{ "type": "URL", "indicator": "https://secure.comodo.com/CPS", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://secure.comodo.com/CPS", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #3775", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain comodo.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain comodo.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3361365834, "indicator": "https://secure.comodo.com/CPS", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "69a9cd444aa144401d0c4988", "name": "Pools Open", "description": "", "modified": "2026-04-15T19:21:28.851000", "created": "2026-03-05T18:36:52.014000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23428, "hostname": 9592, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47103, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "5fa57698ac0f6638b7b9a8ba", "name": "Pool's Closed", "description": "Two paupers from the meadow spring forth an upheaval of nasty sites on the world wide web.", "modified": "2025-12-27T05:02:34.910000", "created": "2020-11-06T16:15:20.139000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": null, "export_count": 61, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23426, "hostname": 9590, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47099, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "113 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eedf74b7bdda41057bef3e", "name": "Source Browse- DNS poisoning \u2022 Device CnC", "description": "Smear + Fear campaign. Parked domain schemes. Swatting, social engineering, crime staging/framing. Cyber bully, shocking, false online content, posters, porn dumping, injection, CnC devices, master keys, break & enter. Victim becomes the accused. Framing. Ability to close bank accounts, skim, call, text, email collection, redirect phone calls, create botnets, engineer malware, injection,divert tax refunds, divert funds, royalties, mail erase job history, attack, hospital, CnC event, IRS audits, fake documentaries, stalkers, attackers, death threats. MD articulated outcome after being SA'd by their employee they vowed to protect.", "modified": "2024-04-10T09:00:27.994000", "created": "2024-03-11T10:39:48.949000", "tags": [ "iocs", "all octoseek", "blacklist https", "gmbh version", "legal", "service privacy", "general full", "reverse dns", "san francisco", "asn13335", "cloudflarenet", "cloudflare", "domains", "service privacy", "modernizr", "domainpath name", "migrate", "phishing", "url https", "united", "line", "threat", "paste", "analyze", "value", "z6s3i string", "a7i string", "y3i string", "e0b function", "x8i string", "source level", "threat analyzer", "urls https", "domain", "webzilla", "cloudflar", "system", "hostnames", "sample", "security tls", "ecdheecdsa", "resource", "hash", "windows nt", "win64", "khtml", "gecko", "veryhigh", "limited", "lsalford", "ocomodo ca", "cncomodo ecc", "secure server", "olet", "encrypt", "cnlet", "identity search", "group", "google https", "expired", "comodo", "tls web", "log id", "criteria id", "1663014711", "summary leaf", "timestamp entry", "log operator", "error", "name size", "parent", "directory", "displays", "targets", "smartfolder", "frame", "bookmarks", "splitcount", "nib files", "design", "boundsstr", "rows", "source browser", "ruby logo", "license", "python", "python software", "foundation", "apple inc", "php logo", "visit", "valid", "no na", "no no", "ip security", "ca id", "research group", "cnisrg root", "mozilla", "android", "binrm", "targetdisk", "create", "crlcachedir", "makefile", "dstroot", "keychainssrc", "srcroot", "crl cache", "install", "ev server", "authentication", "subject", "digicert https", "sectigo https", "certificate", "ca limited", "salford", "greater", "key usage", "access", "ca issuers", "ocsp", "x509v3 subject", "lets", "identifier", "411260982", "poison", "search", "status page", "impressum", "protocol h2", "main", "framing", "geoip", "as13335", "centos", "as32244", "liquidweb", "redirect", "as16509", "as133618", "z6s3i y3i", "as62597", "france unknown", "showing", "link", "z6s3i", "date", "unknown", "meta", "sha256", "google safe", "browsing", "hostname", "samples", "td td", "tr tr", "a td", "a domains", "passive dns", "a th", "urls", "as50295 triple", "triple mirrors", "contact", "moved", "show", "accept", "body", "microsoft", "e4609l", "urls http", "yoa https", "url http", "scan endpoints", "report spam", "created", "weeks ago", "pulse", "brashears", "xvideos", "capture", "expiration", "no expiration", "entries", "status", "as58110 ip", "for privacy", "aaaa", "creation date", "domain name", "germany unknown", "bq mar", "ipv4", "pulse pulses", "files", "artro", "files domain", "files related", "pulses otx", "pulses", "tags", "servers", "record value", "body doctype", "html public", "macintosh", "intel mac", "os x", "technology", "dns replication", "email", "server", "registrar abuse", "dnssec", "expiration date", "registrar iana", "admin country", "tech country", "registry admin", "url text", "facebook url", "google url", "google", "software", "asn15169", "ip https", "february", "request chain", "http", "referer", "aes128gcm", "pragma", "frankfurt", "germany", "asn213250", "itpsolutions", "full url", "software caddy", "express", "ubuntu", "as14061", "digitaloceanasn", "address as", "april", "facebook", "march", "hashes", "ip address", "as autonomous", "fastly", "packet", "kb script", "b script", "october", "resource path", "size", "type mimetype", "redirect chain", "kb image", "b image", "cname", "as32244 liquid", "trojan", "high", "yara rule", "sniffs", "windows", "anomalous file", "medium", "guard", "filehash", "js user", "python connection", "brian sabey", "smithtech", "rexxfield", "connect facebook", "open", "emails", "next", "ssl certificate", "contacted", "whois record", "referrer", "historical ssl", "resolutions", "execution", "whois whois", "contacted urls", "linkid69157 url", "formbook", "spyware", "generic malware", "tag count", "sat jul", "threat report", "ip summary", "url summary", "summary", "generic", "alerts", "icmp traffic", "cust exe", "depot tech", "office depot", "tech", "customer client", "june", "copy", "network_icmp", "inject-x64.exe", "tsara brashears", "apple ios", "hacktool", "download", "malware", "relic", "monitoring", "tofsee", "https://otx.alienvault.com/pulse/65acace20c18a7d6c5da2e27", "darklivity", "hijacker", "remote attackers", "cybercrime", "fear factor", "criminal gang", "jeffrey reimer", "miles it", "history killer", "apple", "apple control", "sreredrum", "men", "man", "hit" ], "references": [ "videolal.com [Exploitation for privilege - Turns victim into target then spys, smears, embeds pornography in devices]", "videolal.com was first found hosted : https://rexxfield.com/ | https://crt.sh/?id=410492573 | https://crt.sh/?id=411260982", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/michael.pbxuser.auto.html", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/project.pbxproj.auto.html", "https://opensource.apple.com/source/security_certificates/security_certificates-2/roots/", "https://crt.sh/?q=videolal.com", "https://opensource.apple.com/source/security_certificates/security_certificates-2/Makefile.auto.html", "https://opensource.apple.com/source/security_certificates/", "https://crt.sh/?q=videolal.com", "https://crt.sh/?graph=410492573&opt=nometadata", "https://crt.sh/?spkisha256=2c5ef644a15ed2d591aee707a125b2870da480a0bc16d78022a311c93aca5b15", "Tracey Richter smear included Brashears: http://video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "Tracey Richter smear: video-lal.com/videos/diabolical-sentencing.html", "Tracey Richter smear: video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "Tracey Richter smear: video-lal.com/video/fbcwPGTSo5lrA7e/tracey-richter-documentary?cpc=no", "Malware hosting: http://videolan.mirror.triple-it.nl/vlc-android/3.0.4/VLC-Android-3.0.4-ARMv7.apk", "video-lal.com/videos/sandra-richter-video.html", "Denver Attorney Frank Azar Smear: video-lal.com/videos/sherryce-emery-frank-azar-&-associates.html", "Brashears smear: video-lal.com/videos/tsara-brashears-dead-by-daylight.html", "http://tx-p2p-pull.video-voip.com.dorm.com/Accept-Language", "Crazy: video-lal.com/videos/michael-roberts.html", "https://urlscan.io/screenshots/e40cd846-7c34-45a5-9f79-fea139f5b1ee.png", "http://secure.applegiftcard.com \u2022 199.59.243.224: http://tx-p2p-pull.video-voip.com.dorm.com \u2022 199.59.243.224: http://wpad.dorm.com", "notonmytrack.info \u2022 http://notonmytrack.info \u2022 https://pochta-rf.ru/track74157857 \u2022 patch-tracker.gnewsense.org \u2022 mysql.snore.co", "Darren Meade: https://urlscan.io/result/e5f1d6fe-036e-4291-8595-0a33e5dacba5/#behaviour \u2022 alleged partner turned enemy of Michael Roberts", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe | smithsthermopadtool.com", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe \u2022", "Unclear given names authentic. Michael Roberts, Darren Mitchell Meade , M. Brian Sabey could be used interchangeably. Black hats w/pseudonyms.", "Smith tech may refer to Det. Ben Smith. HallRender; a media company, producing nonsensical, albeit convincing evidence of deeply fake content.", "Possibly false names given by individual involved. Brian Sabey Hall Render | Michael Roberts Rexxfield | Darren Meade former partner of Roberts", "Responsible reopening Richter case via alleged Detective Ben Smith | Names Below linked to porn spewing Videolan , Videolal, Video-lal (Honeypots?) |", "http://www.hallrender.com/attorney/brian-sabey |", "Sabey: https://www.google.com/search?q=tsara+brashears&client=ms-android-tmus-us-rvc3&sca_esv=52c806ab62ec5c59&cs=1&prmd=inv&filter=0&biw=347&bih=710&dpr=2.08#ip=1", "https://www.hallrender.com/attorney/brian-sabey", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png | www.hallrender.com | rexxfield.com", "http://usb.smithtech.us \u2022 http://usb.smithtech.us/apps/downloads/NSISPortable.exe \u2022 http://usb.smithtech.us/apps/downloads/xplorer2.lite.portable.exe", "http://usb.smithtech.us/projects/downloads/\u2022 http://usb.smithtech.us/projects/downloads/psu.exe \u2022 smithsthermopadtool.com", "servicer.mgid.com \u2022 http://iv-u15.com/imbd-104-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-\u00e5\u00a4\u008f\u00e5\u00b0\u2018\u00e5\u00a5\u00b3-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-blu-ray \u2022 https://load77.exelator.com/pixel.gif", "brain-portal.net", "303 Status. Ide redirect from: https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "https://otx.alienvault.com/pulse/64d018ee4623e8fcd386c2e1", "https://otx.alienvault.com/pulse/65418472eb20b10ee5510fde", "https://otx.alienvault.com/pulse/64d65255c80d866add600bac", "https://otx.alienvault.com/pulse/65204565ac1e8bce4de26df3", "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "https://otx.alienvault.com/pulse/65a342310ab3d2c69778d608", "Refuses to remove target from adult content \"tagging\"" ], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Win.Malware.Farfli-6824119-0", "display_name": "Win.Malware.Farfli-6824119-0", "target": null }, { "id": "Win32:TrojanX-Gen[Trj]", "display_name": "Win32:TrojanX-Gen[Trj]", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1602.002", "name": "Network Device Configuration Dump", "display_name": "T1602.002 - Network Device Configuration Dump" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5328, "domain": 2339, "hostname": 2434, "FileHash-MD5": 1210, "FileHash-SHA1": 721, "FileHash-SHA256": 2784, "SSLCertFingerprint": 5, "CVE": 2, "URI": 2, "email": 10, "CIDR": 3 }, "indicator_count": 14838, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "739 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a161f0681f4ff3d67feb", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-12-06T16:29:21.844000", "created": "2023-12-06T16:29:21.844000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a145926a5676de0e2a1a", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-12-06T16:28:53.979000", "created": "2023-12-06T16:28:53.979000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707b9630308cb99a817277", "name": "Pool's Closed", "description": "", "modified": "2023-12-06T13:48:06.514000", "created": "2023-12-06T13:48:06.514000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f37719db054ccde25aa9df", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-09-02T17:55:37.269000", "created": "2023-09-02T17:55:37.269000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7851, "URL": 23098, "hostname": 9521, "domain": 4595, "SSLCertFingerprint": 22, "FileHash-MD5": 564, "FileHash-SHA1": 432, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 46120, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "960 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f3771616d9a9891947e4df", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-09-02T17:55:34.095000", "created": "2023-09-02T17:55:34.095000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7851, "URL": 23098, "hostname": 9521, "domain": 4595, "SSLCertFingerprint": 22, "FileHash-MD5": 564, "FileHash-SHA1": 432, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 46120, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "960 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://otx.alienvault.com/pulse/65204565ac1e8bce4de26df3", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/michael.pbxuser.auto.html", "Sabey: https://www.google.com/search?q=tsara+brashears&client=ms-android-tmus-us-rvc3&sca_esv=52c806ab62ec5c59&cs=1&prmd=inv&filter=0&biw=347&bih=710&dpr=2.08#ip=1", "https://crt.sh/?q=videolal.com", "Refuses to remove target from adult content \"tagging\"", "http://usb.smithtech.us \u2022 http://usb.smithtech.us/apps/downloads/NSISPortable.exe \u2022 http://usb.smithtech.us/apps/downloads/xplorer2.lite.portable.exe", "Pool Closed", "http://www.hallrender.com/attorney/brian-sabey |", "http://usb.smithtech.us/projects/downloads/\u2022 http://usb.smithtech.us/projects/downloads/psu.exe \u2022 smithsthermopadtool.com", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/", "Denver Attorney Frank Azar Smear: video-lal.com/videos/sherryce-emery-frank-azar-&-associates.html", "http://tx-p2p-pull.video-voip.com.dorm.com/Accept-Language", "https://otx.alienvault.com/pulse/65418472eb20b10ee5510fde", "Tracey Richter smear included Brashears: http://video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "http://secure.applegiftcard.com \u2022 199.59.243.224: http://tx-p2p-pull.video-voip.com.dorm.com \u2022 199.59.243.224: http://wpad.dorm.com", "brain-portal.net", "303 Status. Ide redirect from: https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "Smith tech may refer to Det. Ben Smith. HallRender; a media company, producing nonsensical, albeit convincing evidence of deeply fake content.", "Crazy: video-lal.com/videos/michael-roberts.html", "videolal.com was first found hosted : https://rexxfield.com/ | https://crt.sh/?id=410492573 | https://crt.sh/?id=411260982", "servicer.mgid.com \u2022 http://iv-u15.com/imbd-104-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-\u00e5\u00a4\u008f\u00e5\u00b0\u2018\u00e5\u00a5\u00b3-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-blu-ray \u2022 https://load77.exelator.com/pixel.gif", "https://crt.sh/?spkisha256=2c5ef644a15ed2d591aee707a125b2870da480a0bc16d78022a311c93aca5b15", "Malware hosting: http://videolan.mirror.triple-it.nl/vlc-android/3.0.4/VLC-Android-3.0.4-ARMv7.apk", "https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png | www.hallrender.com | rexxfield.com", "https://crt.sh/?graph=410492573&opt=nometadata", "https://opensource.apple.com/source/security_certificates/security_certificates-2/Makefile.auto.html", "https://otx.alienvault.com/pulse/64d018ee4623e8fcd386c2e1", "Possibly false names given by individual involved. Brian Sabey Hall Render | Michael Roberts Rexxfield | Darren Meade former partner of Roberts", "https://otx.alienvault.com/pulse/65a342310ab3d2c69778d608", "Pool's Closed", "https://opensource.apple.com/source/security_certificates/", "https://otx.alienvault.com/pulse/64d65255c80d866add600bac", "video-lal.com/videos/sandra-richter-video.html", "notonmytrack.info \u2022 http://notonmytrack.info \u2022 https://pochta-rf.ru/track74157857 \u2022 patch-tracker.gnewsense.org \u2022 mysql.snore.co", "Tracey Richter smear: video-lal.com/video/fbcwPGTSo5lrA7e/tracey-richter-documentary?cpc=no", "Darren Meade: https://urlscan.io/result/e5f1d6fe-036e-4291-8595-0a33e5dacba5/#behaviour \u2022 alleged partner turned enemy of Michael Roberts", "https://opensource.apple.com/source/security_certificates/security_certificates-2/roots/", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe | smithsthermopadtool.com", "Brashears smear: video-lal.com/videos/tsara-brashears-dead-by-daylight.html", "Unclear given names authentic. Michael Roberts, Darren Mitchell Meade , M. Brian Sabey could be used interchangeably. Black hats w/pseudonyms.", "Tracey Richter smear: video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "https://urlscan.io/screenshots/e40cd846-7c34-45a5-9f79-fea139f5b1ee.png", "https://www.hallrender.com/attorney/brian-sabey", "Tracey Richter smear: video-lal.com/videos/diabolical-sentencing.html", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/project.pbxproj.auto.html", "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "Responsible reopening Richter case via alleged Detective Ben Smith | Names Below linked to porn spewing Videolan , Videolal, Video-lal (Honeypots?) |", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe \u2022", "videolal.com [Exploitation for privilege - Turns victim into target then spys, smears, embeds pornography in devices]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "[Unnamed group]" ], "malware_families": [ "Win32:trojanx-gen[trj]", "Win.malware.farfli-6824119-0", "Artro", "Generic" ], "industries": [ "Ad fraud", "Media" ], "unique_indicators": 62002 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/comodo.com", "whois": "http://whois.domaintools.com/comodo.com", "domain": "comodo.com", "hostname": "secure.comodo.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "69a9cd444aa144401d0c4988", "name": "Pools Open", "description": "", "modified": "2026-04-15T19:21:28.851000", "created": "2026-03-05T18:36:52.014000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23428, "hostname": 9592, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47103, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "5fa57698ac0f6638b7b9a8ba", "name": "Pool's Closed", "description": "Two paupers from the meadow spring forth an upheaval of nasty sites on the world wide web.", "modified": "2025-12-27T05:02:34.910000", "created": "2020-11-06T16:15:20.139000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": null, "export_count": 61, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23426, "hostname": 9590, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47099, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "113 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eedf74b7bdda41057bef3e", "name": "Source Browse- DNS poisoning \u2022 Device CnC", "description": "Smear + Fear campaign. Parked domain schemes. Swatting, social engineering, crime staging/framing. Cyber bully, shocking, false online content, posters, porn dumping, injection, CnC devices, master keys, break & enter. Victim becomes the accused. Framing. Ability to close bank accounts, skim, call, text, email collection, redirect phone calls, create botnets, engineer malware, injection,divert tax refunds, divert funds, royalties, mail erase job history, attack, hospital, CnC event, IRS audits, fake documentaries, stalkers, attackers, death threats. MD articulated outcome after being SA'd by their employee they vowed to protect.", "modified": "2024-04-10T09:00:27.994000", "created": "2024-03-11T10:39:48.949000", "tags": [ "iocs", "all octoseek", "blacklist https", "gmbh version", "legal", "service privacy", "general full", "reverse dns", "san francisco", "asn13335", "cloudflarenet", "cloudflare", "domains", "service privacy", "modernizr", "domainpath name", "migrate", "phishing", "url https", "united", "line", "threat", "paste", "analyze", "value", "z6s3i string", "a7i string", "y3i string", "e0b function", "x8i string", "source level", "threat analyzer", "urls https", "domain", "webzilla", "cloudflar", "system", "hostnames", "sample", "security tls", "ecdheecdsa", "resource", "hash", "windows nt", "win64", "khtml", "gecko", "veryhigh", "limited", "lsalford", "ocomodo ca", "cncomodo ecc", "secure server", "olet", "encrypt", "cnlet", "identity search", "group", "google https", "expired", "comodo", "tls web", "log id", "criteria id", "1663014711", "summary leaf", "timestamp entry", "log operator", "error", "name size", "parent", "directory", "displays", "targets", "smartfolder", "frame", "bookmarks", "splitcount", "nib files", "design", "boundsstr", "rows", "source browser", "ruby logo", "license", "python", "python software", "foundation", "apple inc", "php logo", "visit", "valid", "no na", "no no", "ip security", "ca id", "research group", "cnisrg root", "mozilla", "android", "binrm", "targetdisk", "create", "crlcachedir", "makefile", "dstroot", "keychainssrc", "srcroot", "crl cache", "install", "ev server", "authentication", "subject", "digicert https", "sectigo https", "certificate", "ca limited", "salford", "greater", "key usage", "access", "ca issuers", "ocsp", "x509v3 subject", "lets", "identifier", "411260982", "poison", "search", "status page", "impressum", "protocol h2", "main", "framing", "geoip", "as13335", "centos", "as32244", "liquidweb", "redirect", "as16509", "as133618", "z6s3i y3i", "as62597", "france unknown", "showing", "link", "z6s3i", "date", "unknown", "meta", "sha256", "google safe", "browsing", "hostname", "samples", "td td", "tr tr", "a td", "a domains", "passive dns", "a th", "urls", "as50295 triple", "triple mirrors", "contact", "moved", "show", "accept", "body", "microsoft", "e4609l", "urls http", "yoa https", "url http", "scan endpoints", "report spam", "created", "weeks ago", "pulse", "brashears", "xvideos", "capture", "expiration", "no expiration", "entries", "status", "as58110 ip", "for privacy", "aaaa", "creation date", "domain name", "germany unknown", "bq mar", "ipv4", "pulse pulses", "files", "artro", "files domain", "files related", "pulses otx", "pulses", "tags", "servers", "record value", "body doctype", "html public", "macintosh", "intel mac", "os x", "technology", "dns replication", "email", "server", "registrar abuse", "dnssec", "expiration date", "registrar iana", "admin country", "tech country", "registry admin", "url text", "facebook url", "google url", "google", "software", "asn15169", "ip https", "february", "request chain", "http", "referer", "aes128gcm", "pragma", "frankfurt", "germany", "asn213250", "itpsolutions", "full url", "software caddy", "express", "ubuntu", "as14061", "digitaloceanasn", "address as", "april", "facebook", "march", "hashes", "ip address", "as autonomous", "fastly", "packet", "kb script", "b script", "october", "resource path", "size", "type mimetype", "redirect chain", "kb image", "b image", "cname", "as32244 liquid", "trojan", "high", "yara rule", "sniffs", "windows", "anomalous file", "medium", "guard", "filehash", "js user", "python connection", "brian sabey", "smithtech", "rexxfield", "connect facebook", "open", "emails", "next", "ssl certificate", "contacted", "whois record", "referrer", "historical ssl", "resolutions", "execution", "whois whois", "contacted urls", "linkid69157 url", "formbook", "spyware", "generic malware", "tag count", "sat jul", "threat report", "ip summary", "url summary", "summary", "generic", "alerts", "icmp traffic", "cust exe", "depot tech", "office depot", "tech", "customer client", "june", "copy", "network_icmp", "inject-x64.exe", "tsara brashears", "apple ios", "hacktool", "download", "malware", "relic", "monitoring", "tofsee", "https://otx.alienvault.com/pulse/65acace20c18a7d6c5da2e27", "darklivity", "hijacker", "remote attackers", "cybercrime", "fear factor", "criminal gang", "jeffrey reimer", "miles it", "history killer", "apple", "apple control", "sreredrum", "men", "man", "hit" ], "references": [ "videolal.com [Exploitation for privilege - Turns victim into target then spys, smears, embeds pornography in devices]", "videolal.com was first found hosted : https://rexxfield.com/ | https://crt.sh/?id=410492573 | https://crt.sh/?id=411260982", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/michael.pbxuser.auto.html", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/project.pbxproj.auto.html", "https://opensource.apple.com/source/security_certificates/security_certificates-2/roots/", "https://crt.sh/?q=videolal.com", "https://opensource.apple.com/source/security_certificates/security_certificates-2/Makefile.auto.html", "https://opensource.apple.com/source/security_certificates/", "https://crt.sh/?q=videolal.com", "https://crt.sh/?graph=410492573&opt=nometadata", "https://crt.sh/?spkisha256=2c5ef644a15ed2d591aee707a125b2870da480a0bc16d78022a311c93aca5b15", "Tracey Richter smear included Brashears: http://video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "Tracey Richter smear: video-lal.com/videos/diabolical-sentencing.html", "Tracey Richter smear: video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "Tracey Richter smear: video-lal.com/video/fbcwPGTSo5lrA7e/tracey-richter-documentary?cpc=no", "Malware hosting: http://videolan.mirror.triple-it.nl/vlc-android/3.0.4/VLC-Android-3.0.4-ARMv7.apk", "video-lal.com/videos/sandra-richter-video.html", "Denver Attorney Frank Azar Smear: video-lal.com/videos/sherryce-emery-frank-azar-&-associates.html", "Brashears smear: video-lal.com/videos/tsara-brashears-dead-by-daylight.html", "http://tx-p2p-pull.video-voip.com.dorm.com/Accept-Language", "Crazy: video-lal.com/videos/michael-roberts.html", "https://urlscan.io/screenshots/e40cd846-7c34-45a5-9f79-fea139f5b1ee.png", "http://secure.applegiftcard.com \u2022 199.59.243.224: http://tx-p2p-pull.video-voip.com.dorm.com \u2022 199.59.243.224: http://wpad.dorm.com", "notonmytrack.info \u2022 http://notonmytrack.info \u2022 https://pochta-rf.ru/track74157857 \u2022 patch-tracker.gnewsense.org \u2022 mysql.snore.co", "Darren Meade: https://urlscan.io/result/e5f1d6fe-036e-4291-8595-0a33e5dacba5/#behaviour \u2022 alleged partner turned enemy of Michael Roberts", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe | smithsthermopadtool.com", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe \u2022", "Unclear given names authentic. Michael Roberts, Darren Mitchell Meade , M. Brian Sabey could be used interchangeably. Black hats w/pseudonyms.", "Smith tech may refer to Det. Ben Smith. HallRender; a media company, producing nonsensical, albeit convincing evidence of deeply fake content.", "Possibly false names given by individual involved. Brian Sabey Hall Render | Michael Roberts Rexxfield | Darren Meade former partner of Roberts", "Responsible reopening Richter case via alleged Detective Ben Smith | Names Below linked to porn spewing Videolan , Videolal, Video-lal (Honeypots?) |", "http://www.hallrender.com/attorney/brian-sabey |", "Sabey: https://www.google.com/search?q=tsara+brashears&client=ms-android-tmus-us-rvc3&sca_esv=52c806ab62ec5c59&cs=1&prmd=inv&filter=0&biw=347&bih=710&dpr=2.08#ip=1", "https://www.hallrender.com/attorney/brian-sabey", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png | www.hallrender.com | rexxfield.com", "http://usb.smithtech.us \u2022 http://usb.smithtech.us/apps/downloads/NSISPortable.exe \u2022 http://usb.smithtech.us/apps/downloads/xplorer2.lite.portable.exe", "http://usb.smithtech.us/projects/downloads/\u2022 http://usb.smithtech.us/projects/downloads/psu.exe \u2022 smithsthermopadtool.com", "servicer.mgid.com \u2022 http://iv-u15.com/imbd-104-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-\u00e5\u00a4\u008f\u00e5\u00b0\u2018\u00e5\u00a5\u00b3-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-blu-ray \u2022 https://load77.exelator.com/pixel.gif", "brain-portal.net", "303 Status. Ide redirect from: https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "https://otx.alienvault.com/pulse/64d018ee4623e8fcd386c2e1", "https://otx.alienvault.com/pulse/65418472eb20b10ee5510fde", "https://otx.alienvault.com/pulse/64d65255c80d866add600bac", "https://otx.alienvault.com/pulse/65204565ac1e8bce4de26df3", "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "https://otx.alienvault.com/pulse/65a342310ab3d2c69778d608", "Refuses to remove target from adult content \"tagging\"" ], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Win.Malware.Farfli-6824119-0", "display_name": "Win.Malware.Farfli-6824119-0", "target": null }, { "id": "Win32:TrojanX-Gen[Trj]", "display_name": "Win32:TrojanX-Gen[Trj]", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1602.002", "name": "Network Device Configuration Dump", "display_name": "T1602.002 - Network Device Configuration Dump" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5328, "domain": 2339, "hostname": 2434, "FileHash-MD5": 1210, "FileHash-SHA1": 721, "FileHash-SHA256": 2784, "SSLCertFingerprint": 5, "CVE": 2, "URI": 2, "email": 10, "CIDR": 3 }, "indicator_count": 14838, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "739 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a161f0681f4ff3d67feb", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-12-06T16:29:21.844000", "created": "2023-12-06T16:29:21.844000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a145926a5676de0e2a1a", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-12-06T16:28:53.979000", "created": "2023-12-06T16:28:53.979000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707b9630308cb99a817277", "name": "Pool's Closed", "description": "", "modified": "2023-12-06T13:48:06.514000", "created": "2023-12-06T13:48:06.514000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f37719db054ccde25aa9df", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-09-02T17:55:37.269000", "created": "2023-09-02T17:55:37.269000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7851, "URL": 23098, "hostname": 9521, "domain": 4595, "SSLCertFingerprint": 22, "FileHash-MD5": 564, "FileHash-SHA1": 432, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 46120, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "960 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f3771616d9a9891947e4df", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-09-02T17:55:34.095000", "created": "2023-09-02T17:55:34.095000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7851, "URL": 23098, "hostname": 9521, "domain": 4595, "SSLCertFingerprint": 22, "FileHash-MD5": 564, "FileHash-SHA1": 432, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 46120, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "960 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://secure.comodo.com/CPS", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://secure.comodo.com/CPS", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776638721.1114087 }