacted",
            "for privacy",
            "name servers",
            "privacy address",
            "privacy city",
            "privacy country",
            "resolutions",
            "a domains",
            "canada unknown",
            "div div",
            "format a",
            "a ul",
            "models a",
            "gmt path",
            "search",
            "unknown",
            "passive dns",
            "title",
            "all scoreblue",
            "ipv4",
            "url analysis",
            "body",
            "next",
            "port",
            "destination",
            "forbidden",
            "high",
            "tcp syn",
            "telnet root",
            "suspicious path",
            "busybox",
            "bad login",
            "telnet login",
            "copy",
            "mirai",
            "domain",
            "hostname",
            "script script",
            "link",
            "app themesskin",
            "status",
            "content type",
            "lakeside tool",
            "meta",
            "find",
            "tools",
            "cookie",
            "front",
            "li ul",
            "mower shop",
            "creation date",
            "showing",
            "pragma",
            "this",
            "span",
            "open ports",
            "body doctype",
            "privacy admin",
            "privacy tech",
            "server",
            "country",
            "organization",
            "postal code",
            "stateprovince",
            "code",
            "script urls",
            "aaaa",
            "as8068",
            "cname",
            "as20446",
            "encrypt",
            "falcon",
            "name verdict",
            "abuse",
            "as55081",
            "dnssec",
            "dynamicloader",
            "alerts",
            "pulses",
            "java",
            "windows",
            "guard",
            "medium",
            "dynamic",
            "servers",
            "certificate",
            "as54113",
            "trojan",
            "neue",
            "trojanspy",
            "alexa",
            "team google",
            "maltiverse top",
            "ccleaner",
            "xrat",
            "downldr",
            "tsara brashears",
            "entries",
            "transactional"
          ],
          "references": [
            "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US",
            "HOSTEDBYAPPLIEDI.NET - Enom",
            "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States",
            "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
            "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
            "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
            "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
            "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e",
            "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664",
            "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7",
            "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
            "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c",
            "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598",
            "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below",
            "Yara Detections: is__elf ,  ELFHighEntropy ,  elf_empty_sections",
            "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed",
            "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
            "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will usually remain up and running)",
            "Dropped Files: #266028 (deleted) empty MD5 d41d8cd98f00b204e9800998ecf8427e",
            "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida",
            "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
            "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |",
            "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
            "nr-data.net [Apple Private Data Collection]",
            "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a",
            "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT",
            "smartertrack.appliedi.net, http://analytics.com/track?id=55",
            "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf",
            "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "ELF:Mirai-GH\\ [Trj]",
              "display_name": "ELF:Mirai-GH\\ [Trj]",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Unix.Trojan.DarkNexus-7679166-0",
              "display_name": "Unix.Trojan.DarkNexus-7679166-0",
              "target": null
            },
            {
              "id": "Ransom",
              "display_name": "Ransom",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1504",
              "name": "PowerShell Profile",
              "display_name": "T1504 - PowerShell Profile"
            },
            {
              "id": "T1503",
              "name": "Credentials from Web Browsers",
              "display_name": "T1503 - Credentials from Web Browsers"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 41,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2979,
            "FileHash-SHA1": 406,
            "FileHash-SHA256": 2293,
            "URL": 1804,
            "domain": 814,
            "hostname": 1025,
            "email": 9,
            "CVE": 12,
            "CIDR": 2
          },
          "indicator_count": 9344,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 226,
          "modified_text": "727 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "660021cc958e062575a9a160",
          "name": "IoT Dark Nexus + Mirai BotNet  - Enom | TELNET Root | Modified Browser and Services",
          "description": "Found in the web app of a target's device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along with other devices making commands and requests via app.",
          "modified": "2024-04-23T11:04:58.191000",
          "created": "2024-03-24T12:51:24.154000",
          "tags": [
            "referrer",
            "communicating",
            "contacted",
            "siblings domain",
            "parent domain",
            "subdomains",
            "execution",
            "bundled",
            "threat",
            "paste",
            "iocs",
            "e4609l",
            "urls http",
            "blacklist http",
            "cisco umbrella",
            "heur",
            "site",
            "html",
            "million",
            "team",
            "alexa top",
            "script",
            "malicious url",
            "outbreak",
            "downer",
            "shell",
            "mediamagnet",
            "swrort",
            "unruy",
            "iobit",
            "dropper",
            "trojanx",
            "installcore",
            "riskware",
            "unsafe",
            "webshell",
            "exploit",
            "crack",
            "malware",
            "phishing",
            "union",
            "bank",
            "generic malware",
            "ip summary",
            "url summary",
            "summary",
            "detection list",
            "blacklist",
            "site top",
            "malware site",
            "site safe",
            "deepscan",
            "genpack",
            "zbot",
            "united",
            "proxy",
            "firehol mail",
            "spammer",
            "anonymizer",
            "team proxy",
            "firehol",
            "noname057",
            "alexa safe",
            "maltiverse safe",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "veryhigh",
            "orgabusehandle",
            "route",
            "appli22",
            "address",
            "orgtechhandle",
            "appliedi abuse",
            "orgnochandle",
            "peter heather",
            "appliedi",
            "general info",
            "geo united",
            "as14519",
            "us note",
            "registrar arin",
            "ptr record",
            "command decode",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "traffic et",
            "policy windows",
            "update p2p",
            "activity",
            "date",
            "hybrid",
            "general",
            "click",
            "strings",
            "contact",
            "contacted urls",
            "cert valid",
            "malicious",
            "phone",
            "text",
            "microsoft",
            "uk telco",
            "js tel",
            "metro",
            "redacted for",
            "record value",
            "emails abuse",
            "name redacted",
            "for privacy",
            "name servers",
            "privacy address",
            "privacy city",
            "privacy country",
            "resolutions",
            "a domains",
            "canada unknown",
            "div div",
            "format a",
            "a ul",
            "models a",
            "gmt path",
            "search",
            "unknown",
            "passive dns",
            "title",
            "all scoreblue",
            "ipv4",
            "url analysis",
            "body",
            "next",
            "port",
            "destination",
            "forbidden",
            "high",
            "tcp syn",
            "telnet root",
            "suspicious path",
            "busybox",
            "bad login",
            "telnet login",
            "copy",
            "mirai",
            "domain",
            "hostname",
            "script script",
            "link",
            "app themesskin",
            "status",
            "content type",
            "lakeside tool",
            "meta",
            "find",
            "tools",
            "cookie",
            "front",
            "li ul",
            "mower shop",
            "creation date",
            "showing",
            "pragma",
            "this",
            "span",
            "open ports",
            "body doctype",
            "privacy admin",
            "privacy tech",
            "server",
            "country",
            "organization",
            "postal code",
            "stateprovince",
            "code",
            "script urls",
            "aaaa",
            "as8068",
            "cname",
            "as20446",
            "encrypt",
            "falcon",
            "name verdict",
            "abuse",
            "as55081",
            "dnssec",
            "dynamicloader",
            "alerts",
            "pulses",
            "java",
            "windows",
            "guard",
            "medium",
            "dynamic",
            "servers",
            "certificate",
            "as54113",
            "trojan",
            "neue",
            "trojanspy",
            "alexa",
            "team google",
            "maltiverse top",
            "ccleaner",
            "xrat",
            "downldr",
            "tsara brashears",
            "entries",
            "transactional"
          ],
          "references": [
            "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US",
            "HOSTEDBYAPPLIEDI.NET - Enom",
            "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States",
            "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
            "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
            "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
            "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
            "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e",
            "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664",
            "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7",
            "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
            "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c",
            "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598 [truncated in source: 22 of 40 hex characters, not a complete SHA-1]",
            "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below",
            "Yara Detections: is__elf ,  ELFHighEntropy ,  elf_empty_sections",
            "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed",
            "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
            "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will usually remain up and running)",
            "Dropped Files: #266028 (deleted) empty MD5 d41d8cd98f00b204e9800998ecf8427e",
            "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida",
            "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
            "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |",
            "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
            "nr-data.net [Apple Private Data Collection]",
            "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a",
            "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT",
            "smartertrack.appliedi.net, http://analytics.com/track?id=55",
            "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf",
            "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "ELF:Mirai-GH\\ [Trj]",
              "display_name": "ELF:Mirai-GH\\ [Trj]",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Unix.Trojan.DarkNexus-7679166-0",
              "display_name": "Unix.Trojan.DarkNexus-7679166-0",
              "target": null
            },
            {
              "id": "Ransom",
              "display_name": "Ransom",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1504",
              "name": "PowerShell Profile",
              "display_name": "T1504 - PowerShell Profile"
            },
            {
              "id": "T1503",
              "name": "Credentials from Web Browsers",
              "display_name": "T1503 - Credentials from Web Browsers"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 35,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2979,
            "FileHash-SHA1": 406,
            "FileHash-SHA256": 2293,
            "URL": 1804,
            "domain": 814,
            "hostname": 1025,
            "email": 9,
            "CVE": 12,
            "CIDR": 2
          },
          "indicator_count": 9344,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 226,
          "modified_text": "727 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65c91f2b7c03b480379ae4d1",
          "name": "Pegasus - https://house.mo.gov/ | Brian Sabey HallRender",
          "description": "1st time researching https://house.mo.gov/ & house.mo.gov. False arrest records of a target originated from Missouri. A glitch delete pulses & references in bulk.\nPegasus is the should be illegal. Destroying evidence of a truth that would be believed if heard. Spying for dirt to discredit. Target heavily deterred by cyber warfare,  healthcare fraud, injuries, financial difficulties due to hacked away businesses, strange shadowy government abused, in person stalking, threats and physical attacks, denied disability with a spinal cord injury?\nhttps://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software",
          "modified": "2024-03-12T15:03:06.954000",
          "created": "2024-02-11T19:25:31.451000",
          "tags": [
            "united",
            "as393601 state",
            "a domains",
            "passive dns",
            "as397241",
            "certificate",
            "urls",
            "search",
            "showing",
            "entries",
            "algorithm",
            "full name",
            "data",
            "v3 serial",
            "number",
            "cus cndigicert",
            "global g2",
            "tls rsa",
            "sha256",
            "ca1 odigicert",
            "info",
            "record type",
            "ttl value",
            "all txt",
            "ssl certificate",
            "whois record",
            "contacted",
            "referrer",
            "resolutions",
            "historical ssl",
            "communicating",
            "problems",
            "parent domain",
            "njrat",
            "ransomware",
            "startpage",
            "historical",
            "malware",
            "execution",
            "threat roundup",
            "april",
            "september",
            "remcos rat",
            "august",
            "june",
            "qakbot",
            "push",
            "service",
            "privateloader",
            "amadey",
            "powershell",
            "qbot",
            "cobalt strike",
            "core",
            "hacktool",
            "november",
            "october",
            "roundup",
            "threat network",
            "cellbrite",
            "february",
            "emotet",
            "maze",
            "metro",
            "dark",
            "malicious",
            "team",
            "critical",
            "copy",
            "awful",
            "parallax rat",
            "banker",
            "keylogger",
            "dns replication",
            "date",
            "csc corporate",
            "domains",
            "code",
            "server",
            "registrar abuse",
            "registrar iana",
            "registry domain",
            "registrar url",
            "registrar",
            "contact phone",
            "apple ios",
            "quasar",
            "remcos",
            "ursnif",
            "chaos",
            "ransomexx",
            "azorult",
            "agent tesla",
            "evilnum",
            "asyncrat",
            "win32 exe",
            "wininit",
            "beta version",
            "cmstp",
            "taskscheduler",
            "ieudinit",
            "nat32",
            "certsentry",
            "type name",
            "wc3 rpg",
            "pegasus",
            "unknown",
            "domain",
            "servers",
            "germany unknown",
            "name servers",
            "status",
            "next",
            "as29066 host",
            "as133618",
            "cname",
            "as47846",
            "scan endpoints",
            "all octoseek",
            "pulse pulses",
            "encrypt",
            "china unknown",
            "as38365 beijing",
            "as134175 unit",
            "707713",
            "hong kong",
            "virgin islands",
            "as6461 zayo",
            "ransom",
            "exploit",
            "ipv4",
            "pulse submit",
            "url analysis",
            "trojan",
            "body",
            "click",
            "creation date",
            "emails",
            "expiration date",
            "domain privacy",
            "hostname",
            "dynamicloader",
            "state",
            "medium",
            "msie",
            "windows nt",
            "wow64",
            "show",
            "slcc2",
            "media center",
            "error",
            "delphi",
            "guard",
            "write",
            "win32",
            "target",
            "redir",
            "facebook",
            "dcom",
            "local",
            "delete",
            "utf8",
            "unicode text",
            "crlf line",
            "rgba",
            "yara detections",
            "default",
            "asnone",
            "get na",
            "dns lookup",
            "probe ms17010",
            "eternalblue",
            "playgame",
            "high",
            "related pulses",
            "yara rule",
            "anomalous file",
            "dynamic",
            "malware infection",
            "cnc",
            "procmem_yara",
            "antivm_generic_disk",
            "modify_proxy infostealer_cookies",
            "network_http",
            "anomalous_deletefile",
            "antidebug_guardpages",
            "powershell_request",
            "powershell_download",
            "as63949 linode",
            "mtb feb",
            "open ports",
            "backdoor",
            "gmt content",
            "trojandropper",
            "simda",
            "lockbit",
            "win.trojan",
            "midia-4",
            "floxif",
            "cryptowall",
            "brontok",
            "check in",
            "record value",
            "files",
            "location united",
            "america asn",
            "as16509",
            "download",
            "threat",
            "paste",
            "iocs",
            "analyze",
            "hostnames",
            "urls http",
            "samples",
            "tsara brashears",
            "2nd corintnthians 4:8-9",
            "injection_inter_process",
            "injection_create_remote_thread",
            "persistence_autorun",
            "bypass_firewall",
            "disables_windowsupdate",
            "dynamic_function_loading",
            "http_request",
            "query",
            "delete c",
            "activity dns",
            "components",
            "file execution",
            "observed dns",
            "as4837 china",
            "nxdomain",
            "a nxdomain",
            "wannacry",
            "missouri",
            "safebae",
            "hallrender",
            "house.mo.gov",
            "typosquatting",
            "tactics",
            "google",
            "win64",
            "khtml",
            "gecko",
            "veryhigh",
            "aes256gcm",
            "dalles",
            "cookie",
            "urls https",
            "xpcegvo2adsnq",
            "mhkz",
            "mvi2",
            "keepaliveyes",
            "fexp24007246",
            "nsyt",
            "eva reimer",
            "daisy coleman",
            "brian sabey",
            "https://lawlink.com/documents/10935/blackbag-technologies-announ"
          ],
          "references": [
            "https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov",
            "dns.msftncsi.com",
            "NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184",
            "Target\u2193\u2192 Tsara Brashears:  https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
            "23.216.147.64",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]",
            "http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]",
            "alohatube.xyz [BotNetwork]",
            "facebooksunglassshop.com",
            "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4",
            "oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev",
            "http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/",
            "government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org",
            "https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html",
            "remote.utorrent.com [remote router logins]",
            "Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com",
            "http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online",
            "http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com",
            "http://tvm77.fashiongup.in/tracking/track-open",
            "https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov",
            "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg",
            "http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept",
            "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png",
            "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png",
            "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&",
            "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&",
            "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/",
            "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/",
            "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/",
            "hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com",
            "http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208",
            "https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com",
            "safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/",
            "https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com",
            "https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4",
            "Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js",
            "Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]",
            "Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store",
            "https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]",
            "http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt",
            "sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php",
            "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software"
          ],
          "public": 1,
          "adversary": "NSO Group",
          "targeted_countries": [
            "United States of America",
            "China",
            "Australia",
            "Hong Kong"
          ],
          "malware_families": [
            {
              "id": "Agent Tesla",
              "display_name": "Agent Tesla",
              "target": null
            },
            {
              "id": "Amadey",
              "display_name": "Amadey",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "AZORult",
              "display_name": "AZORult",
              "target": null
            },
            {
              "id": "Chaos",
              "display_name": "Chaos",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "EVILNUM",
              "display_name": "EVILNUM",
              "target": null
            },
            {
              "id": "Dark",
              "display_name": "Dark",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            },
            {
              "id": "Keylogger",
              "display_name": "Keylogger",
              "target": null
            },
            {
              "id": "Maze",
              "display_name": "Maze",
              "target": null
            },
            {
              "id": "NjRAT",
              "display_name": "NjRAT",
              "target": null
            },
            {
              "id": "Parallax RAT",
              "display_name": "Parallax RAT",
              "target": null
            },
            {
              "id": "Pegasus",
              "display_name": "Pegasus",
              "target": null
            },
            {
              "id": "QakBot",
              "display_name": "QakBot",
              "target": null
            },
            {
              "id": "QBot",
              "display_name": "QBot",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "RansomEXX",
              "display_name": "RansomEXX",
              "target": null
            },
            {
              "id": "Ransomware",
              "display_name": "Ransomware",
              "target": null
            },
            {
              "id": "Remcos RAT",
              "display_name": "Remcos RAT",
              "target": null
            },
            {
              "id": "Ursnif",
              "display_name": "Ursnif",
              "target": null
            },
            {
              "id": "Win.Trojan.Agent-336074",
              "display_name": "Win.Trojan.Agent-336074",
              "target": null
            },
            {
              "id": "Arid.Viper_CnC",
              "display_name": "Arid.Viper_CnC",
              "target": null
            },
            {
              "id": "WininiCrypt",
              "display_name": "WininiCrypt",
              "target": null
            },
            {
              "id": "PWS:Win32/QQpass.CI",
              "display_name": "PWS:Win32/QQpass.CI",
              "target": "/malware/PWS:Win32/QQpass.CI"
            },
            {
              "id": "Win.Trojan.Midia-4",
              "display_name": "Win.Trojan.Midia-4",
              "target": null
            },
            {
              "id": "LockBit",
              "display_name": "LockBit",
              "target": null
            },
            {
              "id": "Win32/SocStealer!rfn",
              "display_name": "Win32/SocStealer!rfn",
              "target": null
            },
            {
              "id": "Backdoor.Win32.Shiz.ufj",
              "display_name": "Backdoor.Win32.Shiz.ufj",
              "target": null
            },
            {
              "id": "Email-Worm.Win32.Brontok.n",
              "display_name": "Email-Worm.Win32.Brontok.n",
              "target": null
            },
            {
              "id": "ETERNALBLUE",
              "display_name": "ETERNALBLUE",
              "target": null
            },
            {
              "id": "WannaCry",
              "display_name": "WannaCry",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
              "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 148,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1373,
            "FileHash-SHA1": 1174,
            "FileHash-SHA256": 6417,
            "URL": 4264,
            "domain": 2304,
            "hostname": 2413,
            "CVE": 4,
            "email": 15,
            "CIDR": 1
          },
          "indicator_count": 17965,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 227,
          "modified_text": "769 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65944a8149f2479b2fbc6cd1",
          "name": "Relic",
          "description": "Malicious redirect to botnet malvertising of a business, affecting both .com and YouTube distribution. YouTube encoded logins. Hacker attack, geo tracking, password cracking, decryption, C2. Retaliation. Found in referenced Twitter link shared with me.",
          "modified": "2024-02-01T14:01:46.735000",
          "created": "2024-01-02T17:40:17.890000",
          "tags": [
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "urls https",
            "http response",
            "final url",
            "serving ip",
            "address",
            "status code",
            "body length",
            "b body",
            "sha256",
            "headers nel",
            "maxage5184000",
            "name verdict",
            "falcon sandbox",
            "whois record",
            "ssl certificate",
            "tsara brashears",
            "whois whois",
            "historical ssl",
            "contacted",
            "highly targeted",
            "hackers",
            "botnet",
            "apple ios",
            "malicious",
            "hacktool",
            "quasar",
            "download",
            "malware",
            "relic",
            "monitoring",
            "installer",
            "tofsee",
            "getprocaddress",
            "indicator",
            "prefetch8",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "united",
            "file",
            "pattern match",
            "path",
            "date",
            "win64",
            "factory",
            "model",
            "comspec",
            "hybrid",
            "general",
            "click",
            "strings",
            "patch",
            "song culture",
            "tulach"
          ],
          "references": [
            "rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru [phishing] SongCulture.comm& YouTube redirected by hacker",
            "https://hybrid-analysis.com/sample/3f1b1621818b3cfef7c58d8c3e382932a5a817579dffe8fbefc4cf6fdb8fc21d",
            "https://www.virustotal.com/gui/url/4657cd9117ad26288f2af98767de164d9af64e9c22e3eda9580766688ec38652/community",
            "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/,",
            "https://twitter.com/sheriffspurlock?lang=en",
            "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8",
            "http://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru",
            "nr-data.net [Apple Private Data Collection]",
            "init.ess.apple.com [backdoor, malicious script, access via media]",
            "https://stackabuse.com/assets/images/apple",
            "https://apple.find-tracking.us/?id=jit./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./err",
            "location-icloud.com",
            "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking| Botnet Campaign]",
            "mailtrack.io [tracking VirusTotal graphs, link trace back]",
            "http://rawlucky.com/submit/prizepicker/iq?devicemodel=iPhone&carrier=\u00aeion=Baghdad&brand=Apple&browser=AlohaBrowserMobile&prize=300k&u=track.bawiwia.com&isp=EarthlinkTelecommunicationsEquipmentTradingServicesDmcc&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=IQ&click_id=woot0oed65crk85u2oe4vubu&partner=2423996&skip=yes",
            "https://aheadofthegame.uk/about?utm_campaign=You%E2%80%99re%20nearly%20there!&utm_medium=email&utm_source=Eloqua&elqTrackId=e6385dd142e445f48aa17b4544780841&elq=0db2557254194121b23f3bec84f42097&elqaid=4059&elqat=1&elqCampaignId=",
            "https://pin.it/ [faux Pinterest for TB]",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS Password Cracker [",
            "114.114.114.114 [ Tulach Malware IP]",
            "13.107.136.8  [ Tulach Malware IP redirect]",
            "http://114.114.114.114:9421/proxycontrolwarn/ [Tulach cnc | probe]",
            "http://114.114.114.114/d?dn=sinastorage.com [ storage of targeted individuals on and offline Behavior]",
            "http://114.114.114.114:7777/c/msdownload/update/others/2022/01/29136388_",
            "http://114.114.114.114/ipw.ps1",
            "194.245.148.189 [CnC]",
            "https://stackabuse.com/generating-command-line-interfaces-cli-with-fire-in-python/",
            "http://109.206.241.129/666bins/666.mpsl",
            "http://designspaceblog.com/?mystique=jquery_init&ver=2.4.2",
            "143.244.50.213 |169.150.249.162  [malware_hosting]",
            "http://watchhers.net/index.php [malware spreader]",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t  Domain twitter.com No Expiration\t0\t  Hostname www.pornhub.com No Expiration\t0\t  URL https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 No Expiration\t0\t  URL",
            "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
            "xred.mooo.com [pornhub trojan]",
            "https://twitter.com/PORNO_SEXYBABES [ malvertizing, contextualizing, malicious]",
            "http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=DESKTOP-B0T93D6\\george",
            "https://otx.alienvault.com/indicator/url/https://www.hostinger.com/?REFERRALCODE=1ROCKY77 [ DGA parking]"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "Relic",
              "display_name": "Relic",
              "target": null
            },
            {
              "id": "Comspec",
              "display_name": "Comspec",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "TA0037",
              "name": "Command and Control",
              "display_name": "TA0037 - Command and Control"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 8049,
            "FileHash-MD5": 388,
            "FileHash-SHA1": 212,
            "FileHash-SHA256": 7062,
            "domain": 4401,
            "hostname": 2653,
            "CVE": 2,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 22769,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 221,
          "modified_text": "809 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "654136b5eb9bdd21070ff9d7",
          "name": "Cyber Espionage",
          "description": "Cyber warfare. Extravagant attack that includes phishing, monitoring, spyware, tracking, remote vehicle tracking, API calls after identification of anything computerized: car, phone, mobile phone, mail, UPS, television. Apple private data services nr-data.net. This may be a Honeypot. Interesting. Attacker alleging to be a government contractor actively attacks and porn smears alleged SA victim assaulted by someone with his last name. Coincidence or Honeypot?\nTarget still at risk.\nTarget again is Tsara Brashears.\nSevere privacy invasion.\nShhhh....Active Silencing",
          "modified": "2023-11-30T07:01:37.424000",
          "created": "2023-10-31T17:17:41.263000",
          "tags": [
            "contacted",
            "resolutions",
            "origin1",
            "ip address",
            "list",
            "communicating",
            "cyber threat",
            "united",
            "phishing",
            "phishing site",
            "covid19",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "detection list",
            "installcore",
            "nymaim",
            "suppobox",
            "malicious",
            "cisco umbrella",
            "site",
            "alexa top",
            "million",
            "safe site",
            "malware",
            "malware site",
            "malicious site",
            "heur",
            "exploit",
            "alexa",
            "riskware",
            "team",
            "blacklist https",
            "blacklist",
            "facebook",
            "engineering",
            "iframe",
            "downloader",
            "unsafe",
            "artemis",
            "trojanx",
            "agent",
            "unruy",
            "win64",
            "fakealert",
            "fusioncore",
            "redirector",
            "killav",
            "trojan",
            "lokibot",
            "emotet",
            "redline stealer",
            "cobalt strike",
            "citadel",
            "vawtrak",
            "qakbot",
            "qbot",
            "bankerx",
            "dropper",
            "nimda",
            "formbook",
            "swrort",
            "adwind",
            "crack",
            "generic",
            "wacatac",
            "opencandy",
            "nircmd",
            "downldr",
            "filetour",
            "cleaner",
            "conduit",
            "tiggre",
            "presenoker",
            "zpevdo",
            "webcompanion",
            "seraph",
            "tofsee",
            "xrat",
            "xtrat",
            "patcher",
            "adload",
            "stealer",
            "vidar",
            "raccoon",
            "bank",
            "urls",
            "generic malware",
            "noname057",
            "reimer",
            "agency",
            "charles",
            "http response",
            "final url",
            "serving ip",
            "address",
            "status code",
            "body length",
            "kb body",
            "name verdict",
            "date",
            "root ca",
            "markmonitor",
            "name server",
            "windir",
            "unknown",
            "swisscom root",
            "post root",
            "trust",
            "hybrid",
            "general",
            "click",
            "strings",
            "class",
            "generator",
            "critical",
            "error",
            "defence",
            "fraud",
            "logistics",
            "ipv4",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "report spam",
            "author",
            "cyber warfare",
            "created",
            "months ago",
            "modified",
            "next",
            "url https",
            "url http",
            "all octoseek",
            "month ago",
            "utmsourcemailer",
            "ck id",
            "t1140",
            "filehashsha256",
            "tsara brashears",
            "adult content",
            "pornography",
            "malvertizing",
            "privacy invasion",
            "privilege escalation",
            "packed",
            "aig.com",
            "aig.rastreator.mx",
            "apple",
            "ios",
            "tracking",
            "monitoring",
            "nr-data.net",
            "asp.net"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.003",
              "name": "Mail Protocols",
              "display_name": "T1071.003 - Mail Protocols"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            }
          ],
          "industries": [
            "Defense",
            "Government"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 70,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 166,
            "FileHash-SHA1": 125,
            "FileHash-SHA256": 5806,
            "URL": 16475,
            "domain": 3302,
            "hostname": 5135,
            "CVE": 16,
            "email": 8
          },
          "indicator_count": 31033,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 223,
          "modified_text": "872 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6545be6e02e0f9f82cb1febf",
          "name": "Vawtrak credential stealer | CNC",
          "description": "",
          "modified": "2023-11-30T07:01:37.424000",
          "created": "2023-11-04T03:45:50.234000",
          "tags": [
            "contacted",
            "resolutions",
            "origin1",
            "ip address",
            "list",
            "communicating",
            "cyber threat",
            "united",
            "phishing",
            "phishing site",
            "covid19",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "detection list",
            "installcore",
            "nymaim",
            "suppobox",
            "malicious",
            "cisco umbrella",
            "site",
            "alexa top",
            "million",
            "safe site",
            "malware",
            "malware site",
            "malicious site",
            "heur",
            "exploit",
            "alexa",
            "riskware",
            "team",
            "blacklist https",
            "blacklist",
            "facebook",
            "engineering",
            "iframe",
            "downloader",
            "unsafe",
            "artemis",
            "trojanx",
            "agent",
            "unruy",
            "win64",
            "fakealert",
            "fusioncore",
            "redirector",
            "killav",
            "trojan",
            "lokibot",
            "emotet",
            "redline stealer",
            "cobalt strike",
            "citadel",
            "vawtrak",
            "qakbot",
            "qbot",
            "bankerx",
            "dropper",
            "nimda",
            "formbook",
            "swrort",
            "adwind",
            "crack",
            "generic",
            "wacatac",
            "opencandy",
            "nircmd",
            "downldr",
            "filetour",
            "cleaner",
            "conduit",
            "tiggre",
            "presenoker",
            "zpevdo",
            "webcompanion",
            "seraph",
            "tofsee",
            "xrat",
            "xtrat",
            "patcher",
            "adload",
            "stealer",
            "vidar",
            "raccoon",
            "bank",
            "urls",
            "generic malware",
            "noname057",
            "reimer",
            "agency",
            "charles",
            "http response",
            "final url",
            "serving ip",
            "address",
            "status code",
            "body length",
            "kb body",
            "name verdict",
            "date",
            "root ca",
            "markmonitor",
            "name server",
            "windir",
            "unknown",
            "swisscom root",
            "post root",
            "trust",
            "hybrid",
            "general",
            "click",
            "strings",
            "class",
            "generator",
            "critical",
            "error",
            "defence",
            "fraud",
            "logistics",
            "ipv4",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "report spam",
            "author",
            "cyber warfare",
            "created",
            "months ago",
            "modified",
            "next",
            "url https",
            "url http",
            "all octoseek",
            "month ago",
            "utmsourcemailer",
            "ck id",
            "t1140",
            "filehashsha256",
            "keylogger",
            "sample path",
            "Miles IT"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.003",
              "name": "Mail Protocols",
              "display_name": "T1071.003 - Mail Protocols"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "65413ea960cc79abf6d446fb",
          "export_count": 86,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 166,
            "FileHash-SHA1": 125,
            "FileHash-SHA256": 5688,
            "URL": 15015,
            "domain": 3262,
            "hostname": 4687,
            "CVE": 16,
            "email": 8
          },
          "indicator_count": 28967,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 225,
          "modified_text": "872 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65413ea960cc79abf6d446fb",
          "name": "Vawtrak credential stealer | CNC",
          "description": "Cyber warfare\nTracking\nMonitoring\nMalvertizing\nCNC\nKeylogging\nBotNet\nSevere Privacy Invasion",
          "modified": "2023-11-30T07:01:37.424000",
          "created": "2023-10-31T17:51:37.016000",
          "tags": [
            "contacted",
            "resolutions",
            "origin1",
            "ip address",
            "list",
            "communicating",
            "cyber threat",
            "united",
            "phishing",
            "phishing site",
            "covid19",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "detection list",
            "installcore",
            "nymaim",
            "suppobox",
            "malicious",
            "cisco umbrella",
            "site",
            "alexa top",
            "million",
            "safe site",
            "malware",
            "malware site",
            "malicious site",
            "heur",
            "exploit",
            "alexa",
            "riskware",
            "team",
            "blacklist https",
            "blacklist",
            "facebook",
            "engineering",
            "iframe",
            "downloader",
            "unsafe",
            "artemis",
            "trojanx",
            "agent",
            "unruy",
            "win64",
            "fakealert",
            "fusioncore",
            "redirector",
            "killav",
            "trojan",
            "lokibot",
            "emotet",
            "redline stealer",
            "cobalt strike",
            "citadel",
            "vawtrak",
            "qakbot",
            "qbot",
            "bankerx",
            "dropper",
            "nimda",
            "formbook",
            "swrort",
            "adwind",
            "crack",
            "generic",
            "wacatac",
            "opencandy",
            "nircmd",
            "downldr",
            "filetour",
            "cleaner",
            "conduit",
            "tiggre",
            "presenoker",
            "zpevdo",
            "webcompanion",
            "seraph",
            "tofsee",
            "xrat",
            "xtrat",
            "patcher",
            "adload",
            "stealer",
            "vidar",
            "raccoon",
            "bank",
            "urls",
            "generic malware",
            "noname057",
            "reimer",
            "agency",
            "charles",
            "http response",
            "final url",
            "serving ip",
            "address",
            "status code",
            "body length",
            "kb body",
            "name verdict",
            "date",
            "root ca",
            "markmonitor",
            "name server",
            "windir",
            "unknown",
            "swisscom root",
            "post root",
            "trust",
            "hybrid",
            "general",
            "click",
            "strings",
            "class",
            "generator",
            "critical",
            "error",
            "defence",
            "fraud",
            "logistics",
            "ipv4",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "report spam",
            "author",
            "cyber warfare",
            "created",
            "months ago",
            "modified",
            "next",
            "url https",
            "url http",
            "all octoseek",
            "month ago",
            "utmsourcemailer",
            "ck id",
            "t1140",
            "filehashsha256",
            "keylogger",
            "sample path",
            "Miles IT"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.003",
              "name": "Mail Protocols",
              "display_name": "T1071.003 - Mail Protocols"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 74,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 166,
            "FileHash-SHA1": 125,
            "FileHash-SHA256": 5688,
            "URL": 15015,
            "domain": 3262,
            "hostname": 4687,
            "CVE": 16,
            "email": 8
          },
          "indicator_count": 28967,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "872 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "654136c8e530066ae793dc64",
          "name": "Cyber Espionage",
          "description": "Cyber warfare. Extravagant attack that includes, phishing, monitoring, spyware, tracking, remote vehicle tracking, API calls after identification of anything computerized; car, phone, mobile phone, mail, ups, television. Apple private data services nr-data.net. This may be a Honeypot. Interesting. Attacker alleging to be a  government contractor actively attacks and porn smears alleged SA victim assaulted by someone with his last name. Coincidence or Honeypot?\nTarget still at risk.\nTarget again is Tsara Brashears. \nSevere privacy invasion.\nShhhh....Active Silencing",
          "modified": "2023-11-30T07:01:37.424000",
          "created": "2023-10-31T17:18:00.623000",
          "tags": [
            "contacted",
            "resolutions",
            "origin1",
            "ip address",
            "list",
            "communicating",
            "cyber threat",
            "united",
            "phishing",
            "phishing site",
            "covid19",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "detection list",
            "installcore",
            "nymaim",
            "suppobox",
            "malicious",
            "cisco umbrella",
            "site",
            "alexa top",
            "million",
            "safe site",
            "malware",
            "malware site",
            "malicious site",
            "heur",
            "exploit",
            "alexa",
            "riskware",
            "team",
            "blacklist https",
            "blacklist",
            "facebook",
            "engineering",
            "iframe",
            "downloader",
            "unsafe",
            "artemis",
            "trojanx",
            "agent",
            "unruy",
            "win64",
            "fakealert",
            "fusioncore",
            "redirector",
            "killav",
            "trojan",
            "lokibot",
            "emotet",
            "redline stealer",
            "cobalt strike",
            "citadel",
            "vawtrak",
            "qakbot",
            "qbot",
            "bankerx",
            "dropper",
            "nimda",
            "formbook",
            "swrort",
            "adwind",
            "crack",
            "generic",
            "wacatac",
            "opencandy",
            "nircmd",
            "downldr",
            "filetour",
            "cleaner",
            "conduit",
            "tiggre",
            "presenoker",
            "zpevdo",
            "webcompanion",
            "seraph",
            "tofsee",
            "xrat",
            "xtrat",
            "patcher",
            "adload",
            "stealer",
            "vidar",
            "raccoon",
            "bank",
            "urls",
            "generic malware",
            "noname057",
            "reimer",
            "agency",
            "charles",
            "http response",
            "final url",
            "serving ip",
            "address",
            "status code",
            "body length",
            "kb body",
            "name verdict",
            "date",
            "root ca",
            "markmonitor",
            "name server",
            "windir",
            "unknown",
            "swisscom root",
            "post root",
            "trust",
            "hybrid",
            "general",
            "click",
            "strings",
            "class",
            "generator",
            "critical",
            "error",
            "defence",
            "fraud",
            "logistics",
            "ipv4",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "report spam",
            "author",
            "cyber warfare",
            "created",
            "months ago",
            "modified",
            "next",
            "url https",
            "url http",
            "all octoseek",
            "month ago",
            "utmsourcemailer",
            "ck id",
            "t1140",
            "filehashsha256",
            "tsara brashears",
            "adult content",
            "pornography",
            "malvertizing",
            "privacy invasion",
            "privilege escalation",
            "packed",
            "aig.com",
            "aig.rastreator.mx",
            "apple",
            "ios",
            "tracking",
            "monitoring",
            "nr-data.net",
            "asp.net"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.003",
              "name": "Mail Protocols",
              "display_name": "T1071.003 - Mail Protocols"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            }
          ],
          "industries": [
            "Defense",
            "Government"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 69,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 166,
            "FileHash-SHA1": 125,
            "FileHash-SHA256": 5806,
            "URL": 16475,
            "domain": 3302,
            "hostname": 5135,
            "CVE": 16,
            "email": 8
          },
          "indicator_count": 31033,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 225,
          "modified_text": "872 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "654136c1ac991f85328604d2",
          "name": "Cyber Espionage",
          "description": "Cyber warfare. Extravagant attack that includes, phishing, monitoring, spyware, tracking, remote vehicle tracking, API calls after identification of anything computerized; car, phone, mobile phone, mail, ups, television. Apple private data services nr-data.net. This may be a Honeypot. Interesting. Attacker alleging to be a  government contractor actively attacks and porn smears alleged SA victim assaulted by someone with his last name. Coincidence or Honeypot?\nTarget still at risk.\nTarget again is Tsara Brashears. \nSevere privacy invasion.\nShhhh....Active Silencing",
          "modified": "2023-11-30T07:01:37.424000",
          "created": "2023-10-31T17:17:52.382000",
          "tags": [
            "contacted",
            "resolutions",
            "origin1",
            "ip address",
            "list",
            "communicating",
            "cyber threat",
            "united",
            "phishing",
            "phishing site",
            "covid19",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "detection list",
            "installcore",
            "nymaim",
            "suppobox",
            "malicious",
            "cisco umbrella",
            "site",
            "alexa top",
            "million",
            "safe site",
            "malware",
            "malware site",
            "malicious site",
            "heur",
            "exploit",
            "alexa",
            "riskware",
            "team",
            "blacklist https",
            "blacklist",
            "facebook",
            "engineering",
            "iframe",
            "downloader",
            "unsafe",
            "artemis",
            "trojanx",
            "agent",
            "unruy",
            "win64",
            "fakealert",
            "fusioncore",
            "redirector",
            "killav",
            "trojan",
            "lokibot",
            "emotet",
            "redline stealer",
            "cobalt strike",
            "citadel",
            "vawtrak",
            "qakbot",
            "qbot",
            "bankerx",
            "dropper",
            "nimda",
            "formbook",
            "swrort",
            "adwind",
            "crack",
            "generic",
            "wacatac",
            "opencandy",
            "nircmd",
            "downldr",
            "filetour",
            "cleaner",
            "conduit",
            "tiggre",
            "presenoker",
            "zpevdo",
            "webcompanion",
            "seraph",
            "tofsee",
            "xrat",
            "xtrat",
            "patcher",
            "adload",
            "stealer",
            "vidar",
            "raccoon",
            "bank",
            "urls",
            "generic malware",
            "noname057",
            "reimer",
            "agency",
            "charles",
            "http response",
            "final url",
            "serving ip",
            "address",
            "status code",
            "body length",
            "kb body",
            "name verdict",
            "date",
            "root ca",
            "markmonitor",
            "name server",
            "windir",
            "unknown",
            "swisscom root",
            "post root",
            "trust",
            "hybrid",
            "general",
            "click",
            "strings",
            "class",
            "generator",
            "critical",
            "error",
            "defence",
            "fraud",
            "logistics",
            "ipv4",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "report spam",
            "author",
            "cyber warfare",
            "created",
            "months ago",
            "modified",
            "next",
            "url https",
            "url http",
            "all octoseek",
            "month ago",
            "utmsourcemailer",
            "ck id",
            "t1140",
            "filehashsha256",
            "tsara brashears",
            "adult content",
            "pornography",
            "malvertizing",
            "privacy invasion",
            "privilege escalation",
            "packed",
            "aig.com",
            "aig.rastreator.mx",
            "apple",
            "ios",
            "tracking",
            "monitoring",
            "nr-data.net",
            "asp.net"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.003",
              "name": "Mail Protocols",
              "display_name": "T1071.003 - Mail Protocols"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            }
          ],
          "industries": [
            "Defense",
            "Government"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 69,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 166,
            "FileHash-SHA1": 125,
            "FileHash-SHA256": 5806,
            "URL": 16475,
            "domain": 3302,
            "hostname": 5135,
            "CVE": 16,
            "email": 8
          },
          "indicator_count": 31033,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 223,
          "modified_text": "872 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://aheadofthegame.uk/about?utm_campaign=You%E2%80%99re%20nearly%20there!&utm_medium=email&utm_source=Eloqua&elqTrackId=e6385dd142e445f48aa17b4544780841&elq=0db2557254194121b23f3bec84f42097&elqaid=4059&elqat=1&elqCampaignId=",
        "https://pornokind.vgt.pl \u2022  https://cdn2.video.itsyourporn.com",
        "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 ,  Trojan:Win32/Pariham.A",
        "https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
        "http://designspaceblog.com/?mystique=jquery_init&ver=2.4.2",
        "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will usually remain up and running)",
        "https://pin.it/ [faux Pinterest for TB]",
        "http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt",
        "location-icloud.com",
        "https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
        "https://www.virustotal.com/gui/url/4657cd9117ad26288f2af98767de164d9af64e9c22e3eda9580766688ec38652/community",
        "143.244.50.213 |169.150.249.162  [malware_hosting]",
        "Alerts : tcp_syn_scan nolookup_communication network_cnc_http network_http",
        "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/",
        "http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept",
        "pornlynx.com \u2022 www.pornhub.com \u2022 www.anyxxxtube.com",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "https://hybrid-analysis.com/sample/3f1b1621818b3cfef7c58d8c3e382932a5a817579dffe8fbefc4cf6fdb8fc21d",
        "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
        "https://www2.itsyourporn.com/license.php \u2022  https://www.lovephoto.tw/members",
        "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net",
        "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT",
        "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com",
        "Alerts :  dead_host nids_exploit_alert nids_malware_alert persistency_initd network_icmp",
        "Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
        "https://wallpapers-nature.com/tsara-brashears/urlscan-io",
        "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android",
        "IDS Detections: *MVPower DVR Shell UCE *Mirai Variant User-Agent (Outbound)",
        "Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
        "https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
        "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
        "Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
        "Yara :  Yara Detections : SUSP_XORed_Mozilla ,  Linux_MiningSoftware ,  is__elf",
        "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida",
        "Target agreed and complied with all lie detector measures.",
        "government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org",
        "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US",
        "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS Password Cracker [",
        "https://es.pornhat.com/models/the-sex-creator/",
        "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4",
        "https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html",
        "3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
        "IDS Detections: *JAWS Webserver Unauthenticated Shell Command Execution",
        "Is the family allowed to have a funeral for Tsara or print an obituary",
        "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/",
        "Needs researching: http://lib.jerusalem.muni.il.il \u2022 https://lib.jerusalem.muni.il.il",
        "http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com",
        "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
        "Can the DoD no questions asked target a SA victim",
        "IDS Detections:  *WGET Command Specifying Output in HTTP Headers",
        "Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store",
        "http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/",
        "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&",
        "Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
        "https://twitter.com/PORNO_SEXYBABES [ malvertising, contextualizing, malicious]",
        "Alerts :  network_http_post nids_alert chmod_syscall writes_to_stdout",
        "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
        "facebooksunglassshop.com",
        "https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]",
        "https://stackabuse.com/assets/images/apple",
        "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7",
        "Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js",
        "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking| Botnet Campaign]",
        "http://114.114.114.114:9421/proxycontrolwarn/ [Tulach cnc | probe]",
        "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below",
        "192.168.1.1  - WOW! Use your old equipment in a non - residential environment",
        "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a",
        "http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]",
        "https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com",
        "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4",
        "oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev",
        "Yara Detections BackdoorWin32Simda",
        "http://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "remote.utorrent.com [remote router logins]",
        "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7",
        "http://114.114.114.114:7777/c/msdownload/update/others/2022/01/29136388_",
        "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com",
        "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)",
        "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/,",
        "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png",
        "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |",
        "http://tvm77.fashiongup.in/tracking/track-open",
        "socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
        "Pahamify Pegasus",
        "13.107.136.8  [ Tulach Malware IP redirect]",
        "sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php",
        "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png",
        "https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov",
        "Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
        "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |",
        "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/",
        "dns.msftncsi.com",
        "Yara Detections: is__elf ,  ELFHighEntropy ,  elf_empty_sections",
        "https://twitter.com/sheriffspurlock?lang=en",
        "https://stackabuse.com/generating-command-line-interfaces-cli-with-fire-in-python/",
        "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
        "alohatube.xyz [BotNetwork]",
        "https://meumundogay-com.sexogratis.page/locker",
        "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
        "Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]",
        "Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
        "http://www.anyxxxtube.net/search-porn/tsara-brashears",
        "IDS: TLS Handshake Failure",
        "http://rawlucky.com/submit/prizepicker/iq?devicemodel=iPhone&carrier=\u00aeion=Baghdad&brand=Apple&browser=AlohaBrowserMobile&prize=300k&u=track.bawiwia.com&isp=EarthlinkTelecommunicationsEquipmentTradingServicesDmcc&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=IQ&click_id=woot0oed65crk85u2oe4vubu&partner=2423996&skip=yes",
        "https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
        "http://watchhers.net/index.php [malware spreader]",
        "There is fear in silence or speaking out",
        "http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=DESKTOP-B0T93D6\\george",
        "iamrobert.com Y.A.S.",
        "https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov",
        "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8",
        "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur",
        "http://114.114.114.114/d?dn=sinastorage.com [ storage of targeted individuals on and offline Behavior]",
        "HOSTEDBYAPPLIEDI.NET - Enom",
        "xred.mooo.com [pornhub trojan]",
        "If someone is believed to be a threat they have right to due process.",
        "zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
        "http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online",
        "https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4",
        "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022",
        "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)",
        "https://otx.alienvault.com/indicator/url/https://www.hostinger.com/?REFERRALCODE=1ROCKY77 [ DGA parking]",
        "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
        "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
        "http://109.206.241.129/666bins/666.mpsl",
        "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
        "Other Mitre ATT&CK T1480 T1553.00  T1027.013  T1057  T1069.002 T1071\tT1071.004",
        "mailtrack.io [tracking VirusTotal graphs, link trace back]",
        "194.245.148.189 [CnC]",
        "https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
        "https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com",
        "http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208",
        "https://members.engine.com/login \u2022  https://members.engine.com/payment-details/220210",
        "23.216.147.64",
        "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software",
        "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf",
        "Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com",
        "https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
        "https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
        "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&",
        "Target\u2193\u2192 Tsara Brashears:  https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
        "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e",
        "Mirai Botnet - *Inbound & Outbound connection",
        "Dropped Files: #266028 (deleted) empty MD5 d41d8cd98f00b204e9800998ecf8427e",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t  Domain twitter.com No Expiration\t0\t  Hostname www.pornhub.com No Expiration\t0\t  URL https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 No Expiration\t0\t  URL",
        "I am very upset. Whoever is doing this is sick.",
        "nr-data.net [Apple Private Data Collection]",
        "smartertrack.appliedi.net, http://analytics.com/track?id=55",
        "https://frostty12ice.info/ \u2022 https://lawhubh.info",
        "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
        "tv.apple.com",
        "1.2016 M.Brian Sabey filed a complaint about?  Jeffrey Reimer refused Lie detector test and False memory exam",
        "http://xn.com/ \u2022 www.xn--linkedinxn-6u6e.com \u2022 http://www.linkedin-xn.com/ \u2022 www.linkedin-xn.com",
        "safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/",
        "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg",
        "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed",
        "https://apple.find-tracking.us/?id=jit./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./err",
        "Powerful Exploit: https://otx.alienvault.com/indicator/file/ba32802bdd1f0b91cf8c667b94426d73ee654ba0",
        "https://www.meritshealth.com/ Defense.Gov Mobility Co?  <https://iamwithrobert.com/>",
        "114.114.114.114 [ Tulach Malware IP]",
        "No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
        "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598",
        "init.ess.apple.com [backdoor, malicious script, access via media]",
        "NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184",
        "http://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru",
        "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)",
        "https://www.pornhub.com/video/search?search=tsara+brashears",
        "hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com",
        "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664",
        "https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]",
        "https://maisexo-com.putaria.info/casting \u2022  https://contosadultos-club.sexogratis.page/tudo",
        "She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
        "http://114.114.114.114/ipw.ps1",
        "There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
        "IDS Detections:  *D-Link Devices Home Network Administration Protocol Command Execution",
        "Google_Chrome_64bit_v136.0.7103.49.exe",
        "rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru [phishing] SongCulture.comm& YouTube redirected by hacker",
        "https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
        "pornokind.vgt.pl \u2022 https://pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl/",
        "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
        "ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
        "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "NSO Group"
          ],
          "malware_families": [
            "Kanna",
            "Unix.dropper.botnet-6566040-0",
            "Email-worm.win32.brontok.n",
            "Qbot",
            "Parallax rat",
            "Autorunit",
            "Der zugriff",
            "Alf:heraklezeval:trojan:win32/ymacco.aa47",
            "Hacktool",
            "Hacktool:win32/powersploit!rfn",
            "Trojan:win32/pariham.a",
            "Dark",
            "Pegasus",
            "Win.trojan.midia-4",
            "Emotet",
            "Chaos",
            "Njrat",
            "Ransomexx",
            "Maze",
            "Win.trojan.agent-336074",
            "Pws:win32/qqpass.ci",
            "Unix.trojan.darknexus-7679166-0",
            "Agent tesla",
            "Mydoom",
            "Ransomware",
            "Win32/socstealer!rfn",
            "Wininicrypt",
            "Cobalt strike",
            "Evilnum",
            "Apnic",
            "Tofsee",
            "Backdoor.win32.shiz.ufj",
            "Quasar rat",
            "Ursnif",
            "Amadey",
            "Remcos rat",
            "Sigur",
            "Relic",
            "Mirai",
            "Qakbot",
            "Lockbit",
            "Virus:win95/cerebrus",
            "Azorult",
            "Worm:win32/mydoom.pb!mtb",
            "Ransom",
            "Tulach",
            "Wannacry",
            "Montserrat",
            "Comspec",
            "Malware",
            "Keylogger",
            "Nids",
            "Eternalblue",
            "Elf:mirai-gh\\ [trj]",
            "Asyncrat",
            "Arid.viper_cnc",
            "Beapy"
          ],
          "industries": [
            "Financial",
            "Technology",
            "Legal",
            "Civil society",
            "Defense",
            "Telecommunications",
            "Healthcare",
            "Insurance",
            "Government"
          ],
          "unique_indicators": 120880
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/fhjtimes.com",
    "whois": "http://whois.domaintools.com/fhjtimes.com",
    "domain": "fhjtimes.com",
    "hostname": "scripts.4boas.fhjtimes.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 18,
  "pulses": [
    {
      "id": "69bf8e2663d5480917ddb699",
      "name": "Pegasus - https://house.mo.gov/ | Brian Sabey HallRender [i cloned OctoSeek] T8",
      "description": "",
      "modified": "2026-03-22T08:35:26.266000",
      "created": "2026-03-22T06:37:26.233000",
      "tags": [
        "united",
        "as393601 state",
        "a domains",
        "passive dns",
        "as397241",
        "certificate",
        "urls",
        "search",
        "showing",
        "entries",
        "algorithm",
        "full name",
        "data",
        "v3 serial",
        "number",
        "cus cndigicert",
        "global g2",
        "tls rsa",
        "sha256",
        "ca1 odigicert",
        "info",
        "record type",
        "ttl value",
        "all txt",
        "ssl certificate",
        "whois record",
        "contacted",
        "referrer",
        "resolutions",
        "historical ssl",
        "communicating",
        "problems",
        "parent domain",
        "njrat",
        "ransomware",
        "startpage",
        "historical",
        "malware",
        "execution",
        "threat roundup",
        "april",
        "september",
        "remcos rat",
        "august",
        "june",
        "qakbot",
        "push",
        "service",
        "privateloader",
        "amadey",
        "powershell",
        "qbot",
        "cobalt strike",
        "core",
        "hacktool",
        "november",
        "october",
        "roundup",
        "threat network",
        "cellbrite",
        "february",
        "emotet",
        "maze",
        "metro",
        "dark",
        "malicious",
        "team",
        "critical",
        "copy",
        "awful",
        "parallax rat",
        "banker",
        "keylogger",
        "dns replication",
        "date",
        "csc corporate",
        "domains",
        "code",
        "server",
        "registrar abuse",
        "registrar iana",
        "registry domain",
        "registrar url",
        "registrar",
        "contact phone",
        "apple ios",
        "quasar",
        "remcos",
        "ursnif",
        "chaos",
        "ransomexx",
        "azorult",
        "agent tesla",
        "evilnum",
        "asyncrat",
        "win32 exe",
        "wininit",
        "beta version",
        "cmstp",
        "taskscheduler",
        "ieudinit",
        "nat32",
        "certsentry",
        "type name",
        "wc3 rpg",
        "pegasus",
        "unknown",
        "domain",
        "servers",
        "germany unknown",
        "name servers",
        "status",
        "next",
        "as29066 host",
        "as133618",
        "cname",
        "as47846",
        "scan endpoints",
        "all octoseek",
        "pulse pulses",
        "encrypt",
        "china unknown",
        "as38365 beijing",
        "as134175 unit",
        "707713",
        "hong kong",
        "virgin islands",
        "as6461 zayo",
        "ransom",
        "exploit",
        "ipv4",
        "pulse submit",
        "url analysis",
        "trojan",
        "body",
        "click",
        "creation date",
        "emails",
        "expiration date",
        "domain privacy",
        "hostname",
        "dynamicloader",
        "state",
        "medium",
        "msie",
        "windows nt",
        "wow64",
        "show",
        "slcc2",
        "media center",
        "error",
        "delphi",
        "guard",
        "write",
        "win32",
        "target",
        "redir",
        "facebook",
        "dcom",
        "local",
        "delete",
        "utf8",
        "unicode text",
        "crlf line",
        "rgba",
        "yara detections",
        "default",
        "asnone",
        "get na",
        "dns lookup",
        "probe ms17010",
        "eternalblue",
        "playgame",
        "high",
        "related pulses",
        "yara rule",
        "anomalous file",
        "dynamic",
        "malware infection",
        "cnc",
        "procmem_yara",
        "antivm_generic_disk",
        "modify_proxy infostealer_cookies",
        "network_http",
        "anomalous_deletefile",
        "antidebug_guardpages",
        "powershell_request",
        "powershell_download",
        "as63949 linode",
        "mtb feb",
        "open ports",
        "backdoor",
        "gmt content",
        "trojandropper",
        "simda",
        "lockbit",
        "win.trojan",
        "midia-4",
        "floxif",
        "cryptowall",
        "brontok",
        "check in",
        "record value",
        "files",
        "location united",
        "america asn",
        "as16509",
        "download",
        "threat",
        "paste",
        "iocs",
        "analyze",
        "hostnames",
        "urls http",
        "samples",
        "tsara brashears",
        "2nd corintnthians 4:8-9",
        "injection_inter_process",
        "injection_create_remote_thread",
        "persistence_autorun",
        "bypass_firewall",
        "disables_windowsupdate",
        "dynamic_function_loading",
        "http_request",
        "query",
        "delete c",
        "activity dns",
        "components",
        "file execution",
        "observed dns",
        "as4837 china",
        "nxdomain",
        "a nxdomain",
        "wannacry",
        "missouri",
        "safebae",
        "hallrender",
        "house.mo.gov",
        "typosquatting",
        "tactics",
        "google",
        "win64",
        "khtml",
        "gecko",
        "veryhigh",
        "aes256gcm",
        "dalles",
        "cookie",
        "urls https",
        "xpcegvo2adsnq",
        "mhkz",
        "mvi2",
        "keepaliveyes",
        "fexp24007246",
        "nsyt",
        "eva reimer",
        "daisy coleman",
        "brian sabey",
        "https://lawlink.com/documents/10935/blackbag-technologies-announ"
      ],
      "references": [
        "https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov",
        "dns.msftncsi.com",
        "NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184",
        "Target\u2193\u2192 Tsara Brashears:  https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
        "23.216.147.64",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]",
        "http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]",
        "alohatube.xyz [BotNetwork]",
        "facebooksunglassshop.com",
        "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4",
        "oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev",
        "http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/",
        "government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org",
        "https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html",
        "remote.utorrent.com [remote router logins]",
        "Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com",
        "http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online",
        "http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com",
        "http://tvm77.fashiongup.in/tracking/track-open",
        "https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov",
        "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg",
        "http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept",
        "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png",
        "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png",
        "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&",
        "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&",
        "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/",
        "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/",
        "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/",
        "hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com",
        "http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208",
        "https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com",
        "safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/",
        "https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com",
        "https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4",
        "Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js",
        "Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]",
        "Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store",
        "https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]",
        "http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt",
        "sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php",
        "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software"
      ],
      "public": 1,
      "adversary": "NSO Group",
      "targeted_countries": [
        "United States of America",
        "China",
        "Australia",
        "Hong Kong"
      ],
      "malware_families": [
        {
          "id": "Agent Tesla",
          "display_name": "Agent Tesla",
          "target": null
        },
        {
          "id": "Amadey",
          "display_name": "Amadey",
          "target": null
        },
        {
          "id": "AsyncRAT",
          "display_name": "AsyncRAT",
          "target": null
        },
        {
          "id": "AZORult",
          "display_name": "AZORult",
          "target": null
        },
        {
          "id": "Chaos",
          "display_name": "Chaos",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "EVILNUM",
          "display_name": "EVILNUM",
          "target": null
        },
        {
          "id": "Dark",
          "display_name": "Dark",
          "target": null
        },
        {
          "id": "HackTool",
          "display_name": "HackTool",
          "target": null
        },
        {
          "id": "Keylogger",
          "display_name": "Keylogger",
          "target": null
        },
        {
          "id": "Maze",
          "display_name": "Maze",
          "target": null
        },
        {
          "id": "NjRAT",
          "display_name": "NjRAT",
          "target": null
        },
        {
          "id": "Parallax RAT",
          "display_name": "Parallax RAT",
          "target": null
        },
        {
          "id": "Pegasus",
          "display_name": "Pegasus",
          "target": null
        },
        {
          "id": "QakBot",
          "display_name": "QakBot",
          "target": null
        },
        {
          "id": "QBot",
          "display_name": "QBot",
          "target": null
        },
        {
          "id": "Quasar RAT",
          "display_name": "Quasar RAT",
          "target": null
        },
        {
          "id": "RansomEXX",
          "display_name": "RansomEXX",
          "target": null
        },
        {
          "id": "Ransomware",
          "display_name": "Ransomware",
          "target": null
        },
        {
          "id": "Remcos RAT",
          "display_name": "Remcos RAT",
          "target": null
        },
        {
          "id": "Ursnif",
          "display_name": "Ursnif",
          "target": null
        },
        {
          "id": "Win.Trojan.Agent-336074",
          "display_name": "Win.Trojan.Agent-336074",
          "target": null
        },
        {
          "id": "Arid.Viper_CnC",
          "display_name": "Arid.Viper_CnC",
          "target": null
        },
        {
          "id": "WininiCrypt",
          "display_name": "WininiCrypt",
          "target": null
        },
        {
          "id": "PWS:Win32/QQpass.CI",
          "display_name": "PWS:Win32/QQpass.CI",
          "target": "/malware/PWS:Win32/QQpass.CI"
        },
        {
          "id": "Win.Trojan.Midia-4",
          "display_name": "Win.Trojan.Midia-4",
          "target": null
        },
        {
          "id": "LockBit",
          "display_name": "LockBit",
          "target": null
        },
        {
          "id": "Win32/SocStealer!rfn",
          "display_name": "Win32/SocStealer!rfn",
          "target": null
        },
        {
          "id": "Backdoor.Win32.Shiz.ufj",
          "display_name": "Backdoor.Win32.Shiz.ufj",
          "target": null
        },
        {
          "id": "Email-Worm.Win32.Brontok.n",
          "display_name": "Email-Worm.Win32.Brontok.n",
          "target": null
        },
        {
          "id": "ETERNALBLUE",
          "display_name": "ETERNALBLUE",
          "target": null
        },
        {
          "id": "WannaCry",
          "display_name": "WannaCry",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
          "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "65c91f2b7c03b480379ae4d1",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2668,
        "FileHash-SHA1": 2469,
        "FileHash-SHA256": 8054,
        "URL": 6185,
        "domain": 2421,
        "hostname": 3042,
        "CVE": 5,
        "email": 15,
        "CIDR": 1,
        "IPv4": 18
      },
      "indicator_count": 24878,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "29 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6962b68da732abc66a0c2caf",
      "name": "Der Zugriff \u2022 Kanna \u2022 MyDoom \u2022 Sigur - Pahamify Pegasus",
      "description": "Pahamify Pegasus | Execution Attack, Access Attack | Drive by Compromise | \nSifting through Pahamify Pegasus this is no longer your computer , injection, google connects, remote connections, remote mouse movement, remote access, Google espionage, bad traffic, Apple complicit access. This is your Google account and browser, this is your appleid. Still researching\u2026. || \n*https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_ ||\nMalware: Der Zugriff ,\nKanna ,\nMyDoom ,\nSigur \n#firebase #google_connection #bible_gateway_honeypot #crypto #hidden_users #who_else",
      "modified": "2026-02-09T19:00:09.890000",
      "created": "2026-01-10T20:29:01.675000",
      "tags": [
        "ip address",
        "status code",
        "kb body",
        "iocs",
        "deny age",
        "cloudfront",
        "utc google",
        "tag manager",
        "g8t6ln06z40",
        "utc na",
        "google tag",
        "injection",
        "t1055 malware",
        "tree",
        "help v",
        "defense evasion",
        "injection t1055",
        "resolved ips",
        "get http",
        "dns resolutions",
        "v memory",
        "pattern domains",
        "full reports",
        "v help",
        "memory pattern",
        "urls https",
        "hashes",
        "tiktok",
        "microsoft",
        "dashboard falcon",
        "request",
        "windows nt",
        "win64",
        "khtml",
        "gecko",
        "response",
        "appleid",
        "united",
        "name servers",
        "aaaa",
        "servers",
        "moved",
        "script urls",
        "passive dns",
        "urls",
        "data upload",
        "extraction",
        "failed",
        "jsvendor",
        "jsapp",
        "script script",
        "cssapp",
        "jsfirebase",
        "pegasus",
        "encrypt",
        "title error",
        "ipv4",
        "files",
        "reverse dns",
        "united states",
        "malware",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "spawns",
        "execution att",
        "t1204 user",
        "script",
        "beginstring",
        "bad traffic",
        "et info",
        "null",
        "title",
        "refresh",
        "span",
        "strings",
        "error",
        "tools",
        "meta",
        "look",
        "verify",
        "restart",
        "mitre att",
        "ascii text",
        "pattern match",
        "ck matrix",
        "tls handshake",
        "hybrid",
        "general",
        "local",
        "path",
        "click",
        "ck techniques",
        "access att",
        "div div",
        "a li",
        "ul div",
        "record value",
        "emails",
        "accept",
        "referen https",
        "microsoft-falcon.net",
        "proxy",
        "status",
        "certificate",
        "updated date",
        "whois server",
        "zipcode",
        "entries http",
        "scans show",
        "search",
        "matches x",
        "type",
        "gmt cache",
        "all ipv4",
        "america flag",
        "america asn",
        "sameorigin",
        "urls show",
        "date checked",
        "url hostname",
        "server response",
        "google safe",
        "results jan",
        "ipv4 add",
        "win32mydoom jan",
        "trojan",
        "worm",
        "expiration date",
        "files show",
        "date hash",
        "avast avg",
        "win32mydoom",
        "backdoor",
        "found",
        "gmt connection",
        "control",
        "content type",
        "twitter",
        "dynamicloader",
        "medium",
        "high",
        "msie",
        "wow64",
        "slcc2",
        "media center",
        "write",
        "global",
        "domain name",
        "hostname",
        "apple",
        "racebook",
        "mouse movement",
        "remote mouse",
        "domain",
        "hostname add",
        "url analysis",
        "crlf line",
        "ff d5",
        "unicode text",
        "utf8",
        "ee fc",
        "yara rule",
        "f0 ff",
        "ff bb",
        "music",
        "push",
        "autorun",
        "unknown",
        "present sep",
        "present may",
        "present jan",
        "present aug",
        "cname",
        "present nov",
        "present jun",
        "apache",
        "body",
        "pragma",
        "found registry",
        "able",
        "model",
        "indicator",
        "source",
        "show technique",
        "file",
        "internet",
        "errore",
        "erreur",
        "download",
        "service",
        "crypto",
        "compiler",
        "installer",
        "yang",
        "updater",
        "shutdown",
        "thunk",
        "este",
        "install",
        "reboot",
        "code",
        "downloader",
        "sigur",
        "kanna",
        "der zugriff",
        "google",
        "chrome",
        "Pahamify Pegasus",
        "christoper p. ahmann",
        "law enforcement",
        "retaliation",
        "phone",
        "espionage",
        "united states",
        "m brian sabey",
        "quasi government",
        "target",
        "monitored targeting",
        "aig",
        "therahand (old name)",
        "target: tsara brashears",
        "douglas county, co",
        "sheriff",
        "industry and commerce",
        "worker\u2019s compensation",
        "crime",
        "financial crime",
        "danger",
        "nem tih",
        "amazon",
        "aws",
        "amazon aws",
        "deal",
        "deal with it lawfully",
        "pay victim",
        "protecting reimer"
      ],
      "references": [
        "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com",
        "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
        "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur",
        "Pahamify Pegasus",
        "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)",
        "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android",
        "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4",
        "tv.apple.com",
        "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net",
        "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 ,  Trojan:Win32/Pariham.A",
        "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)",
        "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)",
        "IDS: TLS Handshake Failure",
        "Yara Detections BackdoorWin32Simda",
        "Google_Chrome_64bit_v136.0.7103.49.exe",
        "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7",
        "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
        "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
        "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com",
        "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022",
        "https://wallpapers-nature.com/tsara-brashears/urlscan-io"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/Pariham.A",
          "display_name": "Trojan:Win32/Pariham.A",
          "target": "/malware/Trojan:Win32/Pariham.A"
        },
        {
          "id": "MyDoom",
          "display_name": "MyDoom",
          "target": null
        },
        {
          "id": "Virus:Win95/Cerebrus",
          "display_name": "Virus:Win95/Cerebrus",
          "target": "/malware/Virus:Win95/Cerebrus"
        },
        {
          "id": "AutoRunIt",
          "display_name": "AutoRunIt",
          "target": null
        },
        {
          "id": "Sigur",
          "display_name": "Sigur",
          "target": null
        },
        {
          "id": "Kanna",
          "display_name": "Kanna",
          "target": null
        },
        {
          "id": "Der Zugriff",
          "display_name": "Der Zugriff",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1568.002",
          "name": "Domain Generation Algorithms",
          "display_name": "T1568.002 - Domain Generation Algorithms"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1063",
          "name": "Security Software Discovery",
          "display_name": "T1063 - Security Software Discovery"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1589",
          "name": "Gather Victim Identity Information",
          "display_name": "T1589 - Gather Victim Identity Information"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1591",
          "name": "Gather Victim Org Information",
          "display_name": "T1591 - Gather Victim Org Information"
        },
        {
          "id": "T1592",
          "name": "Gather Victim Host Information",
          "display_name": "T1592 - Gather Victim Host Information"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1036.004",
          "name": "Masquerade Task or Service",
          "display_name": "T1036.004 - Masquerade Task or Service"
        },
        {
          "id": "T1444",
          "name": "Masquerade as Legitimate Application",
          "display_name": "T1444 - Masquerade as Legitimate Application"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1410",
          "name": "Network Traffic Capture or Redirection",
          "display_name": "T1410 - Network Traffic Capture or Redirection"
        },
        {
          "id": "T1598",
          "name": "Phishing for Information",
          "display_name": "T1598 - Phishing for Information"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1007",
          "name": "System Service Discovery",
          "display_name": "T1007 - System Service Discovery"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1029",
          "name": "Scheduled Transfer",
          "display_name": "T1029 - Scheduled Transfer"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1074",
          "name": "Data Staged",
          "display_name": "T1074 - Data Staged"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1124",
          "name": "System Time Discovery",
          "display_name": "T1124 - System Time Discovery"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1213",
          "name": "Data from Information Repositories",
          "display_name": "T1213 - Data from Information Repositories"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1489",
          "name": "Service Stop",
          "display_name": "T1489 - Service Stop"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1529",
          "name": "System Shutdown/Reboot",
          "display_name": "T1529 - System Shutdown/Reboot"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1559",
          "name": "Inter-Process Communication",
          "display_name": "T1559 - Inter-Process Communication"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1570",
          "name": "Lateral Tool Transfer",
          "display_name": "T1570 - Lateral Tool Transfer"
        },
        {
          "id": "T1614",
          "name": "System Location Discovery",
          "display_name": "T1614 - System Location Discovery"
        },
        {
          "id": "T1569.002",
          "name": "Service Execution",
          "display_name": "T1569.002 - Service Execution"
        },
        {
          "id": "T1543.003",
          "name": "Windows Service",
          "display_name": "T1543.003 - Windows Service"
        },
        {
          "id": "T1546.015",
          "name": "Component Object Model Hijacking",
          "display_name": "T1546.015 - Component Object Model Hijacking"
        },
        {
          "id": "T1055.003",
          "name": "Thread Execution Hijacking",
          "display_name": "T1055.003 - Thread Execution Hijacking"
        },
        {
          "id": "T1134.001",
          "name": "Token Impersonation/Theft",
          "display_name": "T1134.001 - Token Impersonation/Theft"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1134.002",
          "name": "Create Process with Token",
          "display_name": "T1134.002 - Create Process with Token"
        },
        {
          "id": "T1070.006",
          "name": "Timestomp",
          "display_name": "T1070.006 - Timestomp"
        },
        {
          "id": "T1564.003",
          "name": "Hidden Window",
          "display_name": "T1564.003 - Hidden Window"
        },
        {
          "id": "T1497.003",
          "name": "Time Based Evasion",
          "display_name": "T1497.003 - Time Based Evasion"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1497.002",
          "name": "User Activity Based Checks",
          "display_name": "T1497.002 - User Activity Based Checks"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1027.005",
          "name": "Indicator Removal from Tools",
          "display_name": "T1027.005 - Indicator Removal from Tools"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1074.001",
          "name": "Local Data Staging",
          "display_name": "T1074.001 - Local Data Staging"
        },
        {
          "id": "T1560.002",
          "name": "Archive via Library",
          "display_name": "T1560.002 - Archive via Library"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        }
      ],
      "industries": [
        "Civil Society",
        "Legal",
        "Government",
        "Technology",
        "Telecommunications",
        "Financial"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 6094,
        "domain": 1195,
        "hostname": 2001,
        "FileHash-SHA256": 2598,
        "FileHash-MD5": 546,
        "FileHash-SHA1": 403,
        "email": 16,
        "CVE": 2,
        "SSLCertFingerprint": 3
      },
      "indicator_count": 12858,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "69 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68e2bb5d9ee8577ab5519f2c",
      "name": "Meritshealth with DoD links? ",
      "description": "",
      "modified": "2026-01-13T00:05:56.401000",
      "created": "2025-10-05T18:39:25.286000",
      "tags": [
        "gtmk5nxqc6",
        "utc amazon",
        "utc na",
        "acceptencoding",
        "gmt contenttype",
        "connection",
        "true pragma",
        "gmt setcookie",
        "httponly",
        "gmt vary",
        "nc000000 up",
        "html document",
        "unicode text",
        "utf8 text",
        "oc0006 http",
        "http traffic",
        "https http",
        "mitre att",
        "control ta0011",
        "protocol t1071",
        "match info",
        "t1573 severity",
        "info",
        "number",
        "ja3s",
        "algorithm",
        "azure rsa",
        "tls issuing",
        "cus subject",
        "stwa lredmond",
        "cnmicrosoft ecc",
        "update secure",
        "server ca",
        "omicrosoft cus",
        "get http",
        "dns resolutions",
        "registrar",
        "markmonitor inc",
        "country",
        "resolver domain",
        "type name",
        "html",
        "apnic",
        "apnic whois",
        "please",
        "rirs",
        "cidr",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "development att",
        "name tactics",
        "binary file",
        "ck matrix",
        "wheelchair",
        "iamrobert",
        "pattern match",
        "ascii text",
        "href",
        "united",
        "general",
        "local",
        "path",
        "encrypt",
        "click",
        "passive dns",
        "urls",
        "files",
        "reverse dns",
        "netherlands",
        "present aug",
        "a domains",
        "moved",
        "first pqc",
        "ip address",
        "unknown ns",
        "unknown aaaa",
        "title",
        "body",
        "meta",
        "window",
        "accept",
        "body doctype",
        "welcome",
        "ok server",
        "gmt content",
        "present jul",
        "present sep",
        "aaaa",
        "hostname",
        "error",
        "defense evasion",
        "windows nt",
        "response",
        "vary",
        "strings",
        "core",
        "t1027.013 encrypted/encoded",
        "michelin lazy k",
        "prefetch8",
        "flag",
        "date",
        "starfield",
        "hybrid",
        "mobility cr",
        "extraction",
        "data upload",
        "include",
        "o url",
        "url url",
        "included i0",
        "review ioc",
        "excluded ic",
        "suggested",
        "find sugi",
        "failed",
        "cre pul",
        "enter",
        "enter sc",
        "type",
        "enric",
        "extra",
        "type opaste",
        "data u",
        "included",
        "copy md5",
        "copy sha1",
        "copy sha256",
        "null",
        "refresh",
        "tools",
        "look",
        "verify",
        "restart",
        "t1480 execution",
        "expiration",
        "url https",
        "no expiration",
        "iocs",
        "ipv4",
        "text drag",
        "drop or",
        "browse to",
        "select file",
        "redacted for",
        "server",
        "privacy tech",
        "privacy admin",
        "postal code",
        "stateprovince",
        "organization",
        "email",
        "code",
        "quantum rooms",
        "sam somalia",
        "emp",
        "porn",
        "media defense",
        "gov porn",
        "suck my nips",
        "reimer suspect",
        "jeffrey reimer",
        "dod",
        "department of defense",
        "show",
        "date checked",
        "url hostname",
        "server response",
        "google safe",
        "results may",
        "entries http",
        "scans record",
        "value status",
        "sabey type",
        "merits fake",
        "y.a.s.",
        "pornography",
        "ramsom"
      ],
      "references": [
        "https://www.meritshealth.com/ Defense.Gov Mobility Co?  <https://iamwithrobert.com/>",
        "zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
        "https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
        "https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
        "https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
        "https://pornokind.vgt.pl \u2022  https://cdn2.video.itsyourporn.com",
        "https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
        "https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
        "https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
        "https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
        "https://www2.itsyourporn.com/license.php \u2022  https://www.lovephoto.tw/members",
        "https://members.engine.com/login \u2022  https://members.engine.com/payment-details/220210",
        "https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
        "https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
        "https://maisexo-com.putaria.info/casting \u2022  https://contosadultos-club.sexogratis.page/tudo",
        "https://meumundogay-com.sexogratis.page/locker",
        "https://es.pornhat.com/models/the-sex-creator/",
        "Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
        "Can the DoD no questions asked target a SA victim",
        "Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
        "There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
        "socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
        "There is fear in silence or speaking out",
        "Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
        "3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
        "If someone is believed to be a threat they have right to due process.",
        "Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
        "She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
        "Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
        "Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
        "ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
        "iamrobert.com Y.A.S.",
        "1.2016 M.Brian Sabey filed a complaint about?  Jeffrey Reimer refused Lie detector test and False memory exam",
        "Target agreed and complied with all lie detector measures.",
        "Is the family allowed to have a funeral for Tsara or print an obituary",
        "No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
        "I am very upset. Whoever is doing this is sick."
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "APNIC",
          "display_name": "APNIC",
          "target": null
        },
        {
          "id": "Malware",
          "display_name": "Malware",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "TA0042",
          "name": "Resource Development",
          "display_name": "TA0042 - Resource Development"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1528",
          "name": "Steal Application Access Token",
          "display_name": "T1528 - Steal Application Access Token"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1591",
          "name": "Gather Victim Org Information",
          "display_name": "T1591 - Gather Victim Org Information"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1457",
          "name": "Malicious Media Content",
          "display_name": "T1457 - Malicious Media Content"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1562.004",
          "name": "Disable or Modify System Firewall",
          "display_name": "T1562.004 - Disable or Modify System Firewall"
        },
        {
          "id": "T1089",
          "name": "Disabling Security Tools",
          "display_name": "T1089 - Disabling Security Tools"
        },
        {
          "id": "T1562.008",
          "name": "Disable Cloud Logs",
          "display_name": "T1562.008 - Disable Cloud Logs"
        },
        {
          "id": "T1125",
          "name": "Video Capture",
          "display_name": "T1125 - Video Capture"
        },
        {
          "id": "T1056.003",
          "name": "Web Portal Capture",
          "display_name": "T1056.003 - Web Portal Capture"
        },
        {
          "id": "T1512",
          "name": "Capture Camera",
          "display_name": "T1512 - Capture Camera"
        },
        {
          "id": "T1180",
          "name": "Screensaver",
          "display_name": "T1180 - Screensaver"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "68e2b14d83bb63502feac65e",
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1365,
        "URL": 11172,
        "hostname": 2780,
        "FileHash-MD5": 381,
        "FileHash-SHA256": 4420,
        "FileHash-SHA1": 338,
        "CIDR": 4,
        "SSLCertFingerprint": 24,
        "CVE": 1,
        "email": 1
      },
      "indicator_count": 20486,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "97 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68e2b14d83bb63502feac65e",
      "name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
      "description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech  needed. Later denies ever being a mobility technician. They killed  a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
      "modified": "2026-01-07T00:00:30.717000",
      "created": "2025-10-05T17:56:29.109000",
      "tags": [
        "gtmk5nxqc6",
        "utc amazon",
        "utc na",
        "acceptencoding",
        "gmt contenttype",
        "connection",
        "true pragma",
        "gmt setcookie",
        "httponly",
        "gmt vary",
        "nc000000 up",
        "html document",
        "unicode text",
        "utf8 text",
        "oc0006 http",
        "http traffic",
        "https http",
        "mitre att",
        "control ta0011",
        "protocol t1071",
        "match info",
        "t1573 severity",
        "info",
        "number",
        "ja3s",
        "algorithm",
        "azure rsa",
        "tls issuing",
        "cus subject",
        "stwa lredmond",
        "cnmicrosoft ecc",
        "update secure",
        "server ca",
        "omicrosoft cus",
        "get http",
        "dns resolutions",
        "registrar",
        "markmonitor inc",
        "country",
        "resolver domain",
        "type name",
        "html",
        "apnic",
        "apnic whois",
        "please",
        "rirs",
        "cidr",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "development att",
        "name tactics",
        "binary file",
        "ck matrix",
        "wheelchair",
        "iamrobert",
        "pattern match",
        "ascii text",
        "href",
        "united",
        "general",
        "local",
        "path",
        "encrypt",
        "click",
        "passive dns",
        "urls",
        "files",
        "reverse dns",
        "netherlands",
        "present aug",
        "a domains",
        "moved",
        "first pqc",
        "ip address",
        "unknown ns",
        "unknown aaaa",
        "title",
        "body",
        "meta",
        "window",
        "accept",
        "body doctype",
        "welcome",
        "ok server",
        "gmt content",
        "present jul",
        "present sep",
        "aaaa",
        "hostname",
        "error",
        "defense evasion",
        "windows nt",
        "response",
        "vary",
        "strings",
        "core",
        "t1027.013 encrypted/encoded",
        "michelin lazy k",
        "prefetch8",
        "flag",
        "date",
        "starfield",
        "hybrid",
        "mobility cr",
        "extraction",
        "data upload",
        "include",
        "o url",
        "url url",
        "included i0",
        "review ioc",
        "excluded ic",
        "suggested",
        "find sugi",
        "failed",
        "cre pul",
        "enter",
        "enter sc",
        "type",
        "enric",
        "extra",
        "type opaste",
        "data u",
        "included",
        "copy md5",
        "copy sha1",
        "copy sha256",
        "null",
        "refresh",
        "tools",
        "look",
        "verify",
        "restart",
        "t1480 execution",
        "expiration",
        "url https",
        "no expiration",
        "iocs",
        "ipv4",
        "text drag",
        "drop or",
        "browse to",
        "select file",
        "redacted for",
        "server",
        "privacy tech",
        "privacy admin",
        "postal code",
        "stateprovince",
        "organization",
        "email",
        "code",
        "quantum rooms",
        "sam somalia",
        "emp",
        "porn",
        "media defense",
        "gov porn",
        "suck my nips",
        "reimer suspect",
        "jeffrey reimer",
        "dod",
        "department of defense",
        "show",
        "date checked",
        "url hostname",
        "server response",
        "google safe",
        "results may",
        "entries http",
        "scans record",
        "value status",
        "sabey type",
        "merits fake",
        "y.a.s.",
        "pornography",
        "ramsom"
      ],
      "references": [
        "https://www.meritshealth.com/ Defense.Gov Mobility Co?  <https://iamwithrobert.com/>",
        "zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
        "https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
        "https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
        "https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
        "https://pornokind.vgt.pl \u2022  https://cdn2.video.itsyourporn.com",
        "https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
        "https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
        "https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
        "https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
        "https://www2.itsyourporn.com/license.php \u2022  https://www.lovephoto.tw/members",
        "https://members.engine.com/login \u2022  https://members.engine.com/payment-details/220210",
        "https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
        "https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
        "https://maisexo-com.putaria.info/casting \u2022  https://contosadultos-club.sexogratis.page/tudo",
        "https://meumundogay-com.sexogratis.page/locker",
        "https://es.pornhat.com/models/the-sex-creator/",
        "Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
        "Can the DoD no questions asked target a SA victim",
        "Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
        "There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
        "socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
        "There is fear in silence or speaking out",
        "Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
        "3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
        "If someone is believed to be a threat they have right to due process.",
        "Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
        "She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
        "Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
        "Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
        "ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
        "iamrobert.com Y.A.S.",
        "1.2016 M.Brian Sabey filed a complaint about?  Jeffrey Reimer refused Lie detector test and False memory exam",
        "Target agreed and complied with all lie detector measures.",
        "Is the family allowed to have a funeral for Tsara or print an obituary",
        "No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
        "I am very upset. Whoever is doing this is sick."
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "APNIC",
          "display_name": "APNIC",
          "target": null
        },
        {
          "id": "Malware",
          "display_name": "Malware",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "TA0042",
          "name": "Resource Development",
          "display_name": "TA0042 - Resource Development"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1528",
          "name": "Steal Application Access Token",
          "display_name": "T1528 - Steal Application Access Token"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1591",
          "name": "Gather Victim Org Information",
          "display_name": "T1591 - Gather Victim Org Information"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1457",
          "name": "Malicious Media Content",
          "display_name": "T1457 - Malicious Media Content"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1562.004",
          "name": "Disable or Modify System Firewall",
          "display_name": "T1562.004 - Disable or Modify System Firewall"
        },
        {
          "id": "T1089",
          "name": "Disabling Security Tools",
          "display_name": "T1089 - Disabling Security Tools"
        },
        {
          "id": "T1562.008",
          "name": "Disable Cloud Logs",
          "display_name": "T1562.008 - Disable Cloud Logs"
        },
        {
          "id": "T1125",
          "name": "Video Capture",
          "display_name": "T1125 - Video Capture"
        },
        {
          "id": "T1056.003",
          "name": "Web Portal Capture",
          "display_name": "T1056.003 - Web Portal Capture"
        },
        {
          "id": "T1512",
          "name": "Capture Camera",
          "display_name": "T1512 - Capture Camera"
        },
        {
          "id": "T1180",
          "name": "Screensaver",
          "display_name": "T1180 - Screensaver"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1328,
        "URL": 9931,
        "hostname": 2621,
        "FileHash-MD5": 381,
        "FileHash-SHA256": 4360,
        "FileHash-SHA1": 338,
        "CIDR": 4,
        "SSLCertFingerprint": 24,
        "CVE": 1,
        "email": 1
      },
      "indicator_count": 18989,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "103 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "692cb6dc24da17618e3d9da6",
      "name": "Mirai Botnet | HackTool Powershell targets LinkedIn User | 192.168.1.1 \u2022  Remote Inbound Outbound Connection",
      "description": "Linux Malware - LinkedIn- True  Mirai Botnet  (192.168.1.1) (Never Connect) Incredibly powerful attack targeting LinkedIn users. In this instance the target is an ex husband of a target. |\nNDO Group relationships seen. This is a Botnet. \n\nMay be \u2018framing\u2019 attack that was launched in 2014. Attackers sent a clear message to target that she + husband would be arrested and charged with possession of 1000\u2019s of \u2018child pornography\u2019  pictures. \n\nAttack 10/10 malicious. Worked from separate system in separate location. Hackers unlocked a device,  zero clicks, removed PSW. Tulach malware seen a profile \u2018Michael Robert\u2019s of Rexxfield\u2019 may be  entity (NSA) with a face like Tulach. Uses the most WILD compromises. Government contractors? \n\nSame attackers  brought down Prudentials \u2018Assurance\u2019 Medicare system forever.\n  ESET hackers only allowing \u2018bad traffic\u2019 .",
      "modified": "2025-12-30T19:04:40.430000",
      "created": "2025-11-30T21:27:56.239000",
      "tags": [
        "enter",
        "extract",
        "enter source",
        "urls",
        "address",
        "remote connect",
        "private ip",
        "sql",
        "inject",
        "montserrat",
        "script urls",
        "germany unknown",
        "xml title",
        "wiesinger",
        "style",
        "ip address",
        "script domains",
        "body doctype",
        "encrypt",
        "botnet",
        "dropper",
        "unix",
        "resolverror",
        "et exploit",
        "outbound",
        "mirai variant",
        "useragent",
        "inbound",
        "et trojan",
        "et webserver",
        "scan mirai",
        "hello",
        "execution",
        "mirai",
        "malware",
        "shell",
        "nids",
        "ids detections",
        "wget command",
        "http headers",
        "dlink devices",
        "home network",
        "mvpower dvr",
        "shell uce",
        "mirai elf",
        "linux malware",
        "is__elf",
        "cnc",
        "meta http",
        "content",
        "gmt server",
        "files",
        "reverse dns",
        "germany",
        "ismaning",
        "germany asn",
        "as5539 spacenet",
        "germany https",
        "auto generated security (?)",
        "redacted for",
        "name servers",
        "aaaa",
        "search",
        "for privacy",
        "title",
        "intel",
        "ms windows",
        "pe32",
        "process32nextw",
        "write c",
        "mssql port",
        "hash",
        "beapy",
        "bit32bit",
        "agent",
        "write",
        "hacktool",
        "win32",
        "next",
        "suspicious user",
        "pybeapy cnc",
        "checkin",
        "w32beapy cnc",
        "beacon",
        "module load",
        "external ip",
        "lookup",
        "home assistant",
        "intptr",
        "uint32",
        "type",
        "parameter",
        "oldprotectflag",
        "mandatory",
        "throw",
        "position",
        "lkshkdandl",
        "success",
        "info",
        "powershell",
        "null",
        "error",
        "date hash",
        "next yara",
        "detections name",
        "medium",
        "graph tree",
        "sample",
        "sample hash",
        "exec bypass",
        "c ipconfig",
        "world",
        "jaws webserver",
        "chmod usage",
        "strings",
        "extraction",
        "data upload",
        "extre",
        "include data",
        "hos hos",
        "y se",
        "sugges",
        "find s",
        "typ hos",
        "hos data",
        "hos hostname",
        "hos host",
        "extr data",
        "tethering",
        "tulach",
        "114.114.114.114",
        "passive dns",
        "pulse pulses",
        "http",
        "related nids",
        "files location",
        "united",
        "flag united",
        "files domain",
        "next associated",
        "ipv4 add",
        "delphi",
        "read c",
        "packing t1045",
        "t1045",
        "worm",
        "code",
        "june",
        "irc nick command",
        "irc",
        "meta",
        "status",
        "record value",
        "unknown aaaa",
        "expiration",
        "url http",
        "indicator role",
        "pulses url",
        "no expiration",
        "url https",
        "url url",
        "o url",
        "request review",
        "hosting",
        "unknown",
        "medium security",
        "extra data",
        "failed",
        "linkedin",
        "url add",
        "ireland flag",
        "ireland",
        "dublin",
        "ireland asn",
        "as16509",
        "spyware",
        "nso",
        "nso group",
        "pegasus related",
        "nso related",
        "framing",
        "porn",
        "python",
        "flag",
        "windir",
        "openurl c",
        "prefetch2",
        "analysis",
        "tor analysis",
        "dns requests",
        "domain address",
        "contacted hosts",
        "apple",
        "192.168.1.1",
        "law",
        "attorney"
      ],
      "references": [
        "192.168.1.1  - WOW! Use your old equipment in a non - residential environment",
        "http://xn.com/ \u2022 www.xn--linkedinxn-6u6e.com \u2022 http://www.linkedin-xn.com/ \u2022 www.linkedin-xn.com",
        "Powerful Exploit: https://otx.alienvault.com/indicator/file/ba32802bdd1f0b91cf8c667b94426d73ee654ba0",
        "Mirai Botnet - *Inbound & Outbound connection",
        "IDS Detections:  *WGET Command Specifying Output in HTTP Headers",
        "IDS Detections:  *D-Link Devices Home Network Administration Protocol Command Execution",
        "IDS Detections: *JAWS Webserver Unauthenticated Shell Command Execution",
        "IDS Detections: *MVPower DVR Shell UCE *Mirai Variant User-Agent (Outbound)",
        "Yara :  Yara Detections : SUSP_XORed_Mozilla ,  Linux_MiningSoftware ,  is__elf",
        "Alerts :  dead_host nids_exploit_alert nids_malware_alert persistency_initd network_icmp",
        "Alerts : tcp_syn_scan nolookup_communication network_cnc_http network_http",
        "Alerts :  network_http_post nids_alert chmod_syscall writes_to_stdout",
        "Other Mitre ATT&CK T1480 T1553.00  T1027.013  T1057  T1069.002 T1071\tT1071.004",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "https://www.pornhub.com/video/search?search=tsara+brashears",
        "http://www.anyxxxtube.net/search-porn/tsara-brashears",
        "http://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "pornokind.vgt.pl \u2022 https://pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl/",
        "pornlynx.com \u2022 www.pornhub.com \u2022 www.anyxxxtube.com",
        "https://frostty12ice.info/ \u2022 https://lawhubh.info",
        "Needs researching: http://lib.jerusalem.muni.il.il \u2022 https://lib.jerusalem.muni.il.il"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Unix.Dropper.Botnet-6566040-0",
          "display_name": "Unix.Dropper.Botnet-6566040-0",
          "target": null
        },
        {
          "id": "NIDS",
          "display_name": "NIDS",
          "target": null
        },
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "Montserrat",
          "display_name": "Montserrat",
          "target": null
        },
        {
          "id": "Beapy",
          "display_name": "Beapy",
          "target": null
        },
        {
          "id": "HackTool:Win32/PowerSploit!rfn",
          "display_name": "HackTool:Win32/PowerSploit!rfn",
          "target": "/malware/HackTool:Win32/PowerSploit!rfn"
        },
        {
          "id": "Tulach",
          "display_name": "Tulach",
          "target": null
        },
        {
          "id": "Worm:Win32/Mydoom.PB!MTB",
          "display_name": "Worm:Win32/Mydoom.PB!MTB",
          "target": "/malware/Worm:Win32/Mydoom.PB!MTB"
        }
      ],
      "attack_ids": [
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1584.005",
          "name": "Botnet",
          "display_name": "T1584.005 - Botnet"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "TA0036",
          "name": "Exfiltration",
          "display_name": "TA0036 - Exfiltration"
        },
        {
          "id": "TA0039",
          "name": "Remote Service Effects",
          "display_name": "TA0039 - Remote Service Effects"
        },
        {
          "id": "TA0037",
          "name": "Command and Control",
          "display_name": "TA0037 - Command and Control"
        },
        {
          "id": "TA0040",
          "name": "Impact",
          "display_name": "TA0040 - Impact"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1016.001",
          "name": "Internet Connection Discovery",
          "display_name": "T1016.001 - Internet Connection Discovery"
        },
        {
          "id": "T1583.004",
          "name": "Server",
          "display_name": "T1583.004 - Server"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1098",
          "name": "Account Manipulation",
          "display_name": "T1098 - Account Manipulation"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553.001",
          "name": "Gatekeeper Bypass",
          "display_name": "T1553.001 - Gatekeeper Bypass"
        },
        {
          "id": "T1027.005",
          "name": "Indicator Removal from Tools",
          "display_name": "T1027.005 - Indicator Removal from Tools"
        },
        {
          "id": "T1027.002",
          "name": "Software Packing",
          "display_name": "T1027.002 - Software Packing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1585.001",
          "name": "Social Media Accounts",
          "display_name": "T1585.001 - Social Media Accounts"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1609",
          "name": "Container Administration Command",
          "display_name": "T1609 - Container Administration Command"
        },
        {
          "id": "T1147",
          "name": "Hidden Users",
          "display_name": "T1147 - Hidden Users"
        },
        {
          "id": "T1059.006",
          "name": "Python",
          "display_name": "T1059.006 - Python"
        }
      ],
      "industries": [
        "Government",
        "Legal",
        "Healthcare",
        "Insurance",
        "Civil Society"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4147,
        "domain": 871,
        "hostname": 2194,
        "FileHash-MD5": 279,
        "FileHash-SHA1": 257,
        "FileHash-SHA256": 2183,
        "CVE": 6,
        "email": 3,
        "SSLCertFingerprint": 1
      },
      "indicator_count": 9941,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "110 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66015551faca20cb510f9121",
      "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ",
      "description": "",
      "modified": "2024-04-23T11:04:58.191000",
      "created": "2024-03-25T10:43:29.149000",
      "tags": [
        "referrer",
        "communicating",
        "contacted",
        "siblings domain",
        "parent domain",
        "subdomains",
        "execution",
        "bundled",
        "threat",
        "paste",
        "iocs",
        "e4609l",
        "urls http",
        "blacklist http",
        "cisco umbrella",
        "heur",
        "site",
        "html",
        "million",
        "team",
        "alexa top",
        "script",
        "malicious url",
        "outbreak",
        "downer",
        "shell",
        "mediamagnet",
        "swrort",
        "unruy",
        "iobit",
        "dropper",
        "trojanx",
        "installcore",
        "riskware",
        "unsafe",
        "webshell",
        "exploit",
        "crack",
        "malware",
        "phishing",
        "union",
        "bank",
        "generic malware",
        "ip summary",
        "url summary",
        "summary",
        "detection list",
        "blacklist",
        "site top",
        "malware site",
        "site safe",
        "deepscan",
        "genpack",
        "zbot",
        "united",
        "proxy",
        "firehol mail",
        "spammer",
        "anonymizer",
        "team proxy",
        "firehol",
        "noname057",
        "alexa safe",
        "maltiverse safe",
        "windows nt",
        "win64",
        "khtml",
        "gecko",
        "veryhigh",
        "orgabusehandle",
        "route",
        "appli22",
        "address",
        "orgtechhandle",
        "appliedi abuse",
        "orgnochandle",
        "peter heather",
        "appliedi",
        "general info",
        "geo united",
        "as14519",
        "us note",
        "registrar arin",
        "ptr record",
        "command decode",
        "mitre att",
        "ck id",
        "show technique",
        "ck matrix",
        "traffic et",
        "policy windows",
        "update p2p",
        "activity",
        "date",
        "hybrid",
        "general",
        "click",
        "strings",
        "contact",
        "contacted urls",
        "cert valid",
        "malicious",
        "phone",
        "text",
        "microsoft",
        "uk telco",
        "js tel",
        "metro",
        "redacted for",
        "record value",
        "emails abuse",
        "name redacted",
        "for privacy",
        "name servers",
        "privacy address",
        "privacy city",
        "privacy country",
        "resolutions",
        "a domains",
        "canada unknown",
        "div div",
        "format a",
        "a ul",
        "models a",
        "gmt path",
        "search",
        "unknown",
        "passive dns",
        "title",
        "all scoreblue",
        "ipv4",
        "url analysis",
        "body",
        "next",
        "port",
        "destination",
        "forbidden",
        "high",
        "tcp syn",
        "telnet root",
        "suspicious path",
        "busybox",
        "bad login",
        "telnet login",
        "copy",
        "mirai",
        "domain",
        "hostname",
        "script script",
        "link",
        "app themesskin",
        "status",
        "content type",
        "lakeside tool",
        "meta",
        "find",
        "tools",
        "cookie",
        "front",
        "li ul",
        "mower shop",
        "creation date",
        "showing",
        "pragma",
        "this",
        "span",
        "open ports",
        "body doctype",
        "privacy admin",
        "privacy tech",
        "server",
        "country",
        "organization",
        "postal code",
        "stateprovince",
        "code",
        "script urls",
        "aaaa",
        "as8068",
        "cname",
        "as20446",
        "encrypt",
        "falcon",
        "name verdict",
        "abuse",
        "as55081",
        "dnssec",
        "dynamicloader",
        "alerts",
        "pulses",
        "java",
        "windows",
        "guard",
        "medium",
        "dynamic",
        "servers",
        "certificate",
        "as54113",
        "trojan",
        "neue",
        "trojanspy",
        "alexa",
        "team google",
        "maltiverse top",
        "ccleaner",
        "xrat",
        "downldr",
        "tsara brashears",
        "entries",
        "transactional"
      ],
      "references": [
        "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US",
        "HOSTEDBYAPPLIEDI.NET - Enom",
        "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States",
        "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
        "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
        "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
        "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
        "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e",
        "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664",
        "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7",
        "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
        "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c",
        "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598",
        "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below",
        "Yara Detections: is__elf ,  ELFHighEntropy ,  elf_empty_sections",
        "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed",
        "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
        "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)",
        "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e",
        "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida",
        "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
        "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |",
        "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
        "nr-data.net [Apple Private Data Collection]",
        "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a",
        "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT",
        "smartertrack.appliedi.net, http://analytics.com/track?id=55",
        "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf",
        "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "ELF:Mirai-GH\\ [Trj]",
          "display_name": "ELF:Mirai-GH\\ [Trj]",
          "target": null
        },
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "Unix.Trojan.DarkNexus-7679166-0",
          "display_name": "Unix.Trojan.DarkNexus-7679166-0",
          "target": null
        },
        {
          "id": "Ransom",
          "display_name": "Ransom",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1504",
          "name": "PowerShell Profile",
          "display_name": "T1504 - PowerShell Profile"
        },
        {
          "id": "T1503",
          "name": "Credentials from Web Browsers",
          "display_name": "T1503 - Credentials from Web Browsers"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "660021cdfd20f6237e3892c0",
      "export_count": 37,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2979,
        "FileHash-SHA1": 406,
        "FileHash-SHA256": 2293,
        "URL": 1804,
        "domain": 814,
        "hostname": 1025,
        "email": 9,
        "CVE": 12,
        "CIDR": 2
      },
      "indicator_count": 9344,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 219,
      "modified_text": "727 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6603369ad0e38e313883c4fa",
      "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root HELP! RETALIATION HAS OCCURRED ",
      "description": "",
      "modified": "2024-04-23T11:04:58.191000",
      "created": "2024-03-26T20:56:58.037000",
      "tags": [
        "referrer",
        "communicating",
        "contacted",
        "siblings domain",
        "parent domain",
        "subdomains",
        "execution",
        "bundled",
        "threat",
        "paste",
        "iocs",
        "e4609l",
        "urls http",
        "blacklist http",
        "cisco umbrella",
        "heur",
        "site",
        "html",
        "million",
        "team",
        "alexa top",
        "script",
        "malicious url",
        "outbreak",
        "downer",
        "shell",
        "mediamagnet",
        "swrort",
        "unruy",
        "iobit",
        "dropper",
        "trojanx",
        "installcore",
        "riskware",
        "unsafe",
        "webshell",
        "exploit",
        "crack",
        "malware",
        "phishing",
        "union",
        "bank",
        "generic malware",
        "ip summary",
        "url summary",
        "summary",
        "detection list",
        "blacklist",
        "site top",
        "malware site",
        "site safe",
        "deepscan",
        "genpack",
        "zbot",
        "united",
        "proxy",
        "firehol mail",
        "spammer",
        "anonymizer",
        "team proxy",
        "firehol",
        "noname057",
        "alexa safe",
        "maltiverse safe",
        "windows nt",
        "win64",
        "khtml",
        "gecko",
        "veryhigh",
        "orgabusehandle",
        "route",
        "appli22",
        "address",
        "orgtechhandle",
        "appliedi abuse",
        "orgnochandle",
        "peter heather",
        "appliedi",
        "general info",
        "geo united",
        "as14519",
        "us note",
        "registrar arin",
        "ptr record",
        "command decode",
        "mitre att",
        "ck id",
        "show technique",
        "ck matrix",
        "traffic et",
        "policy windows",
        "update p2p",
        "activity",
        "date",
        "hybrid",
        "general",
        "click",
        "strings",
        "contact",
        "contacted urls",
        "cert valid",
        "malicious",
        "phone",
        "text",
        "microsoft",
        "uk telco",
        "js tel",
        "metro",
        "redacted for",
        "record value",
        "emails abuse",
        "name redacted",
        "for privacy",
        "name servers",
        "privacy address",
        "privacy city",
        "privacy country",
        "resolutions",
        "a domains",
        "canada unknown",
        "div div",
        "format a",
        "a ul",
        "models a",
        "gmt path",
        "search",
        "unknown",
        "passive dns",
        "title",
        "all scoreblue",
        "ipv4",
        "url analysis",
        "body",
        "next",
        "port",
        "destination",
        "forbidden",
        "high",
        "tcp syn",
        "telnet root",
        "suspicious path",
        "busybox",
        "bad login",
        "telnet login",
        "copy",
        "mirai",
        "domain",
        "hostname",
        "script script",
        "link",
        "app themesskin",
        "status",
        "content type",
        "lakeside tool",
        "meta",
        "find",
        "tools",
        "cookie",
        "front",
        "li ul",
        "mower shop",
        "creation date",
        "showing",
        "pragma",
        "this",
        "span",
        "open ports",
        "body doctype",
        "privacy admin",
        "privacy tech",
        "server",
        "country",
        "organization",
        "postal code",
        "stateprovince",
        "code",
        "script urls",
        "aaaa",
        "as8068",
        "cname",
        "as20446",
        "encrypt",
        "falcon",
        "name verdict",
        "abuse",
        "as55081",
        "dnssec",
        "dynamicloader",
        "alerts",
        "pulses",
        "java",
        "windows",
        "guard",
        "medium",
        "dynamic",
        "servers",
        "certificate",
        "as54113",
        "trojan",
        "neue",
        "trojanspy",
        "alexa",
        "team google",
        "maltiverse top",
        "ccleaner",
        "xrat",
        "downldr",
        "tsara brashears",
        "entries",
        "transactional"
      ],
      "references": [
        "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US",
        "HOSTEDBYAPPLIEDI.NET - Enom",
        "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States",
        "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
        "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
        "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
        "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
        "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e",
        "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664",
        "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7",
        "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
        "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c",
        "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598",
        "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below",
        "Yara Detections: is__elf ,  ELFHighEntropy ,  elf_empty_sections",
        "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed",
        "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
        "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)",
        "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e",
        "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida",
        "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
        "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |",
        "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
        "nr-data.net [Apple Private Data Collection]",
        "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a",
        "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT",
        "smartertrack.appliedi.net, http://analytics.com/track?id=55",
        "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf",
        "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "ELF:Mirai-GH\\ [Trj]",
          "display_name": "ELF:Mirai-GH\\ [Trj]",
          "target": null
        },
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "Unix.Trojan.DarkNexus-7679166-0",
          "display_name": "Unix.Trojan.DarkNexus-7679166-0",
          "target": null
        },
        {
          "id": "Ransom",
          "display_name": "Ransom",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1504",
          "name": "PowerShell Profile",
          "display_name": "T1504 - PowerShell Profile"
        },
        {
          "id": "T1503",
          "name": "Credentials from Web Browsers",
          "display_name": "T1503 - Credentials from Web Browsers"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "660021cdfd20f6237e3892c0",
      "export_count": 4468,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2979,
        "FileHash-SHA1": 406,
        "FileHash-SHA256": 2293,
        "URL": 1804,
        "domain": 814,
        "hostname": 1025,
        "email": 9,
        "CVE": 12,
        "CIDR": 2
      },
      "indicator_count": 9344,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 225,
      "modified_text": "727 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6603360b48908ae9b9835563",
      "name": "IoT Dark Nexus + Mirai BotNet HELP HER PLEASE!!- Enom | TELNET Root |",
      "description": "",
      "modified": "2024-04-23T11:04:58.191000",
      "created": "2024-03-26T20:54:35.118000",
      "tags": [
        "referrer",
        "communicating",
        "contacted",
        "siblings domain",
        "parent domain",
        "subdomains",
        "execution",
        "bundled",
        "threat",
        "paste",
        "iocs",
        "e4609l",
        "urls http",
        "blacklist http",
        "cisco umbrella",
        "heur",
        "site",
        "html",
        "million",
        "team",
        "alexa top",
        "script",
        "malicious url",
        "outbreak",
        "downer",
        "shell",
        "mediamagnet",
        "swrort",
        "unruy",
        "iobit",
        "dropper",
        "trojanx",
        "installcore",
        "riskware",
        "unsafe",
        "webshell",
        "exploit",
        "crack",
        "malware",
        "phishing",
        "union",
        "bank",
        "generic malware",
        "ip summary",
        "url summary",
        "summary",
        "detection list",
        "blacklist",
        "site top",
        "malware site",
        "site safe",
        "deepscan",
        "genpack",
        "zbot",
        "united",
        "proxy",
        "firehol mail",
        "spammer",
        "anonymizer",
        "team proxy",
        "firehol",
        "noname057",
        "alexa safe",
        "maltiverse safe",
        "windows nt",
        "win64",
        "khtml",
        "gecko",
        "veryhigh",
        "orgabusehandle",
        "route",
        "appli22",
        "address",
        "orgtechhandle",
        "appliedi abuse",
        "orgnochandle",
        "peter heather",
        "appliedi",
        "general info",
        "geo united",
        "as14519",
        "us note",
        "registrar arin",
        "ptr record",
        "command decode",
        "mitre att",
        "ck id",
        "show technique",
        "ck matrix",
        "traffic et",
        "policy windows",
        "update p2p",
        "activity",
        "date",
        "hybrid",
        "general",
        "click",
        "strings",
        "contact",
        "contacted urls",
        "cert valid",
        "malicious",
        "phone",
        "text",
        "microsoft",
        "uk telco",
        "js tel",
        "metro",
        "redacted for",
        "record value",
        "emails abuse",
        "name redacted",
        "for privacy",
        "name servers",
        "privacy address",
        "privacy city",
        "privacy country",
        "resolutions",
        "a domains",
        "canada unknown",
        "div div",
        "format a",
        "a ul",
        "models a",
        "gmt path",
        "search",
        "unknown",
        "passive dns",
        "title",
        "all scoreblue",
        "ipv4",
        "url analysis",
        "body",
        "next",
        "port",
        "destination",
        "forbidden",
        "high",
        "tcp syn",
        "telnet root",
        "suspicious path",
        "busybox",
        "bad login",
        "telnet login",
        "copy",
        "mirai",
        "domain",
        "hostname",
        "script script",
        "link",
        "app themesskin",
        "status",
        "content type",
        "lakeside tool",
        "meta",
        "find",
        "tools",
        "cookie",
        "front",
        "li ul",
        "mower shop",
        "creation date",
        "showing",
        "pragma",
        "this",
        "span",
        "open ports",
        "body doctype",
        "privacy admin",
        "privacy tech",
        "server",
        "country",
        "organization",
        "postal code",
        "stateprovince",
        "code",
        "script urls",
        "aaaa",
        "as8068",
        "cname",
        "as20446",
        "encrypt",
        "falcon",
        "name verdict",
        "abuse",
        "as55081",
        "dnssec",
        "dynamicloader",
        "alerts",
        "pulses",
        "java",
        "windows",
        "guard",
        "medium",
        "dynamic",
        "servers",
        "certificate",
        "as54113",
        "trojan",
        "neue",
        "trojanspy",
        "alexa",
        "team google",
        "maltiverse top",
        "ccleaner",
        "xrat",
        "downldr",
        "tsara brashears",
        "entries",
        "transactional"
      ],
      "references": [
        "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US",
        "HOSTEDBYAPPLIEDI.NET - Enom",
        "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States",
        "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
        "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
        "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
        "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
        "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e",
        "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664",
        "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7",
        "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
        "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c",
        "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598",
        "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below",
        "Yara Detections: is__elf ,  ELFHighEntropy ,  elf_empty_sections",
        "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed",
        "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
        "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)",
        "Dropped Files: #266028 (deleted) empty MD5 d41d8cd98f00b204e9800998ecf8427e",
        "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida",
        "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
        "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |",
        "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
        "nr-data.net [Apple Private Data Collection]",
        "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a",
        "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT",
        "smartertrack.appliedi.net, http://analytics.com/track?id=55",
        "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf",
        "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "ELF:Mirai-GH\\ [Trj]",
          "display_name": "ELF:Mirai-GH\\ [Trj]",
          "target": null
        },
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "Unix.Trojan.DarkNexus-7679166-0",
          "display_name": "Unix.Trojan.DarkNexus-7679166-0",
          "target": null
        },
        {
          "id": "Ransom",
          "display_name": "Ransom",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1504",
          "name": "PowerShell Profile",
          "display_name": "T1504 - PowerShell Profile"
        },
        {
          "id": "T1503",
          "name": "Credentials from Web Browsers",
          "display_name": "T1503 - Credentials from Web Browsers"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "660021cdfd20f6237e3892c0",
      "export_count": 38,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2979,
        "FileHash-SHA1": 406,
        "FileHash-SHA256": 2293,
        "URL": 1804,
        "domain": 814,
        "hostname": 1025,
        "email": 9,
        "CVE": 12,
        "CIDR": 2
      },
      "indicator_count": 9344,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 219,
      "modified_text": "727 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66015553ad4633eb85c66817",
      "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ",
      "description": "",
      "modified": "2024-04-23T11:04:58.191000",
      "created": "2024-03-25T10:43:31.072000",
      "tags": [
        "referrer",
        "communicating",
        "contacted",
        "siblings domain",
        "parent domain",
        "subdomains",
        "execution",
        "bundled",
        "threat",
        "paste",
        "iocs",
        "e4609l",
        "urls http",
        "blacklist http",
        "cisco umbrella",
        "heur",
        "site",
        "html",
        "million",
        "team",
        "alexa top",
        "script",
        "malicious url",
        "outbreak",
        "downer",
        "shell",
        "mediamagnet",
        "swrort",
        "unruy",
        "iobit",
        "dropper",
        "trojanx",
        "installcore",
        "riskware",
        "unsafe",
        "webshell",
        "exploit",
        "crack",
        "malware",
        "phishing",
        "union",
        "bank",
        "generic malware",
        "ip summary",
        "url summary",
        "summary",
        "detection list",
        "blacklist",
        "site top",
        "malware site",
        "site safe",
        "deepscan",
        "genpack",
        "zbot",
        "united",
        "proxy",
        "firehol mail",
        "spammer",
        "anonymizer",
        "team proxy",
        "firehol",
        "noname057",
        "alexa safe",
        "maltiverse safe",
        "windows nt",
        "win64",
        "khtml",
        "gecko",
        "veryhigh",
        "orgabusehandle",
        "route",
        "appli22",
        "address",
        "orgtechhandle",
        "appliedi abuse",
        "orgnochandle",
        "peter heather",
        "appliedi",
        "general info",
        "geo united",
        "as14519",
        "us note",
        "registrar arin",
        "ptr record",
        "command decode",
        "mitre att",
        "ck id",
        "show technique",
        "ck matrix",
        "traffic et",
        "policy windows",
        "update p2p",
        "activity",
        "date",
        "hybrid",
        "general",
        "click",
        "strings",
        "contact",
        "contacted urls",
        "cert valid",
        "malicious",
        "phone",
        "text",
        "microsoft",
        "uk telco",
        "js tel",
        "metro",
        "redacted for",
        "record value",
        "emails abuse",
        "name redacted",
        "for privacy",
        "name servers",
        "privacy address",
        "privacy city",
        "privacy country",
        "resolutions",
        "a domains",
        "canada unknown",
        "div div",
        "format a",
        "a ul",
        "models a",
        "gmt path",
        "search",
        "unknown",
        "passive dns",
        "title",
        "all scoreblue",
        "ipv4",
        "url analysis",
        "body",
        "next",
        "port",
        "destination",
        "forbidden",
        "high",
        "tcp syn",
        "telnet root",
        "suspicious path",
        "busybox",
        "bad login",
        "telnet login",
        "copy",
        "mirai",
        "domain",
        "hostname",
        "script script",
        "link",
        "app themesskin",
        "status",
        "content type",
        "lakeside tool",
        "meta",
        "find",
        "tools",
        "cookie",
        "front",
        "li ul",
        "mower shop",
        "creation date",
        "showing",
        "pragma",
        "this",
        "span",
        "open ports",
        "body doctype",
        "privacy admin",
        "privacy tech",
        "server",
        "country",
        "organization",
        "postal code",
        "stateprovince",
        "code",
        "script urls",
        "aaaa",
        "as8068",
        "cname",
        "as20446",
        "encrypt",
        "falcon",
        "name verdict",
        "abuse",
        "as55081",
        "dnssec",
        "dynamicloader",
        "alerts",
        "pulses",
        "java",
        "windows",
        "guard",
        "medium",
        "dynamic",
        "servers",
        "certificate",
        "as54113",
        "trojan",
        "neue",
        "trojanspy",
        "alexa",
        "team google",
        "maltiverse top",
        "ccleaner",
        "xrat",
        "downldr",
        "tsara brashears",
        "entries",
        "transactional"
      ],
      "references": [
        "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US",
        "HOSTEDBYAPPLIEDI.NET - Enom",
        "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States",
        "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
        "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
        "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
        "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
        "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e",
        "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664",
        "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7",
        "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
        "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c",
        "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598",
        "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below",
        "Yara Detections: is__elf ,  ELFHighEntropy ,  elf_empty_sections",
        "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed",
        "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
        "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)",
        "Dropped Files: #266028 (deleted) empty MD5 d41d8cd98f00b204e9800998ecf8427e",
        "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida",
        "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
        "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |",
        "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
        "nr-data.net [Apple Private Data Collection]",
        "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a",
        "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT",
        "smartertrack.appliedi.net, http://analytics.com/track?id=55",
        "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf",
        "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "ELF:Mirai-GH\\ [Trj]",
          "display_name": "ELF:Mirai-GH\\ [Trj]",
          "target": null
        },
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "Unix.Trojan.DarkNexus-7679166-0",
          "display_name": "Unix.Trojan.DarkNexus-7679166-0",
          "target": null
        },
        {
          "id": "Ransom",
          "display_name": "Ransom",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1504",
          "name": "PowerShell Profile",
          "display_name": "T1504 - PowerShell Profile"
        },
        {
          "id": "T1503",
          "name": "Credentials from Web Browsers",
          "display_name": "T1503 - Credentials from Web Browsers"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "660021cdfd20f6237e3892c0",
      "export_count": 40,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2979,
        "FileHash-SHA1": 406,
        "FileHash-SHA256": 2293,
        "URL": 1804,
        "domain": 814,
        "hostname": 1025,
        "email": 9,
        "CVE": 12,
        "CIDR": 2
      },
      "indicator_count": 9344,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 221,
      "modified_text": "727 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "660021cdfd20f6237e3892c0",
      "name": "IoT Dark Nexus + Mirai BotNet  - Enom | TELNET Root | Modified Browser and Services",
      "description": "Found in the web app of a target's device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along with other devices making commands and requests via app.",
      "modified": "2024-04-23T11:04:58.191000",
      "created": "2024-03-24T12:51:25.910000",
      "tags": [
        "referrer",
        "communicating",
        "contacted",
        "siblings domain",
        "parent domain",
        "subdomains",
        "execution",
        "bundled",
        "threat",
        "paste",
        "iocs",
        "e4609l",
        "urls http",
        "blacklist http",
        "cisco umbrella",
        "heur",
        "site",
        "html",
        "million",
        "team",
        "alexa top",
        "script",
        "malicious url",
        "outbreak",
        "downer",
        "shell",
        "mediamagnet",
        "swrort",
        "unruy",
        "iobit",
        "dropper",
        "trojanx",
        "installcore",
        "riskware",
        "unsafe",
        "webshell",
        "exploit",
        "crack",
        "malware",
        "phishing",
        "union",
        "bank",
        "generic malware",
        "ip summary",
        "url summary",
        "summary",
        "detection list",
        "blacklist",
        "site top",
        "malware site",
        "site safe",
        "deepscan",
        "genpack",
        "zbot",
        "united",
        "proxy",
        "firehol mail",
        "spammer",
        "anonymizer",
        "team proxy",
        "firehol",
        "noname057",
        "alexa safe",
        "maltiverse safe",
        "windows nt",
        "win64",
        "khtml",
        "gecko",
        "veryhigh",
        "orgabusehandle",
        "route",
        "appli22",
        "address",
        "orgtechhandle",
        "appliedi abuse",
        "orgnochandle",
        "peter heather",
        "appliedi",
        "general info",
        "geo united",
        "as14519",
        "us note",
        "registrar arin",
        "ptr record",
        "command decode",
        "mitre att",
        "ck id",
        "show technique",
        "ck matrix",
        "traffic et",
        "policy windows",
        "update p2p",
        "activity",
        "date",
        "hybrid",
        "general",
        "click",
        "strings",
        "contact",
        "contacted urls",
        "cert valid",
        "malicious",
        "phone",
        "text",
        "microsoft",
        "uk telco",
        "js tel",
        "metro",
        "redacted for",
        "record value",
        "emails abuse",
        "name redacted",
        "for privacy",
        "name servers",
        "privacy address",
        "privacy city",
        "privacy country",
        "resolutions",
        "a domains",
        "canada unknown",
        "div div",
        "format a",
        "a ul",
        "models a",
        "gmt path",
        "search",
        "unknown",
        "passive dns",
        "title",
        "all scoreblue",
        "ipv4",
        "url analysis",
        "body",
        "next",
        "port",
        "destination",
        "forbidden",
        "high",
        "tcp syn",
        "telnet root",
        "suspicious path",
        "busybox",
        "bad login",
        "telnet login",
        "copy",
        "mirai",
        "domain",
        "hostname",
        "script script",
        "link",
        "app themesskin",
        "status",
        "content type",
        "lakeside tool",
        "meta",
        "find",
        "tools",
        "cookie",
        "front",
        "li ul",
        "mower shop",
        "creation date",
        "showing",
        "pragma",
        "this",
        "span",
        "open ports",
        "body doctype",
        "privacy admin",
        "privacy tech",
        "server",
        "country",
        "organization",
        "postal code",
        "stateprovince",
        "code",
        "script urls",
        "aaaa",
        "as8068",
        "cname",
        "as20446",
        "encrypt",
        "falcon",
        "name verdict",
        "abuse",
        "as55081",
        "dnssec",
        "dynamicloader",
        "alerts",
        "pulses",
        "java",
        "windows",
        "guard",
        "medium",
        "dynamic",
        "servers",
        "certificate",
        "as54113",
        "trojan",
        "neue",
        "trojanspy",
        "alexa",
        "team google",
        "maltiverse top",
        "ccleaner",
        "xrat",
        "downldr",
        "tsara brashears",
        "entries",
        "transactional"
      ],
      "references": [
        "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US",
        "HOSTEDBYAPPLIEDI.NET - Enom",
        "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States",
        "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
        "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
        "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188",
        "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
        "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e",
        "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664",
        "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7",
        "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb",
        "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c",
        "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598",
        "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below",
        "Yara Detections: is__elf ,  ELFHighEntropy ,  elf_empty_sections",
        "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed",
        "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
        "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)",
        "Dropped Files: #266028 (deleted) empty MD5 d41d8cd98f00b204e9800998ecf8427e",
        "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida",
        "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
        "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |",
        "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
        "nr-data.net [Apple Private Data Collection]",
        "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a",
        "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT",
        "smartertrack.appliedi.net, http://analytics.com/track?id=55",
        "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf",
        "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "ELF:Mirai-GH\\ [Trj]",
          "display_name": "ELF:Mirai-GH\\ [Trj]",
          "target": null
        },
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "Unix.Trojan.DarkNexus-7679166-0",
          "display_name": "Unix.Trojan.DarkNexus-7679166-0",
          "target": null
        },
        {
          "id": "Ransom",
          "display_name": "Ransom",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1504",
          "name": "PowerShell Profile",
          "display_name": "T1504 - PowerShell Profile"
        },
        {
          "id": "T1503",
          "name": "Credentials from Web Browsers",
          "display_name": "T1503 - Credentials from Web Browsers"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 41,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2979,
        "FileHash-SHA1": 406,
        "FileHash-SHA256": 2293,
        "URL": 1804,
        "domain": 814,
        "hostname": 1025,
        "email": 9,
        "CVE": 12,
        "CIDR": 2
      },
      "indicator_count": 9344,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 226,
      "modified_text": "727 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://scripts.4boas.fhjtimes.com/",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://scripts.4boas.fhjtimes.com/",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776698731.4749827
}