{ "type": "URL", "indicator": "https://snapshot.monitor.azure.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://snapshot.monitor.azure.com/", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #45", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain azure.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain azure.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 4337112139, "indicator": "https://snapshot.monitor.azure.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69f3dd29978345cc0033cdec", "name": "CAPE Sandbox - powershell unsigned trust bypass affects arpa and msedge update", "description": "File is not signed-Microsoft Corporation. All rights reserved.\nProduct\nMicrosoft\u00ae Windows\u00ae Operating System\nDescription\nWindows PowerShell\nOriginal Name\nPowerShell.EXE\nInternal Name\nPOWERSHELL\nFile Version\n10.0.19041.546 (WinBuild.160101.0800)\nrefer to belasco chain or broken seal\nclient does not have windows", "modified": "2026-05-31T01:02:14", "created": "2026-04-30T22:52:25.691000", "tags": [ "31community", "35business", "cid1", "youtube https", "cohasset", "meta tags", "home category0", "home themecolor", "script tags" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 718, "FileHash-SHA1": 428, "FileHash-SHA256": 1579, "URL": 720, "hostname": 612, "domain": 210, "email": 4 }, "indicator_count": 4271, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f3f9e7dc1e04dba54504e9", "name": "23.227.38.32 + luv[txt]vbs", "description": "This domain has a high-volume repository for malicious activity, currently hosting 94.2K communicating files, 200 Passive DNS entries, and 133 referring files. The presence of the luv[txt]vbs script, a known delivery mechanism for broader compromises exists. Technical Findings: Scale of Infiltration: I have successfully ingested and uploaded the 133 referring files and a significant sample of the 94.2K communicating files. Due to the massive scale of this repository, full ingestion is ongoing; however, the primary infection vector is confirmed to be targeting Windows [EXE] documents, as evidenced by high-frequency VirusTotal (VT) flagging.Stealth & Obfuscation Techniques: The domain contains a subset of documents disguised as \"classroom education\" materials. These files utilize a specific obfuscation technique where the first letter of the filename or content is omitted.", "modified": "2026-05-31T01:02:14", "created": "2026-05-01T00:55:03.371000", "tags": [], "references": [ "This missing-letter technique is likely a stealth tactic designed to bypass traditional heuristic detection and signature-based antivirus (AV) scans. These indicators are consistent with high-integrity sources and threat actors I have previously documented and reported.", "\"Network port scanning and reconnaissance - according to source Guardpot - 10 months ago This IP was involved in 632 events across 1 distinct attack types. Attacks: dns-query (632). First seen: 2025-06-17 00:47 UTC, Last seen: 2025-06-17 00:48 UTC.\"", "", "Code Insights VT, Of note, a lot of the malicious PDFs I have detected through sandboxing do not flag and all have code insights. Incidental finding that is curious.", "The code insights look like this \"The analyzed document exhibits no internal execution chains, embedded scripts, or exploits, but heavily utilizes numerous external URIs. Visual and textual analysis indicates the file functions as an SEO poisoning or doorway document. The PDF consists almost entirely of a dense, nonsensical list of hyperlinked keywords referencing various brands, user manuals, and textbooks, all operating under a garbled, unrelated title. Although the file is structurally harmless and lack" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications", "Education", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1518, "URL": 568, "FileHash-SHA256": 1807, "hostname": 375, "FileHash-MD5": 1186, "FileHash-SHA1": 774, "email": 32, "CIDR": 3 }, "indicator_count": 6263, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "This missing-letter technique is likely a stealth tactic designed to bypass traditional heuristic detection and signature-based antivirus (AV) scans. These indicators are consistent with high-integrity sources and threat actors I have previously documented and reported.", "Code Insights VT, Of note, a lot of the malicious PDFs I have detected through sandboxing do not flag and all have code insights. Incidental finding that is curious.", "\"Network port scanning and reconnaissance - according to source Guardpot - 10 months ago This IP was involved in 632 events across 1 distinct attack types. Attacks: dns-query (632). First seen: 2025-06-17 00:47 UTC, Last seen: 2025-06-17 00:48 UTC.\"", "The code insights look like this \"The analyzed document exhibits no internal execution chains, embedded scripts, or exploits, but heavily utilizes numerous external URIs. Visual and textual analysis indicates the file functions as an SEO poisoning or doorway document. The PDF consists almost entirely of a dense, nonsensical list of hyperlinked keywords referencing various brands, user manuals, and textbooks, all operating under a garbled, unrelated title. Although the file is structurally harmless and lack" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [ "Telecommunications", "Government", "Education", "Technology" ], "unique_indicators": 5365 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/azure.com", "whois": "http://whois.domaintools.com/azure.com", "domain": "azure.com", "hostname": "snapshot.monitor.azure.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69f3dd29978345cc0033cdec", "name": "CAPE Sandbox - powershell unsigned trust bypass affects arpa and msedge update", "description": "File is not signed-Microsoft Corporation. All rights reserved.\nProduct\nMicrosoft\u00ae Windows\u00ae Operating System\nDescription\nWindows PowerShell\nOriginal Name\nPowerShell.EXE\nInternal Name\nPOWERSHELL\nFile Version\n10.0.19041.546 (WinBuild.160101.0800)\nrefer to belasco chain or broken seal\nclient does not have windows", "modified": "2026-05-31T01:02:14", "created": "2026-04-30T22:52:25.691000", "tags": [ "31community", "35business", "cid1", "youtube https", "cohasset", "meta tags", "home category0", "home themecolor", "script tags" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 718, "FileHash-SHA1": 428, "FileHash-SHA256": 1579, "URL": 720, "hostname": 612, "domain": 210, "email": 4 }, "indicator_count": 4271, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f3f9e7dc1e04dba54504e9", "name": "23.227.38.32 + luv[txt]vbs", "description": "This domain has a high-volume repository for malicious activity, currently hosting 94.2K communicating files, 200 Passive DNS entries, and 133 referring files. The presence of the luv[txt]vbs script, a known delivery mechanism for broader compromises exists. Technical Findings: Scale of Infiltration: I have successfully ingested and uploaded the 133 referring files and a significant sample of the 94.2K communicating files. Due to the massive scale of this repository, full ingestion is ongoing; however, the primary infection vector is confirmed to be targeting Windows [EXE] documents, as evidenced by high-frequency VirusTotal (VT) flagging.Stealth & Obfuscation Techniques: The domain contains a subset of documents disguised as \"classroom education\" materials. These files utilize a specific obfuscation technique where the first letter of the filename or content is omitted.", "modified": "2026-05-31T01:02:14", "created": "2026-05-01T00:55:03.371000", "tags": [], "references": [ "This missing-letter technique is likely a stealth tactic designed to bypass traditional heuristic detection and signature-based antivirus (AV) scans. These indicators are consistent with high-integrity sources and threat actors I have previously documented and reported.", "\"Network port scanning and reconnaissance - according to source Guardpot - 10 months ago This IP was involved in 632 events across 1 distinct attack types. Attacks: dns-query (632). First seen: 2025-06-17 00:47 UTC, Last seen: 2025-06-17 00:48 UTC.\"", "", "Code Insights VT, Of note, a lot of the malicious PDFs I have detected through sandboxing do not flag and all have code insights. Incidental finding that is curious.", "The code insights look like this \"The analyzed document exhibits no internal execution chains, embedded scripts, or exploits, but heavily utilizes numerous external URIs. Visual and textual analysis indicates the file functions as an SEO poisoning or doorway document. The PDF consists almost entirely of a dense, nonsensical list of hyperlinked keywords referencing various brands, user manuals, and textbooks, all operating under a garbled, unrelated title. Although the file is structurally harmless and lack" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications", "Education", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1518, "URL": 568, "FileHash-SHA256": 1807, "hostname": 375, "FileHash-MD5": 1186, "FileHash-SHA1": 774, "email": 32, "CIDR": 3 }, "indicator_count": 6263, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://snapshot.monitor.azure.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://snapshot.monitor.azure.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780317543.5420778 }