{
  "type": "URL",
  "indicator": "https://secure.gravatar.com",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://secure.gravatar.com",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "akamai",
        "message": "Akamai rank: #1065",
        "name": "Akamai Popular Domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain gravatar.com",
        "name": "Whitelisted domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain gravatar.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 2878764457,
      "indicator": "https://secure.gravatar.com",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 15,
      "pulses": [
        {
          "id": "69c5c7194394ff775d44f7e0",
          "name": "WaypointsStickyChromeCache",
          "description": "A complete analysis of user-created Pulses (AVs) at the University of California, Los Angeles, has been published by the BBC's Newsnight website, along with a series of links.<pretext",
          "modified": "2026-03-27T00:12:08.015000",
          "created": "2026-03-26T23:54:01.493000",
          "tags": [
            "http",
            "urls",
            "unique",
            "pulse pulses",
            "location united",
            "flag united",
            "related",
            "pulses",
            "related tags",
            "x tec",
            "log id",
            "gmtn",
            "tls web",
            "self",
            "encrypt",
            "b2 f6",
            "b0n timestamp",
            "f9401a",
            "timestamp",
            "url add",
            "false"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 121,
            "hostname": 31,
            "domain": 5,
            "FileHash-MD5": 20,
            "FileHash-SHA1": 18,
            "FileHash-SHA256": 98,
            "SSLCertFingerprint": 2,
            "IPv4": 1,
            "CVE": 1
          },
          "indicator_count": 297,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "23 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68cb233ba91aa1eb958b3f31",
          "name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022  OneLouder",
          "description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea",
          "modified": "2025-10-17T19:03:15.031000",
          "created": "2025-09-17T21:08:11.518000",
          "tags": [
            "script urls",
            "meta",
            "moved",
            "x tec",
            "passive dns",
            "encrypt",
            "america flag",
            "san francisco",
            "extraction",
            "data upload",
            "type indicatod",
            "united states",
            "a domains",
            "united",
            "gmt server",
            "jose",
            "university",
            "bill",
            "rmhs",
            "information",
            "board",
            "lorin",
            "joseph",
            "all veterans",
            "rocky mountain",
            "mission",
            "vice",
            "april",
            "school",
            "austin",
            "prior",
            "ipv4 add",
            "urls",
            "files",
            "location united",
            "wordpress",
            "rmhs meta",
            "tags viewport",
            "rmhs og",
            "rmhs article",
            "wpbakery page",
            "builder",
            "slider plugin",
            "google tag",
            "mountain human",
            "denver",
            "connecting",
            "denver start",
            "relevance home",
            "providers",
            "contact us",
            "rmhs main",
            "server",
            "redacted tech",
            "redacted admin",
            "registrar abuse",
            "algorithm",
            "key identifier",
            "x509v3 subject",
            "dnssec",
            "country",
            "ttl value",
            "graph summary",
            "resolved ips",
            "ip address",
            "port",
            "data",
            "screenshots no",
            "involved direct",
            "country name",
            "name response",
            "tcp connections",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "found",
            "spawns",
            "t1590 gather",
            "path",
            "ascii text",
            "exif standard",
            "tiff image",
            "format",
            "stop",
            "false",
            "soldier",
            "model",
            "youth",
            "baby",
            "june",
            "general",
            "local",
            "click",
            "strings",
            "core",
            "warrior",
            "green",
            "emotion",
            "flash",
            "nina",
            "hunk",
            "fono",
            "daam",
            "mitre att",
            "ck techniques",
            "id name",
            "malicious",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "brand",
            "microsoft edge",
            "show process",
            "self",
            "date",
            "comspec",
            "hybrid",
            "form",
            "log id",
            "gmtn",
            "tls web",
            "b2 f6",
            "b0n timestamp",
            "f9401a",
            "record value",
            "x wix",
            "certificate",
            "domain add",
            "pulse submit",
            "body",
            "domain related",
            "blackbox",
            "apple",
            "helix",
            "dvrdns",
            "tracking",
            "remote access",
            "ios",
            "spyware",
            "hoax",
            "dynamicloader",
            "ptls6",
            "medium",
            "flashpix",
            "high",
            "ygjpavclsline",
            "officespace",
            "chartshared",
            "powershell",
            "write",
            "malware",
            "ygjpaulscontext",
            "status",
            "japan unknown",
            "domain",
            "pulses",
            "search",
            "accept",
            "apt10",
            "trojanspy",
            "win32",
            "entries",
            "susp",
            "backdoor",
            "useragent",
            "showing",
            "virtool",
            "twitter",
            "mozilla",
            "trojandropper",
            "trojan",
            "title",
            "onelouder",
            "yara det",
            "maware samoe",
            "genaco x",
            "ids detec",
            "ids terse",
            "win3 data",
            "include review",
            "exclude sugges",
            "targeting",
            "show",
            "copy",
            "reads",
            "dynamic",
            "vendor finding",
            "notes clamav",
            "files matching",
            "number",
            "sample analysis",
            "hide samples",
            "date hash",
            "next yara"
          ],
          "references": [
            "rmhumanservices.org",
            "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
            "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
            "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
            "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
            "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
            "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
            "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
            "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
            "https://www.mlkfoundation.net/ (Foundry DGA)",
            "remotewd.com x 34 devices",
            "South Africa based:  remote.advisoroffice.com",
            "acc.lehigtapp.com - malware",
            "http://watchhers.net/index.php (espionage entity /palantir relationship  - seen before with palantir and Pegasus sometimes simultaneously )",
            "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022  emails.redvue.com \u2022",
            "Active - pointing:  https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
            "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
            "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
            "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
            "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
            "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
            "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
            "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
            "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
            "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
            "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
            "1.organization.api.powerplatform.partner.microsoftonline.cn",
            "chinaeast2.admin.api.powerautomate.cn",
            "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
            "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
            "ssa-gov.authorizeddns",
            "hmmm\u2026http://palander.stjernstrom.se/",
            "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU"
          ],
          "public": 1,
          "adversary": "APT 10",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "APT 10",
              "display_name": "APT 10",
              "target": null
            },
            {
              "id": "OneLouder",
              "display_name": "OneLouder",
              "target": null
            },
            {
              "id": "Andromeda",
              "display_name": "Andromeda",
              "target": null
            },
            {
              "id": "Sality",
              "display_name": "Sality",
              "target": null
            },
            {
              "id": "KoobFace",
              "display_name": "KoobFace",
              "target": null
            },
            {
              "id": "Bayrob",
              "display_name": "Bayrob",
              "target": null
            },
            {
              "id": "Nivdort Checkin",
              "display_name": "Nivdort Checkin",
              "target": null
            },
            {
              "id": "Win.Malware.Installcore-6950365-0",
              "display_name": "Win.Malware.Installcore-6950365-0",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1574.006",
              "name": "Dynamic Linker Hijacking",
              "display_name": "T1574.006 - Dynamic Linker Hijacking"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            }
          ],
          "industries": [
            "Golfing",
            "Healthcare",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 690,
            "hostname": 1912,
            "URL": 5925,
            "FileHash-SHA1": 273,
            "email": 8,
            "FileHash-SHA256": 3618,
            "CIDR": 3,
            "FileHash-MD5": 254,
            "SSLCertFingerprint": 19,
            "CVE": 2
          },
          "indicator_count": 12704,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "184 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "685afb805ba518e374abc735",
          "name": "Home - RMHS - Ransom",
          "description": "I can only  imagine what is going on. This is a real organization, with a building,  ever changing case workers who don\u2019t want to meet with clients in person . I have received several incoming concerns since 2021. It seems that a threat actor may be ringing along or certain people are being handled / investigated / silenced and closely monitored by a very large interconnected Cyber Intelligence entity  \u2022 Trojan:X97M/ShellHide.C |\n\u2022 Trojan:PDF/Phish.RR!MTB |\n\u2022 Win.Trojan.Agent-370485 |\nAntivirus Detections:\n\u2022 Win.Trojan.Agent-370485\nYara: VirusWin32Span |\nAlerts\nransomware_file_modifications\nstealth_file\nDomains Contacted: Unknown\n(efbkfqpcdh.com) [\t\t\t\t2025-07-24T16:00:00\t14\t\n\nURL\nhttp://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel] #phishing #malware #intel? #trojan #infectiin",
          "modified": "2025-07-24T19:04:24.993000",
          "created": "2025-06-24T19:24:48.632000",
          "tags": [
            "wordpress",
            "home",
            "rmhs og",
            "rmhs article",
            "wpbakery page",
            "builder",
            "slider plugin",
            "utc google",
            "tag manager",
            "g5cygkcj7g1",
            "dynamicloader",
            "ms windows",
            "intel",
            "users",
            "medium",
            "pe32",
            "search",
            "show",
            "windows",
            "videos",
            "music",
            "copy",
            "write",
            "next",
            "ford mustang",
            "converter pdf",
            "gt convertible",
            "trim",
            "models ford",
            "mustang coupe",
            "createdate",
            "producer solid",
            "filehash",
            "trojan",
            "format",
            "united",
            "moved",
            "passive dns",
            "ipv4 add",
            "pulse submit",
            "url analysis",
            "urls",
            "files",
            "location united",
            "america flag",
            "encrypt",
            "date",
            "sc onlogon",
            "write c",
            "port",
            "showing",
            "entries",
            "module load",
            "execution",
            "malware",
            "self",
            "reverse dns",
            "url https",
            "resource",
            "general full",
            "name value",
            "security tls",
            "hash",
            "san francisco",
            "june",
            "input",
            "form",
            "dom get",
            "search start",
            "get https",
            "post",
            "value",
            "variables",
            "msgoriginaltext",
            "msgoptions",
            "isns function",
            "setupns",
            "rsiw number",
            "rsih object",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "found",
            "spawns",
            "ck techniques",
            "flag",
            "markmonitor",
            "name server",
            "server",
            "rocky mountain",
            "human",
            "domain address",
            "enom",
            "copy sha256",
            "path",
            "copy md5",
            "copy sha1",
            "sha256",
            "size",
            "sha1",
            "attrib",
            "rowcycur",
            "hz4urdyi",
            "stop",
            "false",
            "soldier",
            "model",
            "youth",
            "baby",
            "core",
            "warrior",
            "green",
            "emotion",
            "flash",
            "nina",
            "hunk",
            "fono",
            "daam",
            "destination",
            "tlsv1",
            "dyndns domain",
            "irfan skiljan",
            "yara detections",
            "pdf pdf",
            "producer pdftk",
            "title data",
            "pulse pulses",
            "av detections",
            "ids detections",
            "alerts",
            "analysis date",
            "pictures",
            "read",
            "delete",
            "thumbprint",
            "graph summary",
            "url http",
            "gna7hdu",
            "g4 rsa4096",
            "adobe systems",
            "services1",
            "adobe product",
            "creatortool",
            "ascii text",
            "description svg",
            "scalable vector",
            "graphics image"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 34,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 56,
            "URL": 262,
            "hostname": 165,
            "FileHash-SHA256": 2141,
            "FileHash-MD5": 308,
            "FileHash-SHA1": 308,
            "SSLCertFingerprint": 3,
            "email": 1
          },
          "indicator_count": 3244,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "269 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6665d55d941729c5f283b3f7",
          "name": "S0094-Remote Access - Assurance [a Prudential company]",
          "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business;  Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. health insurance agents Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly. Infostealer, malware and unwanted programs  downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966",
          "modified": "2024-07-09T15:02:04.111000",
          "created": "2024-06-09T16:16:29.634000",
          "tags": [
            "falcon sandbox",
            "sha256",
            "sha1",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "misc attack",
            "pattern match",
            "ascii text",
            "null",
            "hybrid",
            "refresh",
            "body",
            "span",
            "june",
            "click",
            "date",
            "strings",
            "error",
            "tools",
            "look",
            "verify",
            "restart",
            "contact",
            "historical ssl",
            "referrer",
            "httponly",
            "path",
            "secure",
            "maxage31557600",
            "expiresmon",
            "samesitenone",
            "expireswed",
            "etag w",
            "setcookie dids",
            "maxage864000",
            "http response",
            "final url",
            "serving ip",
            "address",
            "status code",
            "html document",
            "history",
            "utc names",
            "html info",
            "title assurance",
            "meta tags",
            "script tags",
            "anchor hrefs",
            "code",
            "requestid",
            "hostid",
            "xml file",
            "accessdenied",
            "message",
            "signature",
            "expires",
            "awsaccesskeyid",
            "log id",
            "gmtn",
            "passive dns",
            "urls",
            "digicert global",
            "g2 tls",
            "rsa sha256",
            "tls web",
            "full name",
            "self",
            "false",
            "united",
            "as8075",
            "unknown",
            "gmt server",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "pulse submit",
            "url analysis",
            "url https",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "aaaa",
            "meta",
            "link",
            "search",
            "creation date",
            "wheels up",
            "moved",
            "homepage",
            "servers",
            "service",
            "name servers",
            "hostname",
            "next",
            "japan unknown",
            "as2510 fujitsu",
            "status",
            "page",
            "ltd dba",
            "com laude",
            "record value",
            "ireland",
            "germany",
            "australia",
            "as44786 adobe",
            "whitelisted",
            "win32",
            "present may",
            "trojan",
            "karaganye",
            "regsetvalueexa",
            "regdword",
            "default",
            "show",
            "presto",
            "regbinary",
            "medium",
            "create c",
            "query",
            "double",
            "malware",
            "copy",
            "karagany",
            "write",
            "showing",
            "as35908 krypt",
            "as45102 alibaba",
            "hong kong",
            "data service",
            "script script",
            "div div",
            "title",
            "entries",
            "files",
            "japan asn",
            "dns resolutions",
            "memory pattern",
            "ip traffic",
            "domains",
            "urls https",
            "files c",
            "filesgoogle c",
            "written c",
            "extensions",
            "as20446",
            "as14061",
            "emails",
            "threat roundup",
            "bashlite",
            "jupyter rising",
            "vmware",
            "security blog",
            "april",
            "september",
            "december",
            "january",
            "enemybot",
            "core"
          ],
          "references": [
            "Assurance",
            "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2",
            "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)",
            "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger",
            "Domains Contacted: simplesausages.cx.cc adobe.com",
            "https://test2.ditproducts.com/dat/wannacry1.html",
            "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "CVE-2023-22518 | CVE-2023-4966"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Netherlands"
          ],
          "malware_families": [
            {
              "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
              "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
              "target": null
            },
            {
              "id": "Win32:Karagany-D\\ [Trj]",
              "display_name": "Win32:Karagany-D\\ [Trj]",
              "target": null
            },
            {
              "id": "Win.Trojan.Xtoober-650",
              "display_name": "Win.Trojan.Xtoober-650",
              "target": null
            },
            {
              "id": "Trojan:Win32/Startpage.SS",
              "display_name": "Trojan:Win32/Startpage.SS",
              "target": "/malware/Trojan:Win32/Startpage.SS"
            },
            {
              "id": "Win.Packed.Pincav-7537597-0",
              "display_name": "Win.Packed.Pincav-7537597-0",
              "target": null
            },
            {
              "id": "Trojan.Karagany - S0094",
              "display_name": "Trojan.Karagany - S0094",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "TA0008",
              "name": "Lateral Movement",
              "display_name": "TA0008 - Lateral Movement"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            }
          ],
          "industries": [
            "Healthcare",
            "Technology",
            "Telecommunications",
            "Finance - Insurance Sector"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 31,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 2950,
            "FileHash-MD5": 193,
            "FileHash-SHA1": 171,
            "FileHash-SHA256": 1885,
            "URL": 8907,
            "domain": 2945,
            "SSLCertFingerprint": 2,
            "email": 11,
            "CVE": 2
          },
          "indicator_count": 17066,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 225,
          "modified_text": "649 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6665d9ae1b06b560698b2a70",
          "name": "Assurance [a Prudential company] S0094-Remote Access",
          "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business;  Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023.    Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly/Crouching Yeti and more. Infostealer, malware and unwanted programs  downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966",
          "modified": "2024-07-09T15:02:04.111000",
          "created": "2024-06-09T16:34:54.161000",
          "tags": [
            "falcon sandbox",
            "sha256",
            "sha1",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "misc attack",
            "pattern match",
            "ascii text",
            "null",
            "hybrid",
            "refresh",
            "body",
            "span",
            "june",
            "click",
            "date",
            "strings",
            "error",
            "tools",
            "look",
            "verify",
            "restart",
            "contact",
            "historical ssl",
            "referrer",
            "httponly",
            "path",
            "secure",
            "maxage31557600",
            "expiresmon",
            "samesitenone",
            "expireswed",
            "etag w",
            "setcookie dids",
            "maxage864000",
            "http response",
            "final url",
            "serving ip",
            "address",
            "status code",
            "html document",
            "history",
            "utc names",
            "html info",
            "title assurance",
            "meta tags",
            "script tags",
            "anchor hrefs",
            "code",
            "requestid",
            "hostid",
            "xml file",
            "accessdenied",
            "message",
            "signature",
            "expires",
            "awsaccesskeyid",
            "log id",
            "gmtn",
            "passive dns",
            "urls",
            "digicert global",
            "g2 tls",
            "rsa sha256",
            "tls web",
            "full name",
            "self",
            "false",
            "united",
            "as8075",
            "unknown",
            "gmt server",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "pulse submit",
            "url analysis",
            "url https",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "aaaa",
            "meta",
            "link",
            "search",
            "creation date",
            "wheels up",
            "moved",
            "homepage",
            "servers",
            "service",
            "name servers",
            "hostname",
            "next",
            "japan unknown",
            "as2510 fujitsu",
            "status",
            "page",
            "ltd dba",
            "com laude",
            "record value",
            "ireland",
            "germany",
            "australia",
            "as44786 adobe",
            "whitelisted",
            "win32",
            "present may",
            "trojan",
            "karaganye",
            "regsetvalueexa",
            "regdword",
            "default",
            "show",
            "presto",
            "regbinary",
            "medium",
            "create c",
            "query",
            "double",
            "malware",
            "copy",
            "karagany",
            "write",
            "showing",
            "as35908 krypt",
            "as45102 alibaba",
            "hong kong",
            "data service",
            "script script",
            "div div",
            "title",
            "entries",
            "files",
            "japan asn",
            "dns resolutions",
            "memory pattern",
            "ip traffic",
            "domains",
            "urls https",
            "files c",
            "filesgoogle c",
            "written c",
            "extensions",
            "as20446",
            "as14061",
            "emails",
            "threat roundup",
            "bashlite",
            "jupyter rising",
            "vmware",
            "security blog",
            "april",
            "september",
            "december",
            "january",
            "enemybot",
            "core"
          ],
          "references": [
            "Assurance",
            "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2",
            "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)",
            "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger",
            "Domains Contacted: simplesausages.cx.cc adobe.com",
            "https://test2.ditproducts.com/dat/wannacry1.html",
            "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "CVE-2023-22518 | CVE-2023-4966"
          ],
          "public": 1,
          "adversary": "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly,",
          "targeted_countries": [
            "United States of America",
            "Netherlands"
          ],
          "malware_families": [
            {
              "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
              "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
              "target": null
            },
            {
              "id": "Win32:Karagany-D\\ [Trj]",
              "display_name": "Win32:Karagany-D\\ [Trj]",
              "target": null
            },
            {
              "id": "Win.Trojan.Xtoober-650",
              "display_name": "Win.Trojan.Xtoober-650",
              "target": null
            },
            {
              "id": "Trojan:Win32/Startpage.SS",
              "display_name": "Trojan:Win32/Startpage.SS",
              "target": "/malware/Trojan:Win32/Startpage.SS"
            },
            {
              "id": "Win.Packed.Pincav-7537597-0",
              "display_name": "Win.Packed.Pincav-7537597-0",
              "target": null
            },
            {
              "id": "Trojan.Karagany - S0094",
              "display_name": "Trojan.Karagany - S0094",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "TA0008",
              "name": "Lateral Movement",
              "display_name": "TA0008 - Lateral Movement"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            }
          ],
          "industries": [
            "Healthcare",
            "Technology",
            "Telecommunications",
            "Finance - Insurance Sector"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 38,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 2950,
            "FileHash-MD5": 193,
            "FileHash-SHA1": 171,
            "FileHash-SHA256": 1885,
            "URL": 8907,
            "domain": 2945,
            "SSLCertFingerprint": 2,
            "email": 11,
            "CVE": 2
          },
          "indicator_count": 17066,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 226,
          "modified_text": "649 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "657083ed4fcdc6eded29d59b",
          "name": "crowdtangle.com 03.29.2017",
          "description": "",
          "modified": "2023-12-06T14:23:41.446000",
          "created": "2023-12-06T14:23:41.446000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 989,
            "domain": 121,
            "hostname": 196,
            "URL": 612,
            "CIDR": 6,
            "FileHash-MD5": 4
          },
          "indicator_count": 1928,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "865 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "657081b63e54107a19bbe58c",
          "name": "www.scytl.com/en/\", ~ 09.16.2020",
          "description": "",
          "modified": "2023-12-06T14:14:14.965000",
          "created": "2023-12-06T14:14:14.965000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 754,
            "domain": 66,
            "hostname": 190,
            "URL": 574,
            "CIDR": 4,
            "FileHash-MD5": 9
          },
          "indicator_count": 1597,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "865 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65708189dea82839ffe4be99",
          "name": "www.scytl.com:en:%22,.",
          "description": "",
          "modified": "2023-12-06T14:13:29.953000",
          "created": "2023-12-06T14:13:29.953000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 753,
            "domain": 66,
            "hostname": 190,
            "URL": 572,
            "CIDR": 4,
            "FileHash-MD5": 9
          },
          "indicator_count": 1594,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "865 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6570805fcfc42f9740d5cdc0",
          "name": "www.hartintercivic.com:hybrid",
          "description": "",
          "modified": "2023-12-06T14:08:31.382000",
          "created": "2023-12-06T14:08:31.382000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1134,
            "hostname": 391,
            "domain": 247,
            "URL": 1221,
            "CIDR": 9,
            "FileHash-MD5": 35
          },
          "indicator_count": 3037,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "865 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65707ff30cc6d94d175b8bb2",
          "name": "modems.org",
          "description": "",
          "modified": "2023-12-06T14:06:43.176000",
          "created": "2023-12-06T14:06:43.176000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 709,
            "hostname": 223,
            "domain": 65,
            "URL": 537,
            "CIDR": 9,
            "FileHash-MD5": 14,
            "FileHash-SHA1": 3
          },
          "indicator_count": 1560,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "865 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6231e27f73bce35cac1ac401",
          "name": "crowdtangle.com 03.29.2017",
          "description": "",
          "modified": "2022-04-15T00:03:47.669000",
          "created": "2022-03-16T13:13:35.659000",
          "tags": [
            "WannaCry"
          ],
          "references": [
            "crowdtangle.com 03.29.2017.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Win.Ransomware.WannaCry-9856297-0",
              "display_name": "Win.Ransomware.WannaCry-9856297-0",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Kailula4",
            "id": "131997",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 196,
            "URL": 613,
            "FileHash-SHA256": 989,
            "domain": 121,
            "CIDR": 6,
            "FileHash-MD5": 4
          },
          "indicator_count": 1929,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 407,
          "modified_text": "1465 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "622f4724c965841ea9d2e83e",
          "name": "www.scytl.com/en/\", ~ 09.16.2020",
          "description": "",
          "modified": "2022-04-13T00:01:48.292000",
          "created": "2022-03-14T13:46:12.626000",
          "tags": [],
          "references": [
            "www.scytl.com:en:%22,.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Kailula4",
            "id": "131997",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 190,
            "URL": 575,
            "domain": 66,
            "FileHash-SHA256": 754,
            "CIDR": 4,
            "FileHash-MD5": 9
          },
          "indicator_count": 1598,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 407,
          "modified_text": "1467 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "622cd4c75d6cbdce06473fd1",
          "name": "www.scytl.com:en:%22,.",
          "description": "",
          "modified": "2022-04-11T00:04:29.819000",
          "created": "2022-03-12T17:13:43.521000",
          "tags": [],
          "references": [
            "www.scytl.com:en:%22,.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Kailula4",
            "id": "131997",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 190,
            "URL": 573,
            "domain": 66,
            "FileHash-SHA256": 753,
            "CIDR": 4,
            "FileHash-MD5": 9
          },
          "indicator_count": 1595,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 408,
          "modified_text": "1469 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "622211f643bd9b043e7dfb8f",
          "name": "www.hartintercivic.com:hybrid",
          "description": "",
          "modified": "2022-04-03T00:00:55.161000",
          "created": "2022-03-04T13:19:50.635000",
          "tags": [],
          "references": [
            "www.hartintercivic.com:hybrid:%22,           %22request%22: {.pdf",
            "www.hartintercivic.com:hybrid:.pdf",
            "www.hartintercivic.com:hybrid:%22,.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Kailula4",
            "id": "131997",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 391,
            "URL": 1222,
            "domain": 247,
            "FileHash-SHA256": 1134,
            "CIDR": 9,
            "FileHash-MD5": 35
          },
          "indicator_count": 3038,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 407,
          "modified_text": "1477 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6220720cba72010be9d258b4",
          "name": "modems.org",
          "description": "",
          "modified": "2022-04-02T00:04:50.405000",
          "created": "2022-03-03T07:45:16.626000",
          "tags": [],
          "references": [
            ":www.njdems.org.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Kailula4",
            "id": "131997",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 223,
            "URL": 537,
            "domain": 65,
            "FileHash-SHA256": 709,
            "CIDR": 9,
            "FileHash-MD5": 14,
            "FileHash-SHA1": 3
          },
          "indicator_count": 1560,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 406,
          "modified_text": "1478 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
        "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F",
        "Assurance",
        ":www.njdems.org.pdf",
        "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
        "http://watchhers.net/index.php (espionage entity /palantir relationship  - seen before with palantir and Pegasus sometimes simultaneously )",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
        "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)",
        "www.scytl.com:en:%22,.pdf",
        "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU",
        "https://test2.ditproducts.com/dat/wannacry1.html",
        "www.hartintercivic.com:hybrid:%22,.pdf",
        "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
        "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
        "remotewd.com x 34 devices",
        "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
        "www.hartintercivic.com:hybrid:%22,           %22request%22: {.pdf",
        "crowdtangle.com 03.29.2017.pdf",
        "South Africa based:  remote.advisoroffice.com",
        "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
        "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger",
        "rmhumanservices.org",
        "chinaeast2.admin.api.powerautomate.cn",
        "https://www.mlkfoundation.net/ (Foundry DGA)",
        "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
        "CVE-2023-22518 | CVE-2023-4966",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
        "ssa-gov.authorizeddns",
        "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
        "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
        "hmmm\u2026http://palander.stjernstrom.se/",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
        "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022  emails.redvue.com \u2022",
        "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2",
        "acc.lehigtapp.com - malware",
        "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
        "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
        "Active - pointing:  https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "1.organization.api.powerplatform.partner.microsoftonline.cn",
        "Domains Contacted: simplesausages.cx.cc adobe.com",
        "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
        "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
        "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
        "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
        "www.hartintercivic.com:hybrid:.pdf"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly,",
            "APT 10"
          ],
          "malware_families": [
            "Andromeda",
            "Sality",
            "Onelouder",
            "Bayrob",
            "Apt 10",
            "Trojan.karagany - s0094",
            "Win.malware.installcore-6950365-0",
            "Nivdort checkin",
            "Win.trojan.xtoober-650",
            "Alf:jasyp:trojandownloader:win32/karagany!atmn",
            "Win.ransomware.wannacry-9856297-0",
            "Trojan:win32/startpage.ss",
            "Koobface",
            "Win32:karagany-d\\ [trj]",
            "Win.packed.pincav-7537597-0"
          ],
          "industries": [
            "Telecommunications",
            "Golfing",
            "Healthcare",
            "Government",
            "Technology",
            "Finance - insurance sector"
          ],
          "unique_indicators": 38135
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/gravatar.com",
    "whois": "http://whois.domaintools.com/gravatar.com",
    "domain": "gravatar.com",
    "hostname": "secure.gravatar.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 15,
  "pulses": [
    {
      "id": "69c5c7194394ff775d44f7e0",
      "name": "WaypointsStickyChromeCache",
      "description": "A complete analysis of user-created Pulses (AVs) at the University of California, Los Angeles, has been published by the BBC's Newsnight website, along with a series of links.<pretext",
      "modified": "2026-03-27T00:12:08.015000",
      "created": "2026-03-26T23:54:01.493000",
      "tags": [
        "http",
        "urls",
        "unique",
        "pulse pulses",
        "location united",
        "flag united",
        "related",
        "pulses",
        "related tags",
        "x tec",
        "log id",
        "gmtn",
        "tls web",
        "self",
        "encrypt",
        "b2 f6",
        "b0n timestamp",
        "f9401a",
        "timestamp",
        "url add",
        "false"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 121,
        "hostname": 31,
        "domain": 5,
        "FileHash-MD5": 20,
        "FileHash-SHA1": 18,
        "FileHash-SHA256": 98,
        "SSLCertFingerprint": 2,
        "IPv4": 1,
        "CVE": 1
      },
      "indicator_count": 297,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "23 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68cb233ba91aa1eb958b3f31",
      "name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022  OneLouder",
      "description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea",
      "modified": "2025-10-17T19:03:15.031000",
      "created": "2025-09-17T21:08:11.518000",
      "tags": [
        "script urls",
        "meta",
        "moved",
        "x tec",
        "passive dns",
        "encrypt",
        "america flag",
        "san francisco",
        "extraction",
        "data upload",
        "type indicatod",
        "united states",
        "a domains",
        "united",
        "gmt server",
        "jose",
        "university",
        "bill",
        "rmhs",
        "information",
        "board",
        "lorin",
        "joseph",
        "all veterans",
        "rocky mountain",
        "mission",
        "vice",
        "april",
        "school",
        "austin",
        "prior",
        "ipv4 add",
        "urls",
        "files",
        "location united",
        "wordpress",
        "rmhs meta",
        "tags viewport",
        "rmhs og",
        "rmhs article",
        "wpbakery page",
        "builder",
        "slider plugin",
        "google tag",
        "mountain human",
        "denver",
        "connecting",
        "denver start",
        "relevance home",
        "providers",
        "contact us",
        "rmhs main",
        "server",
        "redacted tech",
        "redacted admin",
        "registrar abuse",
        "algorithm",
        "key identifier",
        "x509v3 subject",
        "dnssec",
        "country",
        "ttl value",
        "graph summary",
        "resolved ips",
        "ip address",
        "port",
        "data",
        "screenshots no",
        "involved direct",
        "country name",
        "name response",
        "tcp connections",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "found",
        "spawns",
        "t1590 gather",
        "path",
        "ascii text",
        "exif standard",
        "tiff image",
        "format",
        "stop",
        "false",
        "soldier",
        "model",
        "youth",
        "baby",
        "june",
        "general",
        "local",
        "click",
        "strings",
        "core",
        "warrior",
        "green",
        "emotion",
        "flash",
        "nina",
        "hunk",
        "fono",
        "daam",
        "mitre att",
        "ck techniques",
        "id name",
        "malicious",
        "windows nt",
        "win64",
        "khtml",
        "gecko",
        "brand",
        "microsoft edge",
        "show process",
        "self",
        "date",
        "comspec",
        "hybrid",
        "form",
        "log id",
        "gmtn",
        "tls web",
        "b2 f6",
        "b0n timestamp",
        "f9401a",
        "record value",
        "x wix",
        "certificate",
        "domain add",
        "pulse submit",
        "body",
        "domain related",
        "blackbox",
        "apple",
        "helix",
        "dvrdns",
        "tracking",
        "remote access",
        "ios",
        "spyware",
        "hoax",
        "dynamicloader",
        "ptls6",
        "medium",
        "flashpix",
        "high",
        "ygjpavclsline",
        "officespace",
        "chartshared",
        "powershell",
        "write",
        "malware",
        "ygjpaulscontext",
        "status",
        "japan unknown",
        "domain",
        "pulses",
        "search",
        "accept",
        "apt10",
        "trojanspy",
        "win32",
        "entries",
        "susp",
        "backdoor",
        "useragent",
        "showing",
        "virtool",
        "twitter",
        "mozilla",
        "trojandropper",
        "trojan",
        "title",
        "onelouder",
        "yara det",
        "maware samoe",
        "genaco x",
        "ids detec",
        "ids terse",
        "win3 data",
        "include review",
        "exclude sugges",
        "targeting",
        "show",
        "copy",
        "reads",
        "dynamic",
        "vendor finding",
        "notes clamav",
        "files matching",
        "number",
        "sample analysis",
        "hide samples",
        "date hash",
        "next yara"
      ],
      "references": [
        "rmhumanservices.org",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
        "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
        "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
        "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
        "https://www.mlkfoundation.net/ (Foundry DGA)",
        "remotewd.com x 34 devices",
        "South Africa based:  remote.advisoroffice.com",
        "acc.lehigtapp.com - malware",
        "http://watchhers.net/index.php (espionage entity /palantir relationship  - seen before with palantir and Pegasus sometimes simultaneously )",
        "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022  emails.redvue.com \u2022",
        "Active - pointing:  https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
        "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
        "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
        "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
        "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
        "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
        "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
        "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
        "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
        "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
        "1.organization.api.powerplatform.partner.microsoftonline.cn",
        "chinaeast2.admin.api.powerautomate.cn",
        "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
        "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
        "ssa-gov.authorizeddns",
        "hmmm\u2026http://palander.stjernstrom.se/",
        "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU"
      ],
      "public": 1,
      "adversary": "APT 10",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "APT 10",
          "display_name": "APT 10",
          "target": null
        },
        {
          "id": "OneLouder",
          "display_name": "OneLouder",
          "target": null
        },
        {
          "id": "Andromeda",
          "display_name": "Andromeda",
          "target": null
        },
        {
          "id": "Sality",
          "display_name": "Sality",
          "target": null
        },
        {
          "id": "KoobFace",
          "display_name": "KoobFace",
          "target": null
        },
        {
          "id": "Bayrob",
          "display_name": "Bayrob",
          "target": null
        },
        {
          "id": "Nivdort Checkin",
          "display_name": "Nivdort Checkin",
          "target": null
        },
        {
          "id": "Win.Malware.Installcore-6950365-0",
          "display_name": "Win.Malware.Installcore-6950365-0",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1574.006",
          "name": "Dynamic Linker Hijacking",
          "display_name": "T1574.006 - Dynamic Linker Hijacking"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        }
      ],
      "industries": [
        "Golfing",
        "Healthcare",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 690,
        "hostname": 1912,
        "URL": 5925,
        "FileHash-SHA1": 273,
        "email": 8,
        "FileHash-SHA256": 3618,
        "CIDR": 3,
        "FileHash-MD5": 254,
        "SSLCertFingerprint": 19,
        "CVE": 2
      },
      "indicator_count": 12704,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "184 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "685afb805ba518e374abc735",
      "name": "Home - RMHS - Ransom",
      "description": "I can only  imagine what is going on. This is a real organization, with a building,  ever changing case workers who don\u2019t want to meet with clients in person . I have received several incoming concerns since 2021. It seems that a threat actor may be ringing along or certain people are being handled / investigated / silenced and closely monitored by a very large interconnected Cyber Intelligence entity  \u2022 Trojan:X97M/ShellHide.C |\n\u2022 Trojan:PDF/Phish.RR!MTB |\n\u2022 Win.Trojan.Agent-370485 |\nAntivirus Detections:\n\u2022 Win.Trojan.Agent-370485\nYara: VirusWin32Span |\nAlerts\nransomware_file_modifications\nstealth_file\nDomains Contacted: Unknown\n(efbkfqpcdh.com) [\t\t\t\t2025-07-24T16:00:00\t14\t\n\nURL\nhttp://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel] #phishing #malware #intel? #trojan #infectiin",
      "modified": "2025-07-24T19:04:24.993000",
      "created": "2025-06-24T19:24:48.632000",
      "tags": [
        "wordpress",
        "home",
        "rmhs og",
        "rmhs article",
        "wpbakery page",
        "builder",
        "slider plugin",
        "utc google",
        "tag manager",
        "g5cygkcj7g1",
        "dynamicloader",
        "ms windows",
        "intel",
        "users",
        "medium",
        "pe32",
        "search",
        "show",
        "windows",
        "videos",
        "music",
        "copy",
        "write",
        "next",
        "ford mustang",
        "converter pdf",
        "gt convertible",
        "trim",
        "models ford",
        "mustang coupe",
        "createdate",
        "producer solid",
        "filehash",
        "trojan",
        "format",
        "united",
        "moved",
        "passive dns",
        "ipv4 add",
        "pulse submit",
        "url analysis",
        "urls",
        "files",
        "location united",
        "america flag",
        "encrypt",
        "date",
        "sc onlogon",
        "write c",
        "port",
        "showing",
        "entries",
        "module load",
        "execution",
        "malware",
        "self",
        "reverse dns",
        "url https",
        "resource",
        "general full",
        "name value",
        "security tls",
        "hash",
        "san francisco",
        "june",
        "input",
        "form",
        "dom get",
        "search start",
        "get https",
        "post",
        "value",
        "variables",
        "msgoriginaltext",
        "msgoptions",
        "isns function",
        "setupns",
        "rsiw number",
        "rsih object",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "found",
        "spawns",
        "ck techniques",
        "flag",
        "markmonitor",
        "name server",
        "server",
        "rocky mountain",
        "human",
        "domain address",
        "enom",
        "copy sha256",
        "path",
        "copy md5",
        "copy sha1",
        "sha256",
        "size",
        "sha1",
        "attrib",
        "rowcycur",
        "hz4urdyi",
        "stop",
        "false",
        "soldier",
        "model",
        "youth",
        "baby",
        "core",
        "warrior",
        "green",
        "emotion",
        "flash",
        "nina",
        "hunk",
        "fono",
        "daam",
        "destination",
        "tlsv1",
        "dyndns domain",
        "irfan skiljan",
        "yara detections",
        "pdf pdf",
        "producer pdftk",
        "title data",
        "pulse pulses",
        "av detections",
        "ids detections",
        "alerts",
        "analysis date",
        "pictures",
        "read",
        "delete",
        "thumbprint",
        "graph summary",
        "url http",
        "gna7hdu",
        "g4 rsa4096",
        "adobe systems",
        "services1",
        "adobe product",
        "creatortool",
        "ascii text",
        "description svg",
        "scalable vector",
        "graphics image"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1158",
          "name": "Hidden Files and Directories",
          "display_name": "T1158 - Hidden Files and Directories"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 34,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 56,
        "URL": 262,
        "hostname": 165,
        "FileHash-SHA256": 2141,
        "FileHash-MD5": 308,
        "FileHash-SHA1": 308,
        "SSLCertFingerprint": 3,
        "email": 1
      },
      "indicator_count": 3244,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "269 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6665d55d941729c5f283b3f7",
      "name": "S0094-Remote Access - Assurance [a Prudential company]",
      "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business;  Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. health insurance agents Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly. Infostealer, malware and unwanted programs  downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966",
      "modified": "2024-07-09T15:02:04.111000",
      "created": "2024-06-09T16:16:29.634000",
      "tags": [
        "falcon sandbox",
        "sha256",
        "sha1",
        "et tor",
        "known tor",
        "relayrouter",
        "exit",
        "node traffic",
        "misc attack",
        "pattern match",
        "ascii text",
        "null",
        "hybrid",
        "refresh",
        "body",
        "span",
        "june",
        "click",
        "date",
        "strings",
        "error",
        "tools",
        "look",
        "verify",
        "restart",
        "contact",
        "historical ssl",
        "referrer",
        "httponly",
        "path",
        "secure",
        "maxage31557600",
        "expiresmon",
        "samesitenone",
        "expireswed",
        "etag w",
        "setcookie dids",
        "maxage864000",
        "http response",
        "final url",
        "serving ip",
        "address",
        "status code",
        "html document",
        "history",
        "utc names",
        "html info",
        "title assurance",
        "meta tags",
        "script tags",
        "anchor hrefs",
        "code",
        "requestid",
        "hostid",
        "xml file",
        "accessdenied",
        "message",
        "signature",
        "expires",
        "awsaccesskeyid",
        "log id",
        "gmtn",
        "passive dns",
        "urls",
        "digicert global",
        "g2 tls",
        "rsa sha256",
        "tls web",
        "full name",
        "self",
        "false",
        "united",
        "as8075",
        "unknown",
        "gmt server",
        "scan endpoints",
        "all scoreblue",
        "ipv4",
        "pulse submit",
        "url analysis",
        "url https",
        "pulse pulses",
        "http",
        "ip address",
        "related nids",
        "files location",
        "aaaa",
        "meta",
        "link",
        "search",
        "creation date",
        "wheels up",
        "moved",
        "homepage",
        "servers",
        "service",
        "name servers",
        "hostname",
        "next",
        "japan unknown",
        "as2510 fujitsu",
        "status",
        "page",
        "ltd dba",
        "com laude",
        "record value",
        "ireland",
        "germany",
        "australia",
        "as44786 adobe",
        "whitelisted",
        "win32",
        "present may",
        "trojan",
        "karaganye",
        "regsetvalueexa",
        "regdword",
        "default",
        "show",
        "presto",
        "regbinary",
        "medium",
        "create c",
        "query",
        "double",
        "malware",
        "copy",
        "karagany",
        "write",
        "showing",
        "as35908 krypt",
        "as45102 alibaba",
        "hong kong",
        "data service",
        "script script",
        "div div",
        "title",
        "entries",
        "files",
        "japan asn",
        "dns resolutions",
        "memory pattern",
        "ip traffic",
        "domains",
        "urls https",
        "files c",
        "filesgoogle c",
        "written c",
        "extensions",
        "as20446",
        "as14061",
        "emails",
        "threat roundup",
        "bashlite",
        "jupyter rising",
        "vmware",
        "security blog",
        "april",
        "september",
        "december",
        "january",
        "enemybot",
        "core"
      ],
      "references": [
        "Assurance",
        "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2",
        "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)",
        "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger",
        "Domains Contacted: simplesausages.cx.cc adobe.com",
        "https://test2.ditproducts.com/dat/wannacry1.html",
        "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "CVE-2023-22518 | CVE-2023-4966"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Netherlands"
      ],
      "malware_families": [
        {
          "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
          "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
          "target": null
        },
        {
          "id": "Win32:Karagany-D\\ [Trj]",
          "display_name": "Win32:Karagany-D\\ [Trj]",
          "target": null
        },
        {
          "id": "Win.Trojan.Xtoober-650",
          "display_name": "Win.Trojan.Xtoober-650",
          "target": null
        },
        {
          "id": "Trojan:Win32/Startpage.SS",
          "display_name": "Trojan:Win32/Startpage.SS",
          "target": "/malware/Trojan:Win32/Startpage.SS"
        },
        {
          "id": "Win.Packed.Pincav-7537597-0",
          "display_name": "Win.Packed.Pincav-7537597-0",
          "target": null
        },
        {
          "id": "Trojan.Karagany - S0094",
          "display_name": "Trojan.Karagany - S0094",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "TA0002",
          "name": "Execution",
          "display_name": "TA0002 - Execution"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "TA0008",
          "name": "Lateral Movement",
          "display_name": "TA0008 - Lateral Movement"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        }
      ],
      "industries": [
        "Healthcare",
        "Technology",
        "Telecommunications",
        "Finance - Insurance Sector"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 31,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 2950,
        "FileHash-MD5": 193,
        "FileHash-SHA1": 171,
        "FileHash-SHA256": 1885,
        "URL": 8907,
        "domain": 2945,
        "SSLCertFingerprint": 2,
        "email": 11,
        "CVE": 2
      },
      "indicator_count": 17066,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 225,
      "modified_text": "649 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6665d9ae1b06b560698b2a70",
      "name": "Assurance [a Prudential company] S0094-Remote Access",
      "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business;  Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023.    Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly/Crouching Yeti and more. Infostealer, malware and unwanted programs  downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966",
      "modified": "2024-07-09T15:02:04.111000",
      "created": "2024-06-09T16:34:54.161000",
      "tags": [
        "falcon sandbox",
        "sha256",
        "sha1",
        "et tor",
        "known tor",
        "relayrouter",
        "exit",
        "node traffic",
        "misc attack",
        "pattern match",
        "ascii text",
        "null",
        "hybrid",
        "refresh",
        "body",
        "span",
        "june",
        "click",
        "date",
        "strings",
        "error",
        "tools",
        "look",
        "verify",
        "restart",
        "contact",
        "historical ssl",
        "referrer",
        "httponly",
        "path",
        "secure",
        "maxage31557600",
        "expiresmon",
        "samesitenone",
        "expireswed",
        "etag w",
        "setcookie dids",
        "maxage864000",
        "http response",
        "final url",
        "serving ip",
        "address",
        "status code",
        "html document",
        "history",
        "utc names",
        "html info",
        "title assurance",
        "meta tags",
        "script tags",
        "anchor hrefs",
        "code",
        "requestid",
        "hostid",
        "xml file",
        "accessdenied",
        "message",
        "signature",
        "expires",
        "awsaccesskeyid",
        "log id",
        "gmtn",
        "passive dns",
        "urls",
        "digicert global",
        "g2 tls",
        "rsa sha256",
        "tls web",
        "full name",
        "self",
        "false",
        "united",
        "as8075",
        "unknown",
        "gmt server",
        "scan endpoints",
        "all scoreblue",
        "ipv4",
        "pulse submit",
        "url analysis",
        "url https",
        "pulse pulses",
        "http",
        "ip address",
        "related nids",
        "files location",
        "aaaa",
        "meta",
        "link",
        "search",
        "creation date",
        "wheels up",
        "moved",
        "homepage",
        "servers",
        "service",
        "name servers",
        "hostname",
        "next",
        "japan unknown",
        "as2510 fujitsu",
        "status",
        "page",
        "ltd dba",
        "com laude",
        "record value",
        "ireland",
        "germany",
        "australia",
        "as44786 adobe",
        "whitelisted",
        "win32",
        "present may",
        "trojan",
        "karaganye",
        "regsetvalueexa",
        "regdword",
        "default",
        "show",
        "presto",
        "regbinary",
        "medium",
        "create c",
        "query",
        "double",
        "malware",
        "copy",
        "karagany",
        "write",
        "showing",
        "as35908 krypt",
        "as45102 alibaba",
        "hong kong",
        "data service",
        "script script",
        "div div",
        "title",
        "entries",
        "files",
        "japan asn",
        "dns resolutions",
        "memory pattern",
        "ip traffic",
        "domains",
        "urls https",
        "files c",
        "filesgoogle c",
        "written c",
        "extensions",
        "as20446",
        "as14061",
        "emails",
        "threat roundup",
        "bashlite",
        "jupyter rising",
        "vmware",
        "security blog",
        "april",
        "september",
        "december",
        "january",
        "enemybot",
        "core"
      ],
      "references": [
        "Assurance",
        "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2",
        "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)",
        "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger",
        "Domains Contacted: simplesausages.cx.cc adobe.com",
        "https://test2.ditproducts.com/dat/wannacry1.html",
        "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "CVE-2023-22518 | CVE-2023-4966"
      ],
      "public": 1,
      "adversary": "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly,",
      "targeted_countries": [
        "United States of America",
        "Netherlands"
      ],
      "malware_families": [
        {
          "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
          "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
          "target": null
        },
        {
          "id": "Win32:Karagany-D\\ [Trj]",
          "display_name": "Win32:Karagany-D\\ [Trj]",
          "target": null
        },
        {
          "id": "Win.Trojan.Xtoober-650",
          "display_name": "Win.Trojan.Xtoober-650",
          "target": null
        },
        {
          "id": "Trojan:Win32/Startpage.SS",
          "display_name": "Trojan:Win32/Startpage.SS",
          "target": "/malware/Trojan:Win32/Startpage.SS"
        },
        {
          "id": "Win.Packed.Pincav-7537597-0",
          "display_name": "Win.Packed.Pincav-7537597-0",
          "target": null
        },
        {
          "id": "Trojan.Karagany - S0094",
          "display_name": "Trojan.Karagany - S0094",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "TA0002",
          "name": "Execution",
          "display_name": "TA0002 - Execution"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "TA0008",
          "name": "Lateral Movement",
          "display_name": "TA0008 - Lateral Movement"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        }
      ],
      "industries": [
        "Healthcare",
        "Technology",
        "Telecommunications",
        "Finance - Insurance Sector"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 38,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 2950,
        "FileHash-MD5": 193,
        "FileHash-SHA1": 171,
        "FileHash-SHA256": 1885,
        "URL": 8907,
        "domain": 2945,
        "SSLCertFingerprint": 2,
        "email": 11,
        "CVE": 2
      },
      "indicator_count": 17066,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 226,
      "modified_text": "649 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "657083ed4fcdc6eded29d59b",
      "name": "crowdtangle.com 03.29.2017",
      "description": "",
      "modified": "2023-12-06T14:23:41.446000",
      "created": "2023-12-06T14:23:41.446000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 989,
        "domain": 121,
        "hostname": 196,
        "URL": 612,
        "CIDR": 6,
        "FileHash-MD5": 4
      },
      "indicator_count": 1928,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "865 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "657081b63e54107a19bbe58c",
      "name": "www.scytl.com/en/\", ~ 09.16.2020",
      "description": "",
      "modified": "2023-12-06T14:14:14.965000",
      "created": "2023-12-06T14:14:14.965000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 754,
        "domain": 66,
        "hostname": 190,
        "URL": 574,
        "CIDR": 4,
        "FileHash-MD5": 9
      },
      "indicator_count": 1597,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 110,
      "modified_text": "865 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65708189dea82839ffe4be99",
      "name": "www.scytl.com:en:%22,.",
      "description": "",
      "modified": "2023-12-06T14:13:29.953000",
      "created": "2023-12-06T14:13:29.953000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 753,
        "domain": 66,
        "hostname": 190,
        "URL": 572,
        "CIDR": 4,
        "FileHash-MD5": 9
      },
      "indicator_count": 1594,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "865 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6570805fcfc42f9740d5cdc0",
      "name": "www.hartintercivic.com:hybrid",
      "description": "",
      "modified": "2023-12-06T14:08:31.382000",
      "created": "2023-12-06T14:08:31.382000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1134,
        "hostname": 391,
        "domain": 247,
        "URL": 1221,
        "CIDR": 9,
        "FileHash-MD5": 35
      },
      "indicator_count": 3037,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "865 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65707ff30cc6d94d175b8bb2",
      "name": "modems.org",
      "description": "",
      "modified": "2023-12-06T14:06:43.176000",
      "created": "2023-12-06T14:06:43.176000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 709,
        "hostname": 223,
        "domain": 65,
        "URL": 537,
        "CIDR": 9,
        "FileHash-MD5": 14,
        "FileHash-SHA1": 3
      },
      "indicator_count": 1560,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "865 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://secure.gravatar.com",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://secure.gravatar.com",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776639092.2441375
}