{
"type": "URL",
"indicator": "https://spark.meta.com/terms/",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://spark.meta.com/terms/",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3771621214,
"indicator": "https://spark.meta.com/terms/",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 17,
"pulses": [
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-05-17T15:52:35.396000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
"My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 28000,
"FileHash-SHA256": 48374,
"FileHash-MD5": 42596,
"FileHash-SHA1": 23243,
"hostname": 35654,
"URL": 75758,
"SSLCertFingerprint": 30,
"CVE": 7585,
"email": 316,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"URI": 5,
"IPv4": 574,
"Mutex": 1
},
"indicator_count": 288350,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 92,
"modified_text": "15 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69df292dac938e1d181a38e2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'\n\nObservations: Unplugged, Airbook, flashed wrote or write javascript in red around 2:45am EST when trying to upload and took me to a google screen.",
"modified": "2026-05-16T00:08:35.224000",
"created": "2026-04-15T05:59:09.898000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 5178,
"URL": 5165,
"FileHash-MD5": 1546,
"FileHash-SHA1": 381,
"domain": 1818,
"hostname": 3413,
"email": 22,
"URI": 2,
"CVE": 1
},
"indicator_count": 17526,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "17 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69df292b85c74fec867e4ed2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'",
"modified": "2026-05-16T00:08:35.224000",
"created": "2026-04-15T05:59:07.274000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3012,
"URL": 3826,
"FileHash-MD5": 734,
"FileHash-SHA1": 453,
"domain": 862,
"hostname": 1629,
"email": 25,
"CVE": 1
},
"indicator_count": 10542,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "17 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf261cc4e399447d78776c",
"name": "Cyber Bully Attackers | Revenge Attacks | Remote attackers | Malware Packed |",
"description": "Several government entities, attorneys have sought porn revenge including physical violence, attempted crimes, malicious prosecution case , harassment when a female patient of man formerly known as Jeffrey Scott Reimer of Chester Springs, PA, violently, critically injured patient in a sexually charged assault [URL\thttp://foundry2-lbl.dvr.dn2.n-helix.com\t\t\t\nhttps://foundry2-lbl.dvr.dn2.n-helix.com\t\tfoundry2-lbl.dvr.dn2.n-helix.com\t\t\t\t\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\nhttp://datafoundry.com\t\t\t\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\thttps://209-99-40-223.fwd.datafoundry.com\t\t\t\ndatafoundry.com",
"modified": "2026-04-20T21:01:07.869000",
"created": "2026-03-21T23:13:32.760000",
"tags": [
"sc data",
"data upload",
"please sub",
"include data",
"extraction",
"failed",
"sc pulse",
"idron anv",
"extr please",
"include review",
"exclude sugges",
"stop show",
"typ domain",
"united",
"virtool",
"name servers",
"cryp",
"emails",
"win32",
"ip address",
"worm",
"trojan",
"learn",
"suspicious",
"informative",
"ck id",
"name tactics",
"command",
"adversaries",
"spawns",
"ssl certificate",
"initial access",
"link initial",
"prefetch8",
"mitre att",
"ck matrix",
"flag",
"windows nt",
"win64",
"accept",
"encrypt",
"form",
"hybrid",
"bypass",
"general",
"path",
"iframe",
"click",
"strings",
"anchor https",
"anchor",
"liberal",
"sabey",
"liberal friends",
"meta",
"html internet",
"html document",
"unicode text",
"utf8 text",
"info initial",
"access ta0001",
"compromise",
"t1189 network",
"communication",
"get http",
"artifacts v",
"full reports",
"v get",
"help dns",
"resolutions",
"ip traffic",
"extr data",
"enter sc",
"extra data",
"referen",
"broth",
"passive dns",
"urls",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"none google",
"safe browsing",
"inquest labs",
"lucas acha",
"code integrity",
"checks creation",
"otx logo",
"all hostname",
"files",
"domain",
"protect",
"date",
"title",
"exchange",
"se http",
"present jan",
"present feb",
"present dec",
"backdoor",
"certificate",
"all domain",
"alibaba cloud",
"hichina",
"porkbun llc",
"cloudflare",
"namecheap inc",
"namecheap",
"domains",
"dynadot llc",
"ascio",
"denmark",
"url https",
"filehashsha256",
"url http",
"dopple ai",
"snit",
"iocs",
"otx description",
"information",
"report spam",
"delete service",
"poem",
"hunter",
"malicious",
"porn revenge",
"brian sabeys",
"all report",
"spam delete",
"rl http",
"https",
"expiration http",
"spam brian",
"swipper",
"type indicator",
"role title",
"added active",
"related pulses",
"filehashmd5",
"filehashsha1",
"sha256",
"scan",
"learn more",
"indicators show",
"tbmvid",
"sourcelnms",
"zx1724209326040",
"xxx videos",
"xxxvideohd",
"adversary",
"packing",
"palantir.com",
"discovery",
"victim won case",
"doin it",
"palantirian abuse",
"apple",
"sabey data centers",
"insurance",
"quasi government",
"the brother sabey",
"reimer",
"law enforcement",
"vessel state",
"sabey porn",
"hall evans",
"christopher ahmann",
"defamation",
"google"
],
"references": [
"The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/",
"http://watchhers.net/index.php",
"http://212.33.237.86/images/1/report.php",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://webmail.police.govmm.org/owa/",
"https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl",
"https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215",
"Mark Brian Sabey",
"Melvin Sabey",
"Christopher P \u2018Buzz\u2019 Ahmann",
"Ronda Cordova",
"Unknown Persons impersonating Private Investigators (plural)",
"Quasi Government Case",
"Victim silenced. Struck by Car Driven by male police let walk",
"Denver Police let this attempted murder walk. Cited him as a ghost driver",
"Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora",
"Sexual and Physical Assaulter - Jeffrey Scott Reimer",
"Reimer was a PT. Unknown whereabouts , name or job description",
"Denver Police Department Major Crimes closed investigation",
"Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim",
"I bring up the personal nature of the crime because a delete service has been used",
"More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed",
"All IoC\u2019s originate from sources named. There are some unknown attackers",
"This is a serious crime. I\u2019m certain God WILL pay them.",
"https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com",
"http://palantirwww.sweetheartvideo.com/ (weirdness)",
"http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx",
"https://www.datafoundry.com/data-center-contamination-control/",
"https://www.datafoundry.com/data-center-contamination-control/",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"http://foundry2-lbl.dvr.dn2.n-helix.com/",
"https://207-207-25-201.fwd.datafoundry.com/",
"http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd",
"http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://rdweb.datafoundry.com/",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"http://foundry2sdbl.dvr.dn2.n-helix.com/",
"Updated | What\u2019s left after theft",
"207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com",
"207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com",
"https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse",
"https://www.datafoundry.com/category/news/press-releases/",
"207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com",
"209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com",
"www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com",
"http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com",
"http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/",
"https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022",
"https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/",
"https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com",
"Some may may find this content is very disturbing and offensive"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Porn Revenge",
"display_name": "Porn Revenge",
"target": null
},
{
"id": "Tons of Malware",
"display_name": "Tons of Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1132.001",
"name": "Standard Encoding",
"display_name": "T1132.001 - Standard Encoding"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1495",
"name": "Firmware Corruption",
"display_name": "T1495 - Firmware Corruption"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1586.001",
"name": "Social Media Accounts",
"display_name": "T1586.001 - Social Media Accounts"
},
{
"id": "T1593.001",
"name": "Social Media",
"display_name": "T1593.001 - Social Media"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6034,
"domain": 1422,
"FileHash-MD5": 274,
"FileHash-SHA1": 252,
"FileHash-SHA256": 3378,
"email": 11,
"hostname": 2753,
"CVE": 1,
"SSLCertFingerprint": 9
},
"indicator_count": 14134,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "42 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf64eccb5d39a90a3c391e",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:32.565000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 152,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf64e1d5e06aa6207f78de",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:21.863000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 149,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "652a901fe2dbea9024b3d614",
"name": "Black Tech",
"description": "Found in a malicious Apple iTunes link. Lists several independent artists. Music \"producer\" is potentially highly dependent on use of AI generated instrumentation and conception. Hacking seems to target a single target and associates.",
"modified": "2024-09-24T00:01:38.502000",
"created": "2023-10-14T12:57:03.183000",
"tags": [
"referrer",
"historical ssl",
"ssl certificate",
"whois record",
"whois ssl",
"whois",
"historical",
"siblings parent",
"network",
"number",
"label shanghai",
"blue cloud",
"ltd regional",
"apnic country",
"cn continent",
"algorithm",
"data",
"v3 serial",
"cus cndigicert",
"basic rsa",
"cn ca",
"g2 odigicert",
"inc validity",
"oshanghai blue",
"road",
"beijing country",
"beijing",
"please",
"apnic person",
"cn phone",
"whois lookup",
"bluecloud descr",
"shanghai blue",
"ltd descr",
"cnnic",
"whois lookups",
"updated date",
"apnic netname",
"beijing abusec",
"abuse cnniccn",
"liu registrant",
"country",
"dns replication",
"date",
"domain",
"first",
"blacklist https",
"heur",
"html",
"malware",
"alexa top",
"site",
"filerepmetagen",
"suspected",
"adware",
"cisco umbrella",
"malware site",
"win64",
"opencandy",
"cleaner",
"artemis",
"iframe",
"agent",
"unsafe",
"riskware",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"genkryptik",
"exploit",
"presenoker",
"filetour",
"conduit",
"wacatac",
"softcnapp",
"xtrat",
"cve201711882",
"memscan",
"phishing",
"maltiverse",
"zbot",
"webtoolbar",
"trojanspy",
"million",
"united",
"phishing site",
"malicious site",
"proxy",
"firehol",
"detection list",
"ip address",
"blacklist",
"safe site",
"team",
"fusioncore",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"webshell",
"alexa",
"adposhel",
"installpack",
"xrat",
"azorult",
"service",
"runescape",
"facebook",
"download",
"gamehack",
"verdict",
"falcon sandbox",
"pattern match",
"show",
"file",
"indicator",
"ascii text",
"appdata",
"mitre att",
"et tor",
"known tor",
"severity",
"hybrid",
"general",
"misc attack",
"beginstring",
"script",
"relayrouter",
"exit",
"node traffic",
"null",
"error",
"unknown",
"span",
"body",
"refresh",
"class",
"critical",
"tools",
"look",
"verify",
"restart",
"click",
"strings",
"meta",
"anonymizer",
"team proxy",
"host",
"control server",
"meterpreter",
"dnspionage",
"filerepmalware",
"fakealert",
"pony",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"floxif",
"patcher",
"adload",
"webcompanion",
"seraph",
"downloader",
"generic",
"dapato",
"redline stealer",
"beach research",
"blacklist http",
"generic malware",
"fakedout threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"bundled",
"dropped",
"contacted",
"most malicious",
"server",
"parent parent"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "Generic",
"display_name": "Generic",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 50,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2449,
"FileHash-SHA1": 217,
"FileHash-SHA256": 3441,
"URL": 2044,
"domain": 258,
"hostname": 1100,
"CIDR": 1,
"email": 4,
"CVE": 37
},
"indicator_count": 9551,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "616 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a9123acb8410d1158f8a",
"name": "DNSpionage",
"description": "",
"modified": "2023-12-06T17:02:10.861000",
"created": "2023-12-06T17:02:10.861000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 27,
"FileHash-SHA256": 3307,
"hostname": 1083,
"FileHash-MD5": 2420,
"FileHash-SHA1": 189,
"domain": 255,
"URL": 1933,
"CIDR": 1,
"email": 4
},
"indicator_count": 9219,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "908 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a90bc683765a535061dc",
"name": "27 CVE Talley | GameHack l Beach Research",
"description": "",
"modified": "2023-12-06T17:02:03.119000",
"created": "2023-12-06T17:02:03.119000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 27,
"FileHash-SHA256": 3307,
"hostname": 1083,
"FileHash-MD5": 2420,
"FileHash-SHA1": 189,
"domain": 255,
"URL": 1933,
"CIDR": 1,
"email": 4
},
"indicator_count": 9219,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "908 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a903fc0836f148fa45c9",
"name": "Oshanghai Blue",
"description": "",
"modified": "2023-12-06T17:01:55.465000",
"created": "2023-12-06T17:01:55.465000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 27,
"FileHash-SHA256": 3307,
"hostname": 1083,
"FileHash-MD5": 2420,
"FileHash-SHA1": 189,
"domain": 255,
"URL": 1933,
"CIDR": 1,
"email": 4
},
"indicator_count": 9219,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "908 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a8fb83452e1699674c37",
"name": "Black Tech",
"description": "",
"modified": "2023-12-06T17:01:47.488000",
"created": "2023-12-06T17:01:47.488000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 27,
"FileHash-SHA256": 3307,
"hostname": 1083,
"FileHash-MD5": 2420,
"FileHash-SHA1": 189,
"domain": 255,
"URL": 1933,
"CIDR": 1,
"email": 4
},
"indicator_count": 9219,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "908 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653f09785f9ee8aebca2a667",
"name": "Remote Access | DeepScan | Dumping | DNS | Internal System Infiltration",
"description": "",
"modified": "2023-11-26T14:04:04.692000",
"created": "2023-10-30T01:40:08.022000",
"tags": [
"ssl certificate",
"historical ssl",
"resolutions",
"referrer",
"collections",
"contacted",
"efr1",
"parent domain",
"amazon 02",
"metro",
"crypto",
"cisco umbrella",
"site",
"safe site",
"heur",
"malware",
"alexa top",
"million",
"malicious url",
"malware site",
"malicious site",
"opencandy",
"riskware",
"unsafe",
"phishing",
"zbot",
"team",
"exploit",
"agent",
"mimikatz",
"azorult",
"service",
"runescape",
"facebook",
"bank",
"download",
"downldr",
"presenoker",
"fusioncore",
"cleaner",
"wacatac",
"artemis",
"blacknet rat",
"stealer",
"trojanspy",
"blacklist https",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"tag count",
"tsara brashears",
"self",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"whois record",
"contacted urls",
"siblings domain",
"execution",
"goldmax",
"goldfinder",
"sibot",
"emotet",
"united",
"phishing site",
"maltiverse",
"adware",
"phishtank",
"xtrat",
"xrat",
"redline stealer",
"xtreme",
"crack",
"genkryptik",
"deepscan",
"win64",
"quasar rat",
"fareit",
"downloader",
"trojan",
"alexa",
"iframe",
"cve201711882",
"phish",
"genpack",
"suspicious",
"magazine",
"applicunwnt",
"cobalt strike",
"malicious",
"pattern match",
"file",
"web open",
"font format",
"truetype",
"indicator",
"windows nt",
"ascii text",
"mitre att",
"ck id",
"date",
"unknown",
"hybrid",
"accept",
"local",
"stream",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"pmejdjsu12",
"Royal Bank of Scotland",
"Phishing Bank of America Corporation",
"Phishing Netflix",
"Phishing Wells Fargo",
"Phishing RuneScape",
"Phishing Internal Revenue Service",
"Phtarget unspecified phishing",
"PAYPAL phishing",
"Phishing Indeed",
"Phishing eBay, Inc",
"PhisSafe",
"mobigame",
"Phishing Facebook",
"remote",
"mitm",
"tower",
"worm",
"firm",
"privilege",
"attacker",
"monitoring",
"cyber threat",
"apple",
"illegal",
"DNS_PROBE_STARTED",
"insurance",
"revenge",
"legal entities",
"https://boxofporn.com"
],
"references": [],
"public": 1,
"adversary": "[Unnamed group]",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Trojan.Hotkeychick",
"display_name": "Trojan.Hotkeychick",
"target": null
},
{
"id": "CVE Exploits",
"display_name": "CVE Exploits",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Generic.ASMalwS",
"display_name": "Generic.ASMalwS",
"target": null
},
{
"id": "HackTool.CheatEngine",
"display_name": "HackTool.CheatEngine",
"target": null
},
{
"id": "HackTool.BruteForce",
"display_name": "HackTool.BruteForce",
"target": null
},
{
"id": "Virus.Sality",
"display_name": "Virus.Sality",
"target": null
},
{
"id": "W32.Malware",
"display_name": "W32.Malware",
"target": null
},
{
"id": "TSGeneric",
"display_name": "TSGeneric",
"target": null
},
{
"id": "Trojan.OTNR",
"display_name": "Trojan.OTNR",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "BlackNET RAT",
"display_name": "BlackNET RAT",
"target": null
},
{
"id": "Mimikatz - S0002",
"display_name": "Mimikatz - S0002",
"target": null
},
{
"id": "GoldFinder",
"display_name": "GoldFinder",
"target": null
},
{
"id": "GoldMax - S0588",
"display_name": "GoldMax - S0588",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Sibot",
"display_name": "Sibot",
"target": null
},
{
"id": "Downloader.OpenCandy",
"display_name": "Downloader.OpenCandy",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "GoogleToolbar",
"display_name": "GoogleToolbar",
"target": null
},
{
"id": "BScope.Adware.MSIL",
"display_name": "BScope.Adware.MSIL",
"target": null
},
{
"id": "Application.Auslogics",
"display_name": "Application.Auslogics",
"target": null
},
{
"id": "PE.Heur",
"display_name": "PE.Heur",
"target": null
},
{
"id": "Gen:Variant.Application.Bundler.DownloadGuide",
"display_name": "Gen:Variant.Application.Bundler.DownloadGuide",
"target": null
},
{
"id": "Trojan:Win32/Xtrat",
"display_name": "Trojan:Win32/Xtrat",
"target": "/malware/Trojan:Win32/Xtrat"
},
{
"id": "Xtreme RAT",
"display_name": "Xtreme RAT",
"target": null
},
{
"id": "ML.Attribute",
"display_name": "ML.Attribute",
"target": null
},
{
"id": "AGEN.1045143",
"display_name": "AGEN.1045143",
"target": null
},
{
"id": "Hoax.DeceptPCClean",
"display_name": "Hoax.DeceptPCClean",
"target": null
},
{
"id": "Packed.Themida",
"display_name": "Packed.Themida",
"target": null
},
{
"id": "MSIL_Bladabindi.G.gen",
"display_name": "MSIL_Bladabindi.G.gen",
"target": null
},
{
"id": "Gen:NN.ZexaF.34090",
"display_name": "Gen:NN.ZexaF.34090",
"target": null
},
{
"id": "Unsafe.AI_Score_95% 2",
"display_name": "Unsafe.AI_Score_95% 2",
"target": null
},
{
"id": "BScope.Trojan",
"display_name": "BScope.Trojan",
"target": null
},
{
"id": "JS:Trojan.HideLink 2",
"display_name": "JS:Trojan.HideLink 2",
"target": null
},
{
"id": "Gen:Variant.Symmi",
"display_name": "Gen:Variant.Symmi",
"target": null
},
{
"id": "Gen:Heur.MSIL.Inject",
"display_name": "Gen:Heur.MSIL.Inject",
"target": null
},
{
"id": "Application.BitCoinMiner",
"display_name": "Application.BitCoinMiner",
"target": null
},
{
"id": "WebToolbar.Asparnet",
"display_name": "WebToolbar.Asparnet",
"target": null
},
{
"id": "W32.HfsAutoB",
"display_name": "W32.HfsAutoB",
"target": null
},
{
"id": "Gen:Variant.Ursu",
"display_name": "Gen:Variant.Ursu",
"target": null
},
{
"id": "HW32.Packed",
"display_name": "HW32.Packed",
"target": null
},
{
"id": "Application.Deceptor",
"display_name": "Application.Deceptor",
"target": null
},
{
"id": "Backdoor.Androm",
"display_name": "Backdoor.Androm",
"target": null
},
{
"id": "HEUR:Hoax.PCFixer",
"display_name": "HEUR:Hoax.PCFixer",
"target": null
},
{
"id": "Gen:Variant.Jacard",
"display_name": "Gen:Variant.Jacard",
"target": null
},
{
"id": "Tool.Patcher",
"display_name": "Tool.Patcher",
"target": null
},
{
"id": "Trojan.Khalesi 2\tAdware 2",
"display_name": "Trojan.Khalesi 2\tAdware 2",
"target": null
},
{
"id": "RiskWare.HackTool.Agent",
"display_name": "RiskWare.HackTool.Agent",
"target": null
},
{
"id": "Unsafe.AI_Score_94%",
"display_name": "Unsafe.AI_Score_94%",
"target": null
},
{
"id": "Trojan.WisdomEyes.16070401.9500",
"display_name": "Trojan.WisdomEyes.16070401.9500",
"target": null
},
{
"id": "RiskWare.Crack",
"display_name": "RiskWare.Crack",
"target": null
},
{
"id": "Gen:Variant.Bulz",
"display_name": "Gen:Variant.Bulz",
"target": null
},
{
"id": "VB:Trojan.Valyria",
"display_name": "VB:Trojan.Valyria",
"target": null
},
{
"id": "TrojanBanker.Banbra",
"display_name": "TrojanBanker.Banbra",
"target": null
},
{
"id": "DriverReviver.A potentially unwanted",
"display_name": "DriverReviver.A potentially unwanted",
"target": null
},
{
"id": "Warezov.gen3",
"display_name": "Warezov.gen3",
"target": null
},
{
"id": "JS:Trojan.Clicker",
"display_name": "JS:Trojan.Clicker",
"target": null
},
{
"id": "Nemucod.21C8",
"display_name": "Nemucod.21C8",
"target": null
},
{
"id": "Asparnet.P",
"display_name": "Asparnet.P",
"target": null
},
{
"id": "InstallCore.Gen7",
"display_name": "InstallCore.Gen7",
"target": null
},
{
"id": "CsQKHtaAI",
"display_name": "CsQKHtaAI",
"target": null
},
{
"id": "Clicker.VB",
"display_name": "Clicker.VB",
"target": null
},
{
"id": "Exploit.Zip.Heuristic",
"display_name": "Exploit.Zip.Heuristic",
"target": null
},
{
"id": "Trojan.Ransom.GandCrab",
"display_name": "Trojan.Ransom.GandCrab",
"target": null
},
{
"id": "ScrInject.B",
"display_name": "ScrInject.B",
"target": null
},
{
"id": "ScrInject.eric",
"display_name": "ScrInject.eric",
"target": null
},
{
"id": "HEUR:Trojan.Diztakun",
"display_name": "HEUR:Trojan.Diztakun",
"target": null
},
{
"id": "Agent.OCJ",
"display_name": "Agent.OCJ",
"target": null
},
{
"id": "Vdehu.A",
"display_name": "Vdehu.A",
"target": null
},
{
"id": "Hacktool.Crack",
"display_name": "Hacktool.Crack",
"target": null
},
{
"id": "Backdoor.DTR.15",
"display_name": "Backdoor.DTR.15",
"target": null
},
{
"id": "Freemake.A potentially unwanted",
"display_name": "Freemake.A potentially unwanted",
"target": null
},
{
"id": "Absolute Uninstaller",
"display_name": "Absolute Uninstaller",
"target": null
},
{
"id": "HTML:Script",
"display_name": "HTML:Script",
"target": null
},
{
"id": "Trojan.Small",
"display_name": "Trojan.Small",
"target": null
},
{
"id": "HackTool.Crack",
"display_name": "HackTool.Crack",
"target": null
},
{
"id": "Generic.Application.JS.Sobrab.1",
"display_name": "Generic.Application.JS.Sobrab.1",
"target": null
},
{
"id": "Trojan.Rozena",
"display_name": "Trojan.Rozena",
"target": null
},
{
"id": "Trojan.Downloader",
"display_name": "Trojan.Downloader",
"target": null
},
{
"id": "Trojan.Bayrob",
"display_name": "Trojan.Bayrob",
"target": null
},
{
"id": "Adware.OxyPumper",
"display_name": "Adware.OxyPumper",
"target": null
},
{
"id": "Worm.Chir",
"display_name": "Worm.Chir",
"target": null
},
{
"id": "Trojan.Linux.Generic",
"display_name": "Trojan.Linux.Generic",
"target": null
},
{
"id": "Trojan.Ransom.GenericKD",
"display_name": "Trojan.Ransom.GenericKD",
"target": null
},
{
"id": "Heur.BZC.YAX.Boxter.819",
"display_name": "Heur.BZC.YAX.Boxter.819",
"target": null
},
{
"id": "Faceliker.D",
"display_name": "Faceliker.D",
"target": null
},
{
"id": "Adware",
"display_name": "Adware",
"target": null
},
{
"id": "DeepScan:Generic.BrResMon.1",
"display_name": "DeepScan:Generic.BrResMon.1",
"target": null
},
{
"id": "Adware.KuziTui",
"display_name": "Adware.KuziTui",
"target": null
},
{
"id": "Trojan.Brsecmon",
"display_name": "Trojan.Brsecmon",
"target": null
},
{
"id": "SigRiskware.LespeedTechnologyLtd",
"display_name": "SigRiskware.LespeedTechnologyLtd",
"target": null
},
{
"id": "Doplik.J",
"display_name": "Doplik.J",
"target": null
},
{
"id": "Backdoor.Nhopro",
"display_name": "Backdoor.Nhopro",
"target": null
},
{
"id": "TrojanBanker.Banbra",
"display_name": "TrojanBanker.Banbra",
"target": null
},
{
"id": "Gen:NN.ZemsilF.32515",
"display_name": "Gen:NN.ZemsilF.32515",
"target": null
},
{
"id": "Downware",
"display_name": "Downware",
"target": null
},
{
"id": "MxResIcn.Heur",
"display_name": "MxResIcn.Heur",
"target": null
},
{
"id": "Mimikatz",
"display_name": "Mimikatz",
"target": null
},
{
"id": "Magazine phishing",
"display_name": "Magazine phishing",
"target": null
},
{
"id": "ApplicUnwnt@#2n6\tIRS",
"display_name": "ApplicUnwnt@#2n6\tIRS",
"target": null
},
{
"id": "TEL:Trojan:HTML/Phishing",
"display_name": "TEL:Trojan:HTML/Phishing",
"target": null
},
{
"id": "DriverReviver.A potentially unwanted",
"display_name": "DriverReviver.A potentially unwanted",
"target": null
},
{
"id": "Trojan.GandCrypt",
"display_name": "Trojan.GandCrypt",
"target": null
},
{
"id": "Redirector.AN",
"display_name": "Redirector.AN",
"target": null
},
{
"id": "Agent.CUX.gen",
"display_name": "Agent.CUX.gen",
"target": null
},
{
"id": "Gen:Variant.Application.Bundler",
"display_name": "Gen:Variant.Application.Bundler",
"target": null
},
{
"id": "Downloader.Generic",
"display_name": "Downloader.Generic",
"target": null
},
{
"id": "Trojan.ClipBanker",
"display_name": "Trojan.ClipBanker",
"target": null
},
{
"id": "TrojanDropper.Autit",
"display_name": "TrojanDropper.Autit",
"target": null
},
{
"id": "Dropper.Trojan.Agent",
"display_name": "Dropper.Trojan.Agent",
"target": null
},
{
"id": "QVM05.1.08E5.Malware",
"display_name": "QVM05.1.08E5.Malware",
"target": null
},
{
"id": "Trojan.CookiesStealer",
"display_name": "Trojan.CookiesStealer",
"target": null
},
{
"id": "Agent.MU",
"display_name": "Agent.MU",
"target": null
},
{
"id": "Wacatac.B",
"display_name": "Wacatac.B",
"target": null
},
{
"id": "Dropper.Gen",
"display_name": "Dropper.Gen",
"target": null
},
{
"id": "WiseCleaner.A potentially unwanted",
"display_name": "WiseCleaner.A potentially unwanted",
"target": null
},
{
"id": "Gen:Heur.MSIL.Androm",
"display_name": "Gen:Heur.MSIL.Androm",
"target": null
},
{
"id": "Gen:NN.ZemsilF.34170",
"display_name": "Gen:NN.ZemsilF.34170",
"target": null
},
{
"id": "Gen:Variant.MSILHeracles",
"display_name": "Gen:Variant.MSILHeracles",
"target": null
},
{
"id": "Trojan.DownLoader33",
"display_name": "Trojan.DownLoader33",
"target": null
},
{
"id": "Trojan.MSIL",
"display_name": "Trojan.MSIL",
"target": null
},
{
"id": "Program.Freemake",
"display_name": "Program.Freemake",
"target": null
},
{
"id": "Kryptik.dawvk",
"display_name": "Kryptik.dawvk",
"target": null
},
{
"id": "AdwareSig [Adw]",
"display_name": "AdwareSig [Adw]",
"target": null
},
{
"id": "Phishing JPMorgan Chase and Co.",
"display_name": "Phishing JPMorgan Chase and Co.",
"target": null
},
{
"id": "Adware.BrowseFoxCRTD",
"display_name": "Adware.BrowseFoxCRTD",
"target": null
},
{
"id": "Suspici.1F4405D1",
"display_name": "Suspici.1F4405D1",
"target": null
},
{
"id": "PUA.Wombat",
"display_name": "PUA.Wombat",
"target": null
},
{
"id": "AdWare.DealPly",
"display_name": "AdWare.DealPly",
"target": null
},
{
"id": "Injector.CUAM",
"display_name": "Injector.CUAM",
"target": null
},
{
"id": "Downldr.gen",
"display_name": "Downldr.gen",
"target": null
},
{
"id": "Troj_Gen.F04IE00CI19",
"display_name": "Troj_Gen.F04IE00CI19",
"target": null
},
{
"id": "Worm.Autorun",
"display_name": "Worm.Autorun",
"target": null
},
{
"id": "Worm.Boychi",
"display_name": "Worm.Boychi",
"target": null
},
{
"id": "Worm.Allaple",
"display_name": "Worm.Allaple",
"target": null
},
{
"id": "CVE-2014-3153",
"display_name": "CVE-2014-3153",
"target": null
},
{
"id": "BehavesLike.ICLoader",
"display_name": "BehavesLike.ICLoader",
"target": null
},
{
"id": "BScope.Backdoor",
"display_name": "BScope.Backdoor",
"target": null
},
{
"id": "Trojan.WIN32.PDF.Alien",
"display_name": "Trojan.WIN32.PDF.Alien",
"target": null
},
{
"id": "PUP.Systweak",
"display_name": "PUP.Systweak",
"target": null
},
{
"id": "Sabsik.FL.B",
"display_name": "Sabsik.FL.B",
"target": null
},
{
"id": "malicious.f01f67",
"display_name": "malicious.f01f67",
"target": null
},
{
"id": "AGEN.1144657",
"display_name": "AGEN.1144657",
"target": null
},
{
"id": "Gen:Variant.Tedy HackTool.VulnDriver",
"display_name": "Gen:Variant.Tedy HackTool.VulnDriver",
"target": null
},
{
"id": "Backdoor.Predator",
"display_name": "Backdoor.Predator",
"target": null
},
{
"id": "Kryptik.GKQR",
"display_name": "Kryptik.GKQR",
"target": null
},
{
"id": "DarkKomet.ife",
"display_name": "DarkKomet.ife",
"target": null
},
{
"id": "BehavesLike.Downloader",
"display_name": "BehavesLike.Downloader",
"target": null
},
{
"id": "Trojan.JS.Iframe",
"display_name": "Trojan.JS.Iframe",
"target": null
},
{
"id": "InstallCore.NP",
"display_name": "InstallCore.NP",
"target": null
},
{
"id": "Generic.JS.BlackHole",
"display_name": "Generic.JS.BlackHole",
"target": null
},
{
"id": "Dropper.Wanna",
"display_name": "Dropper.Wanna",
"target": null
},
{
"id": "Remote Utilities",
"display_name": "Remote Utilities",
"target": null
},
{
"id": "W32.InstallCore.AGX",
"display_name": "W32.InstallCore.AGX",
"target": null
},
{
"id": "NetTool.RemoteExec",
"display_name": "NetTool.RemoteExec",
"target": null
},
{
"id": "Bondat.A",
"display_name": "Bondat.A",
"target": null
},
{
"id": "VM201.0.B70B.Malware",
"display_name": "VM201.0.B70B.Malware",
"target": null
},
{
"id": "Riskware.NetFilter",
"display_name": "Riskware.NetFilter",
"target": null
},
{
"id": "Infected.WebPage",
"display_name": "Infected.WebPage",
"target": null
},
{
"id": "HEUR:Exploit.Script",
"display_name": "HEUR:Exploit.Script",
"target": null
},
{
"id": "BScope.TrojanDownloader",
"display_name": "BScope.TrojanDownloader",
"target": null
},
{
"id": "HTML:RedirBA",
"display_name": "HTML:RedirBA",
"target": null
},
{
"id": "Trojan.BAT.Qhost",
"display_name": "Trojan.BAT.Qhost",
"target": null
},
{
"id": "HTML:RedirME",
"display_name": "HTML:RedirME",
"target": null
},
{
"id": "TrojWare.JS.AdWare.Agent",
"display_name": "TrojWare.JS.AdWare.Agent",
"target": null
},
{
"id": "Packed.Dico",
"display_name": "Packed.Dico",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1491.001",
"name": "Internal Defacement",
"display_name": "T1491.001 - Internal Defacement"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1602.001",
"name": "SNMP (MIB Dump)",
"display_name": "T1602.001 - SNMP (MIB Dump)"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "653bf3b076e4dbcd0c099992",
"export_count": 28,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1695,
"FileHash-SHA1": 756,
"FileHash-SHA256": 2029,
"domain": 290,
"URL": 1854,
"hostname": 568,
"CVE": 5
},
"indicator_count": 7197,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "918 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653bf3b076e4dbcd0c099992",
"name": "Remote Access | DeepScan | Dumping | DNS | Internal System Infiltration",
"description": "DeepScan run (absolute overkill). I witnessed excessive data use, device is completely practically unusable, many black pages, denial of most services. CNC. Browser bar became a malicious app that returns 0 searches. Attack directed towards my devices.\nNo stone left unturned. Passwords taken. Apps installed to device Covered can on device takes pictures/flash at will. Evasive. Very talented hackers. \nBravo! Very intrusive. Constantly attacking.\nTarget: Tsara Brashears and researcher",
"modified": "2023-11-26T14:04:04.692000",
"created": "2023-10-27T17:30:24.926000",
"tags": [
"ssl certificate",
"historical ssl",
"resolutions",
"referrer",
"collections",
"contacted",
"efr1",
"parent domain",
"amazon 02",
"metro",
"crypto",
"cisco umbrella",
"site",
"safe site",
"heur",
"malware",
"alexa top",
"million",
"malicious url",
"malware site",
"malicious site",
"opencandy",
"riskware",
"unsafe",
"phishing",
"zbot",
"team",
"exploit",
"agent",
"mimikatz",
"azorult",
"service",
"runescape",
"facebook",
"bank",
"download",
"downldr",
"presenoker",
"fusioncore",
"cleaner",
"wacatac",
"artemis",
"blacknet rat",
"stealer",
"trojanspy",
"blacklist https",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"tag count",
"tsara brashears",
"self",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"whois record",
"contacted urls",
"siblings domain",
"execution",
"goldmax",
"goldfinder",
"sibot",
"emotet",
"united",
"phishing site",
"maltiverse",
"adware",
"phishtank",
"xtrat",
"xrat",
"redline stealer",
"xtreme",
"crack",
"genkryptik",
"deepscan",
"win64",
"quasar rat",
"fareit",
"downloader",
"trojan",
"alexa",
"iframe",
"cve201711882",
"phish",
"genpack",
"suspicious",
"magazine",
"applicunwnt",
"cobalt strike",
"malicious",
"pattern match",
"file",
"web open",
"font format",
"truetype",
"indicator",
"windows nt",
"ascii text",
"mitre att",
"ck id",
"date",
"unknown",
"hybrid",
"accept",
"local",
"stream",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"pmejdjsu12",
"Royal Bank of Scotland",
"Phishing Bank of America Corporation",
"Phishing Netflix",
"Phishing Wells Fargo",
"Phishing RuneScape",
"Phishing Internal Revenue Service",
"Phtarget unspecified phishing",
"PAYPAL phishing",
"Phishing Indeed",
"Phishing eBay, Inc",
"PhisSafe",
"mobigame",
"Phishing Facebook",
"remote",
"mitm",
"tower",
"worm",
"firm",
"privilege",
"attacker",
"monitoring",
"cyber threat",
"apple",
"illegal",
"DNS_PROBE_STARTED",
"insurance",
"revenge",
"legal entities",
"https://boxofporn.com"
],
"references": [],
"public": 1,
"adversary": "[Unnamed group]",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Trojan.Hotkeychick",
"display_name": "Trojan.Hotkeychick",
"target": null
},
{
"id": "CVE Exploits",
"display_name": "CVE Exploits",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Generic.ASMalwS",
"display_name": "Generic.ASMalwS",
"target": null
},
{
"id": "HackTool.CheatEngine",
"display_name": "HackTool.CheatEngine",
"target": null
},
{
"id": "HackTool.BruteForce",
"display_name": "HackTool.BruteForce",
"target": null
},
{
"id": "Virus.Sality",
"display_name": "Virus.Sality",
"target": null
},
{
"id": "W32.Malware",
"display_name": "W32.Malware",
"target": null
},
{
"id": "TSGeneric",
"display_name": "TSGeneric",
"target": null
},
{
"id": "Trojan.OTNR",
"display_name": "Trojan.OTNR",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "BlackNET RAT",
"display_name": "BlackNET RAT",
"target": null
},
{
"id": "Mimikatz - S0002",
"display_name": "Mimikatz - S0002",
"target": null
},
{
"id": "GoldFinder",
"display_name": "GoldFinder",
"target": null
},
{
"id": "GoldMax - S0588",
"display_name": "GoldMax - S0588",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Sibot",
"display_name": "Sibot",
"target": null
},
{
"id": "Downloader.OpenCandy",
"display_name": "Downloader.OpenCandy",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "GoogleToolbar",
"display_name": "GoogleToolbar",
"target": null
},
{
"id": "BScope.Adware.MSIL",
"display_name": "BScope.Adware.MSIL",
"target": null
},
{
"id": "Application.Auslogics",
"display_name": "Application.Auslogics",
"target": null
},
{
"id": "PE.Heur",
"display_name": "PE.Heur",
"target": null
},
{
"id": "Gen:Variant.Application.Bundler.DownloadGuide",
"display_name": "Gen:Variant.Application.Bundler.DownloadGuide",
"target": null
},
{
"id": "Trojan:Win32/Xtrat",
"display_name": "Trojan:Win32/Xtrat",
"target": "/malware/Trojan:Win32/Xtrat"
},
{
"id": "Xtreme RAT",
"display_name": "Xtreme RAT",
"target": null
},
{
"id": "ML.Attribute",
"display_name": "ML.Attribute",
"target": null
},
{
"id": "AGEN.1045143",
"display_name": "AGEN.1045143",
"target": null
},
{
"id": "Hoax.DeceptPCClean",
"display_name": "Hoax.DeceptPCClean",
"target": null
},
{
"id": "Packed.Themida",
"display_name": "Packed.Themida",
"target": null
},
{
"id": "MSIL_Bladabindi.G.gen",
"display_name": "MSIL_Bladabindi.G.gen",
"target": null
},
{
"id": "Gen:NN.ZexaF.34090",
"display_name": "Gen:NN.ZexaF.34090",
"target": null
},
{
"id": "Unsafe.AI_Score_95% 2",
"display_name": "Unsafe.AI_Score_95% 2",
"target": null
},
{
"id": "BScope.Trojan",
"display_name": "BScope.Trojan",
"target": null
},
{
"id": "JS:Trojan.HideLink 2",
"display_name": "JS:Trojan.HideLink 2",
"target": null
},
{
"id": "Gen:Variant.Symmi",
"display_name": "Gen:Variant.Symmi",
"target": null
},
{
"id": "Gen:Heur.MSIL.Inject",
"display_name": "Gen:Heur.MSIL.Inject",
"target": null
},
{
"id": "Application.BitCoinMiner",
"display_name": "Application.BitCoinMiner",
"target": null
},
{
"id": "WebToolbar.Asparnet",
"display_name": "WebToolbar.Asparnet",
"target": null
},
{
"id": "W32.HfsAutoB",
"display_name": "W32.HfsAutoB",
"target": null
},
{
"id": "Gen:Variant.Ursu",
"display_name": "Gen:Variant.Ursu",
"target": null
},
{
"id": "HW32.Packed",
"display_name": "HW32.Packed",
"target": null
},
{
"id": "Application.Deceptor",
"display_name": "Application.Deceptor",
"target": null
},
{
"id": "Backdoor.Androm",
"display_name": "Backdoor.Androm",
"target": null
},
{
"id": "HEUR:Hoax.PCFixer",
"display_name": "HEUR:Hoax.PCFixer",
"target": null
},
{
"id": "Gen:Variant.Jacard",
"display_name": "Gen:Variant.Jacard",
"target": null
},
{
"id": "Tool.Patcher",
"display_name": "Tool.Patcher",
"target": null
},
{
"id": "Trojan.Khalesi 2\tAdware 2",
"display_name": "Trojan.Khalesi 2\tAdware 2",
"target": null
},
{
"id": "RiskWare.HackTool.Agent",
"display_name": "RiskWare.HackTool.Agent",
"target": null
},
{
"id": "Unsafe.AI_Score_94%",
"display_name": "Unsafe.AI_Score_94%",
"target": null
},
{
"id": "Trojan.WisdomEyes.16070401.9500",
"display_name": "Trojan.WisdomEyes.16070401.9500",
"target": null
},
{
"id": "RiskWare.Crack",
"display_name": "RiskWare.Crack",
"target": null
},
{
"id": "Gen:Variant.Bulz",
"display_name": "Gen:Variant.Bulz",
"target": null
},
{
"id": "VB:Trojan.Valyria",
"display_name": "VB:Trojan.Valyria",
"target": null
},
{
"id": "TrojanBanker.Banbra",
"display_name": "TrojanBanker.Banbra",
"target": null
},
{
"id": "DriverReviver.A potentially unwanted",
"display_name": "DriverReviver.A potentially unwanted",
"target": null
},
{
"id": "Warezov.gen3",
"display_name": "Warezov.gen3",
"target": null
},
{
"id": "JS:Trojan.Clicker",
"display_name": "JS:Trojan.Clicker",
"target": null
},
{
"id": "Nemucod.21C8",
"display_name": "Nemucod.21C8",
"target": null
},
{
"id": "Asparnet.P",
"display_name": "Asparnet.P",
"target": null
},
{
"id": "InstallCore.Gen7",
"display_name": "InstallCore.Gen7",
"target": null
},
{
"id": "CsQKHtaAI",
"display_name": "CsQKHtaAI",
"target": null
},
{
"id": "Clicker.VB",
"display_name": "Clicker.VB",
"target": null
},
{
"id": "Exploit.Zip.Heuristic",
"display_name": "Exploit.Zip.Heuristic",
"target": null
},
{
"id": "Trojan.Ransom.GandCrab",
"display_name": "Trojan.Ransom.GandCrab",
"target": null
},
{
"id": "ScrInject.B",
"display_name": "ScrInject.B",
"target": null
},
{
"id": "ScrInject.eric",
"display_name": "ScrInject.eric",
"target": null
},
{
"id": "HEUR:Trojan.Diztakun",
"display_name": "HEUR:Trojan.Diztakun",
"target": null
},
{
"id": "Agent.OCJ",
"display_name": "Agent.OCJ",
"target": null
},
{
"id": "Vdehu.A",
"display_name": "Vdehu.A",
"target": null
},
{
"id": "Hacktool.Crack",
"display_name": "Hacktool.Crack",
"target": null
},
{
"id": "Backdoor.DTR.15",
"display_name": "Backdoor.DTR.15",
"target": null
},
{
"id": "Freemake.A potentially unwanted",
"display_name": "Freemake.A potentially unwanted",
"target": null
},
{
"id": "Absolute Uninstaller",
"display_name": "Absolute Uninstaller",
"target": null
},
{
"id": "HTML:Script",
"display_name": "HTML:Script",
"target": null
},
{
"id": "Trojan.Small",
"display_name": "Trojan.Small",
"target": null
},
{
"id": "HackTool.Crack",
"display_name": "HackTool.Crack",
"target": null
},
{
"id": "Generic.Application.JS.Sobrab.1",
"display_name": "Generic.Application.JS.Sobrab.1",
"target": null
},
{
"id": "Trojan.Rozena",
"display_name": "Trojan.Rozena",
"target": null
},
{
"id": "Trojan.Downloader",
"display_name": "Trojan.Downloader",
"target": null
},
{
"id": "Trojan.Bayrob",
"display_name": "Trojan.Bayrob",
"target": null
},
{
"id": "Adware.OxyPumper",
"display_name": "Adware.OxyPumper",
"target": null
},
{
"id": "Worm.Chir",
"display_name": "Worm.Chir",
"target": null
},
{
"id": "Trojan.Linux.Generic",
"display_name": "Trojan.Linux.Generic",
"target": null
},
{
"id": "Trojan.Ransom.GenericKD",
"display_name": "Trojan.Ransom.GenericKD",
"target": null
},
{
"id": "Heur.BZC.YAX.Boxter.819",
"display_name": "Heur.BZC.YAX.Boxter.819",
"target": null
},
{
"id": "Faceliker.D",
"display_name": "Faceliker.D",
"target": null
},
{
"id": "Adware",
"display_name": "Adware",
"target": null
},
{
"id": "DeepScan:Generic.BrResMon.1",
"display_name": "DeepScan:Generic.BrResMon.1",
"target": null
},
{
"id": "Adware.KuziTui",
"display_name": "Adware.KuziTui",
"target": null
},
{
"id": "Trojan.Brsecmon",
"display_name": "Trojan.Brsecmon",
"target": null
},
{
"id": "SigRiskware.LespeedTechnologyLtd",
"display_name": "SigRiskware.LespeedTechnologyLtd",
"target": null
},
{
"id": "Doplik.J",
"display_name": "Doplik.J",
"target": null
},
{
"id": "Backdoor.Nhopro",
"display_name": "Backdoor.Nhopro",
"target": null
},
{
"id": "TrojanBanker.Banbra",
"display_name": "TrojanBanker.Banbra",
"target": null
},
{
"id": "Gen:NN.ZemsilF.32515",
"display_name": "Gen:NN.ZemsilF.32515",
"target": null
},
{
"id": "Downware",
"display_name": "Downware",
"target": null
},
{
"id": "MxResIcn.Heur",
"display_name": "MxResIcn.Heur",
"target": null
},
{
"id": "Mimikatz",
"display_name": "Mimikatz",
"target": null
},
{
"id": "Magazine phishing",
"display_name": "Magazine phishing",
"target": null
},
{
"id": "ApplicUnwnt@#2n6\tIRS",
"display_name": "ApplicUnwnt@#2n6\tIRS",
"target": null
},
{
"id": "TEL:Trojan:HTML/Phishing",
"display_name": "TEL:Trojan:HTML/Phishing",
"target": null
},
{
"id": "DriverReviver.A potentially unwanted",
"display_name": "DriverReviver.A potentially unwanted",
"target": null
},
{
"id": "Trojan.GandCrypt",
"display_name": "Trojan.GandCrypt",
"target": null
},
{
"id": "Redirector.AN",
"display_name": "Redirector.AN",
"target": null
},
{
"id": "Agent.CUX.gen",
"display_name": "Agent.CUX.gen",
"target": null
},
{
"id": "Gen:Variant.Application.Bundler",
"display_name": "Gen:Variant.Application.Bundler",
"target": null
},
{
"id": "Downloader.Generic",
"display_name": "Downloader.Generic",
"target": null
},
{
"id": "Trojan.ClipBanker",
"display_name": "Trojan.ClipBanker",
"target": null
},
{
"id": "TrojanDropper.Autit",
"display_name": "TrojanDropper.Autit",
"target": null
},
{
"id": "Dropper.Trojan.Agent",
"display_name": "Dropper.Trojan.Agent",
"target": null
},
{
"id": "QVM05.1.08E5.Malware",
"display_name": "QVM05.1.08E5.Malware",
"target": null
},
{
"id": "Trojan.CookiesStealer",
"display_name": "Trojan.CookiesStealer",
"target": null
},
{
"id": "Agent.MU",
"display_name": "Agent.MU",
"target": null
},
{
"id": "Wacatac.B",
"display_name": "Wacatac.B",
"target": null
},
{
"id": "Dropper.Gen",
"display_name": "Dropper.Gen",
"target": null
},
{
"id": "WiseCleaner.A potentially unwanted",
"display_name": "WiseCleaner.A potentially unwanted",
"target": null
},
{
"id": "Gen:Heur.MSIL.Androm",
"display_name": "Gen:Heur.MSIL.Androm",
"target": null
},
{
"id": "Gen:NN.ZemsilF.34170",
"display_name": "Gen:NN.ZemsilF.34170",
"target": null
},
{
"id": "Gen:Variant.MSILHeracles",
"display_name": "Gen:Variant.MSILHeracles",
"target": null
},
{
"id": "Trojan.DownLoader33",
"display_name": "Trojan.DownLoader33",
"target": null
},
{
"id": "Trojan.MSIL",
"display_name": "Trojan.MSIL",
"target": null
},
{
"id": "Program.Freemake",
"display_name": "Program.Freemake",
"target": null
},
{
"id": "Kryptik.dawvk",
"display_name": "Kryptik.dawvk",
"target": null
},
{
"id": "AdwareSig [Adw]",
"display_name": "AdwareSig [Adw]",
"target": null
},
{
"id": "Phishing JPMorgan Chase and Co.",
"display_name": "Phishing JPMorgan Chase and Co.",
"target": null
},
{
"id": "Adware.BrowseFoxCRTD",
"display_name": "Adware.BrowseFoxCRTD",
"target": null
},
{
"id": "Suspici.1F4405D1",
"display_name": "Suspici.1F4405D1",
"target": null
},
{
"id": "PUA.Wombat",
"display_name": "PUA.Wombat",
"target": null
},
{
"id": "AdWare.DealPly",
"display_name": "AdWare.DealPly",
"target": null
},
{
"id": "Injector.CUAM",
"display_name": "Injector.CUAM",
"target": null
},
{
"id": "Downldr.gen",
"display_name": "Downldr.gen",
"target": null
},
{
"id": "Troj_Gen.F04IE00CI19",
"display_name": "Troj_Gen.F04IE00CI19",
"target": null
},
{
"id": "Worm.Autorun",
"display_name": "Worm.Autorun",
"target": null
},
{
"id": "Worm.Boychi",
"display_name": "Worm.Boychi",
"target": null
},
{
"id": "Worm.Allaple",
"display_name": "Worm.Allaple",
"target": null
},
{
"id": "CVE-2014-3153",
"display_name": "CVE-2014-3153",
"target": null
},
{
"id": "BehavesLike.ICLoader",
"display_name": "BehavesLike.ICLoader",
"target": null
},
{
"id": "BScope.Backdoor",
"display_name": "BScope.Backdoor",
"target": null
},
{
"id": "Trojan.WIN32.PDF.Alien",
"display_name": "Trojan.WIN32.PDF.Alien",
"target": null
},
{
"id": "PUP.Systweak",
"display_name": "PUP.Systweak",
"target": null
},
{
"id": "Sabsik.FL.B",
"display_name": "Sabsik.FL.B",
"target": null
},
{
"id": "malicious.f01f67",
"display_name": "malicious.f01f67",
"target": null
},
{
"id": "AGEN.1144657",
"display_name": "AGEN.1144657",
"target": null
},
{
"id": "Gen:Variant.Tedy HackTool.VulnDriver",
"display_name": "Gen:Variant.Tedy HackTool.VulnDriver",
"target": null
},
{
"id": "Backdoor.Predator",
"display_name": "Backdoor.Predator",
"target": null
},
{
"id": "Kryptik.GKQR",
"display_name": "Kryptik.GKQR",
"target": null
},
{
"id": "DarkKomet.ife",
"display_name": "DarkKomet.ife",
"target": null
},
{
"id": "BehavesLike.Downloader",
"display_name": "BehavesLike.Downloader",
"target": null
},
{
"id": "Trojan.JS.Iframe",
"display_name": "Trojan.JS.Iframe",
"target": null
},
{
"id": "InstallCore.NP",
"display_name": "InstallCore.NP",
"target": null
},
{
"id": "Generic.JS.BlackHole",
"display_name": "Generic.JS.BlackHole",
"target": null
},
{
"id": "Dropper.Wanna",
"display_name": "Dropper.Wanna",
"target": null
},
{
"id": "Remote Utilities",
"display_name": "Remote Utilities",
"target": null
},
{
"id": "W32.InstallCore.AGX",
"display_name": "W32.InstallCore.AGX",
"target": null
},
{
"id": "NetTool.RemoteExec",
"display_name": "NetTool.RemoteExec",
"target": null
},
{
"id": "Bondat.A",
"display_name": "Bondat.A",
"target": null
},
{
"id": "VM201.0.B70B.Malware",
"display_name": "VM201.0.B70B.Malware",
"target": null
},
{
"id": "Riskware.NetFilter",
"display_name": "Riskware.NetFilter",
"target": null
},
{
"id": "Infected.WebPage",
"display_name": "Infected.WebPage",
"target": null
},
{
"id": "HEUR:Exploit.Script",
"display_name": "HEUR:Exploit.Script",
"target": null
},
{
"id": "BScope.TrojanDownloader",
"display_name": "BScope.TrojanDownloader",
"target": null
},
{
"id": "HTML:RedirBA",
"display_name": "HTML:RedirBA",
"target": null
},
{
"id": "Trojan.BAT.Qhost",
"display_name": "Trojan.BAT.Qhost",
"target": null
},
{
"id": "HTML:RedirME",
"display_name": "HTML:RedirME",
"target": null
},
{
"id": "TrojWare.JS.AdWare.Agent",
"display_name": "TrojWare.JS.AdWare.Agent",
"target": null
},
{
"id": "Packed.Dico",
"display_name": "Packed.Dico",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1491.001",
"name": "Internal Defacement",
"display_name": "T1491.001 - Internal Defacement"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1602.001",
"name": "SNMP (MIB Dump)",
"display_name": "T1602.001 - SNMP (MIB Dump)"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 34,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1695,
"FileHash-SHA1": 756,
"FileHash-SHA256": 2029,
"domain": 290,
"URL": 1854,
"hostname": 568,
"CVE": 5
},
"indicator_count": 7197,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "918 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653f19afc40e663452f60260",
"name": "DNSpionage",
"description": "",
"modified": "2023-11-13T12:00:59.446000",
"created": "2023-10-30T02:49:19.586000",
"tags": [
"referrer",
"historical ssl",
"ssl certificate",
"whois record",
"whois ssl",
"whois",
"historical",
"siblings parent",
"network",
"number",
"label shanghai",
"blue cloud",
"ltd regional",
"apnic country",
"cn continent",
"algorithm",
"data",
"v3 serial",
"cus cndigicert",
"basic rsa",
"cn ca",
"g2 odigicert",
"inc validity",
"oshanghai blue",
"road",
"beijing country",
"beijing",
"please",
"apnic person",
"cn phone",
"whois lookup",
"bluecloud descr",
"shanghai blue",
"ltd descr",
"cnnic",
"whois lookups",
"updated date",
"apnic netname",
"beijing abusec",
"abuse cnniccn",
"liu registrant",
"country",
"dns replication",
"date",
"domain",
"first",
"blacklist https",
"heur",
"html",
"malware",
"alexa top",
"site",
"filerepmetagen",
"suspected",
"adware",
"cisco umbrella",
"malware site",
"win64",
"opencandy",
"cleaner",
"artemis",
"iframe",
"agent",
"unsafe",
"riskware",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"genkryptik",
"exploit",
"presenoker",
"filetour",
"conduit",
"wacatac",
"softcnapp",
"xtrat",
"cve201711882",
"memscan",
"phishing",
"maltiverse",
"zbot",
"webtoolbar",
"trojanspy",
"million",
"united",
"phishing site",
"malicious site",
"proxy",
"firehol",
"detection list",
"ip address",
"blacklist",
"safe site",
"team",
"fusioncore",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"webshell",
"alexa",
"adposhel",
"installpack",
"xrat",
"azorult",
"service",
"runescape",
"facebook",
"download",
"gamehack",
"verdict",
"falcon sandbox",
"pattern match",
"show",
"file",
"indicator",
"ascii text",
"appdata",
"mitre att",
"et tor",
"known tor",
"severity",
"hybrid",
"general",
"misc attack",
"beginstring",
"script",
"relayrouter",
"exit",
"node traffic",
"null",
"error",
"unknown",
"span",
"body",
"refresh",
"class",
"critical",
"tools",
"look",
"verify",
"restart",
"click",
"strings",
"meta",
"anonymizer",
"team proxy",
"host",
"control server",
"meterpreter",
"dnspionage",
"filerepmalware",
"fakealert",
"pony",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"floxif",
"patcher",
"adload",
"webcompanion",
"seraph",
"downloader",
"generic",
"dapato",
"redline stealer",
"beach research",
"blacklist http",
"generic malware",
"fakedout threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"bundled",
"dropped",
"contacted",
"most malicious",
"server",
"parent parent"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "Generic",
"display_name": "Generic",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "652a9637ba159a3febc414c4",
"export_count": 25,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2420,
"FileHash-SHA1": 189,
"FileHash-SHA256": 3307,
"URL": 1933,
"domain": 255,
"hostname": 1083,
"CIDR": 1,
"email": 4,
"CVE": 27
},
"indicator_count": 9219,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "931 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "652a9637ba159a3febc414c4",
"name": "DNSpionage",
"description": "",
"modified": "2023-11-13T12:00:59.446000",
"created": "2023-10-14T13:23:03.558000",
"tags": [
"referrer",
"historical ssl",
"ssl certificate",
"whois record",
"whois ssl",
"whois",
"historical",
"siblings parent",
"network",
"number",
"label shanghai",
"blue cloud",
"ltd regional",
"apnic country",
"cn continent",
"algorithm",
"data",
"v3 serial",
"cus cndigicert",
"basic rsa",
"cn ca",
"g2 odigicert",
"inc validity",
"oshanghai blue",
"road",
"beijing country",
"beijing",
"please",
"apnic person",
"cn phone",
"whois lookup",
"bluecloud descr",
"shanghai blue",
"ltd descr",
"cnnic",
"whois lookups",
"updated date",
"apnic netname",
"beijing abusec",
"abuse cnniccn",
"liu registrant",
"country",
"dns replication",
"date",
"domain",
"first",
"blacklist https",
"heur",
"html",
"malware",
"alexa top",
"site",
"filerepmetagen",
"suspected",
"adware",
"cisco umbrella",
"malware site",
"win64",
"opencandy",
"cleaner",
"artemis",
"iframe",
"agent",
"unsafe",
"riskware",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"genkryptik",
"exploit",
"presenoker",
"filetour",
"conduit",
"wacatac",
"softcnapp",
"xtrat",
"cve201711882",
"memscan",
"phishing",
"maltiverse",
"zbot",
"webtoolbar",
"trojanspy",
"million",
"united",
"phishing site",
"malicious site",
"proxy",
"firehol",
"detection list",
"ip address",
"blacklist",
"safe site",
"team",
"fusioncore",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"webshell",
"alexa",
"adposhel",
"installpack",
"xrat",
"azorult",
"service",
"runescape",
"facebook",
"download",
"gamehack",
"verdict",
"falcon sandbox",
"pattern match",
"show",
"file",
"indicator",
"ascii text",
"appdata",
"mitre att",
"et tor",
"known tor",
"severity",
"hybrid",
"general",
"misc attack",
"beginstring",
"script",
"relayrouter",
"exit",
"node traffic",
"null",
"error",
"unknown",
"span",
"body",
"refresh",
"class",
"critical",
"tools",
"look",
"verify",
"restart",
"click",
"strings",
"meta",
"anonymizer",
"team proxy",
"host",
"control server",
"meterpreter",
"dnspionage",
"filerepmalware",
"fakealert",
"pony",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"floxif",
"patcher",
"adload",
"webcompanion",
"seraph",
"downloader",
"generic",
"dapato",
"redline stealer",
"beach research",
"blacklist http",
"generic malware",
"fakedout threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"bundled",
"dropped",
"contacted",
"most malicious",
"server",
"parent parent"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "Generic",
"display_name": "Generic",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "652a9441becbdf690c095816",
"export_count": 34,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2420,
"FileHash-SHA1": 189,
"FileHash-SHA256": 3307,
"URL": 1933,
"domain": 255,
"hostname": 1083,
"CIDR": 1,
"email": 4,
"CVE": 27
},
"indicator_count": 9219,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "931 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "652a9441becbdf690c095816",
"name": "27 CVE Talley | GameHack l Beach Research",
"description": "",
"modified": "2023-11-13T12:00:59.446000",
"created": "2023-10-14T13:14:41.530000",
"tags": [
"referrer",
"historical ssl",
"ssl certificate",
"whois record",
"whois ssl",
"whois",
"historical",
"siblings parent",
"network",
"number",
"label shanghai",
"blue cloud",
"ltd regional",
"apnic country",
"cn continent",
"algorithm",
"data",
"v3 serial",
"cus cndigicert",
"basic rsa",
"cn ca",
"g2 odigicert",
"inc validity",
"oshanghai blue",
"road",
"beijing country",
"beijing",
"please",
"apnic person",
"cn phone",
"whois lookup",
"bluecloud descr",
"shanghai blue",
"ltd descr",
"cnnic",
"whois lookups",
"updated date",
"apnic netname",
"beijing abusec",
"abuse cnniccn",
"liu registrant",
"country",
"dns replication",
"date",
"domain",
"first",
"blacklist https",
"heur",
"html",
"malware",
"alexa top",
"site",
"filerepmetagen",
"suspected",
"adware",
"cisco umbrella",
"malware site",
"win64",
"opencandy",
"cleaner",
"artemis",
"iframe",
"agent",
"unsafe",
"riskware",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"genkryptik",
"exploit",
"presenoker",
"filetour",
"conduit",
"wacatac",
"softcnapp",
"xtrat",
"cve201711882",
"memscan",
"phishing",
"maltiverse",
"zbot",
"webtoolbar",
"trojanspy",
"million",
"united",
"phishing site",
"malicious site",
"proxy",
"firehol",
"detection list",
"ip address",
"blacklist",
"safe site",
"team",
"fusioncore",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"webshell",
"alexa",
"adposhel",
"installpack",
"xrat",
"azorult",
"service",
"runescape",
"facebook",
"download",
"gamehack",
"verdict",
"falcon sandbox",
"pattern match",
"show",
"file",
"indicator",
"ascii text",
"appdata",
"mitre att",
"et tor",
"known tor",
"severity",
"hybrid",
"general",
"misc attack",
"beginstring",
"script",
"relayrouter",
"exit",
"node traffic",
"null",
"error",
"unknown",
"span",
"body",
"refresh",
"class",
"critical",
"tools",
"look",
"verify",
"restart",
"click",
"strings",
"meta",
"anonymizer",
"team proxy",
"host",
"control server",
"meterpreter",
"dnspionage",
"filerepmalware",
"fakealert",
"pony",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"floxif",
"patcher",
"adload",
"webcompanion",
"seraph",
"downloader",
"generic",
"dapato",
"redline stealer",
"beach research",
"blacklist http",
"generic malware",
"fakedout threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"bundled",
"dropped",
"contacted",
"most malicious",
"server",
"parent parent"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "Generic",
"display_name": "Generic",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "652a901fe2dbea9024b3d614",
"export_count": 34,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2420,
"FileHash-SHA1": 189,
"FileHash-SHA256": 3307,
"URL": 1933,
"domain": 255,
"hostname": 1083,
"CIDR": 1,
"email": 4,
"CVE": 27
},
"indicator_count": 9219,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "931 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "652a913f48809612f1bd7deb",
"name": "Oshanghai Blue ",
"description": "",
"modified": "2023-11-13T12:00:59.446000",
"created": "2023-10-14T13:01:51.164000",
"tags": [
"referrer",
"historical ssl",
"ssl certificate",
"whois record",
"whois ssl",
"whois",
"historical",
"siblings parent",
"network",
"number",
"label shanghai",
"blue cloud",
"ltd regional",
"apnic country",
"cn continent",
"algorithm",
"data",
"v3 serial",
"cus cndigicert",
"basic rsa",
"cn ca",
"g2 odigicert",
"inc validity",
"oshanghai blue",
"road",
"beijing country",
"beijing",
"please",
"apnic person",
"cn phone",
"whois lookup",
"bluecloud descr",
"shanghai blue",
"ltd descr",
"cnnic",
"whois lookups",
"updated date",
"apnic netname",
"beijing abusec",
"abuse cnniccn",
"liu registrant",
"country",
"dns replication",
"date",
"domain",
"first",
"blacklist https",
"heur",
"html",
"malware",
"alexa top",
"site",
"filerepmetagen",
"suspected",
"adware",
"cisco umbrella",
"malware site",
"win64",
"opencandy",
"cleaner",
"artemis",
"iframe",
"agent",
"unsafe",
"riskware",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"genkryptik",
"exploit",
"presenoker",
"filetour",
"conduit",
"wacatac",
"softcnapp",
"xtrat",
"cve201711882",
"memscan",
"phishing",
"maltiverse",
"zbot",
"webtoolbar",
"trojanspy",
"million",
"united",
"phishing site",
"malicious site",
"proxy",
"firehol",
"detection list",
"ip address",
"blacklist",
"safe site",
"team",
"fusioncore",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"webshell",
"alexa",
"adposhel",
"installpack",
"xrat",
"azorult",
"service",
"runescape",
"facebook",
"download",
"gamehack",
"verdict",
"falcon sandbox",
"pattern match",
"show",
"file",
"indicator",
"ascii text",
"appdata",
"mitre att",
"et tor",
"known tor",
"severity",
"hybrid",
"general",
"misc attack",
"beginstring",
"script",
"relayrouter",
"exit",
"node traffic",
"null",
"error",
"unknown",
"span",
"body",
"refresh",
"class",
"critical",
"tools",
"look",
"verify",
"restart",
"click",
"strings",
"meta",
"anonymizer",
"team proxy",
"host",
"control server",
"meterpreter",
"dnspionage",
"filerepmalware",
"fakealert",
"pony",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"floxif",
"patcher",
"adload",
"webcompanion",
"seraph",
"downloader",
"generic",
"dapato",
"redline stealer",
"beach research",
"blacklist http",
"generic malware",
"fakedout threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"bundled",
"dropped",
"contacted",
"most malicious",
"server",
"parent parent"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "Generic",
"display_name": "Generic",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "652a901fe2dbea9024b3d614",
"export_count": 32,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2420,
"FileHash-SHA1": 189,
"FileHash-SHA256": 3307,
"URL": 1933,
"domain": 255,
"hostname": 1083,
"CIDR": 1,
"email": 4,
"CVE": 27
},
"indicator_count": 9219,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "931 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"http://212.33.237.86/images/1/report.php",
"Victim silenced. Struck by Car Driven by male police let walk",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"Verification failure observed in automated verification handlers during sandbox replay.",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"Quasi Government Case",
"https://webmail.police.govmm.org/owa/",
"Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora",
"207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://207-207-25-201.fwd.datafoundry.com/",
"https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"Mark Brian Sabey",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/",
"https://www.datafoundry.com/category/news/press-releases/",
"http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"This is a serious crime. I\u2019m certain God WILL pay them.",
"https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl",
"http://foundry2-lbl.dvr.dn2.n-helix.com/",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ",
"http://foundry2sdbl.dvr.dn2.n-helix.com/",
"http://watchhers.net/index.php",
"Christopher P \u2018Buzz\u2019 Ahmann",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"Melvin Sabey",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com",
"207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"Denver Police let this attempted murder walk. Cited him as a ghost driver",
"https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215",
"My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all.",
"All IoC\u2019s originate from sources named. There are some unknown attackers",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com",
"Ronda Cordova",
"https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim",
"https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"Some may may find this content is very disturbing and offensive",
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Sexual and Physical Assaulter - Jeffrey Scott Reimer",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"Reimer was a PT. Unknown whereabouts , name or job description",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Denver Police Department Major Crimes closed investigation",
"http://palantirwww.sweetheartvideo.com/ (weirdness)",
"Unknown Persons impersonating Private Investigators (plural)",
"http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"I bring up the personal nature of the crime because a delete service has been used",
"https://www.datafoundry.com/data-center-contamination-control/",
"https://rdweb.datafoundry.com/",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"Updated | What\u2019s left after theft",
"https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com",
"www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138."
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"[Unnamed group]"
],
"malware_families": [
"Sabsik.fl.b",
"Quasar rat",
"Troj_gen.f04ie00ci19",
"Hacktool.bruteforce",
"Gen:nn.zexaf.34090",
"Nettool.remoteexec",
"Trojan.bat.qhost",
"Backdoor.dtr.15",
"Tool.patcher",
"Kryptik.dawvk",
"Injector.cuam",
"Trojan.ransom.gandcrab",
"Scrinject.eric",
"Trojanspy",
"Wacatac.b",
"Trojan.downloader",
"Cobalt strike",
"Bondat.a",
"Virus.sality",
"Deepscan:generic.brresmon.1",
"Dropper.trojan.agent",
"Trojan.otnr",
"Gen:variant.bulz",
"Infected.webpage",
"Goldfinder",
"Heur:hoax.pcfixer",
"Gen:variant.msilheracles",
"Trojan.bayrob",
"Downloader.opencandy",
"Bscope.backdoor",
"Heur:trojan.diztakun",
"Trojan.rozena",
"Trojan.brsecmon",
"Downware",
"Gen:variant.application.bundler.downloadguide",
"Application.auslogics",
"Adwaresig [adw]",
"Trojan.ransom.generickd",
"Backdoor.nhopro",
"Hacktool.crack",
"Trojan.downloader33",
"Trojware.js.adware.agent",
"Application.bitcoinminer",
"Agen.1045143",
"Magazine phishing",
"Adware.dealply",
"Trojan.wisdomeyes.16070401.9500",
"Vm201.0.b70b.malware",
"Trojan:win32/xtrat",
"Trojan.cookiesstealer",
"Blacknet rat",
"Qvm05.1.08e5.malware",
"Mimikatz",
"Asparnet.p",
"Agent.mu",
"Googletoolbar",
"Sigriskware.lespeedtechnologyltd",
"Adware",
"Redirector.an",
"Maltiverse",
"Gen:variant.symmi",
"Msil_bladabindi.g.gen",
"Backdoor.predator",
"Driverreviver.a potentially unwanted",
"Beach research",
"Exploit.zip.heuristic",
"Js:trojan.clicker",
"Bscope.adware.msil",
"Downloader.generic",
"Heur:exploit.script",
"Trojan.small",
"Wisecleaner.a potentially unwanted",
"Dropper.gen",
"Riskware.hacktool.agent",
"Html:script",
"Gen:variant.ursu",
"Pup.systweak",
"Vdehu.a",
"Trojan.clipbanker",
"Scrinject.b",
"Pua.wombat",
"Trojan.win32.pdf.alien",
"Backdoor.androm",
"Gen:variant.tedy hacktool.vulndriver",
"Generic.asmalws",
"Adware.kuzitui",
"Worm.autorun",
"Malicious.f01f67",
"Trojan.msil",
"Cve-2014-3153",
"Generic.js.blackhole",
"Behaveslike.icloader",
"Dropper.wanna",
"Gen:heur.msil.inject",
"W32.hfsautob",
"Trojan.hotkeychick",
"Packed.themida",
"Worm.boychi",
"Agen.1144657",
"Trojanbanker.banbra",
"Nemucod.21c8",
"Packed.dico",
"Gen:variant.application.bundler",
"Goldmax - s0588",
"Hacktool.cheatengine",
"Webtoolbar",
"Azorult",
"Gen:heur.msil.androm",
"Downldr.gen",
"Kryptik.gkqr",
"Html:redirba",
"Clicker.vb",
"Redline stealer",
"Trojan.khalesi 2\tadware 2",
"W32.malware",
"Csqkhtaai",
"Pe.heur",
"Hw32.packed",
"Riskware.crack",
"Mxresicn.heur",
"Phishing jpmorgan chase and co.",
"Zbot",
"Warezov.gen3",
"Trojan.js.iframe",
"Behav",
"Program.freemake",
"Doplik.j",
"Html:redirme",
"Heur.bzc.yax.boxter.819",
"Gen:variant.jacard",
"Applicunwnt@#2n6\tirs",
"Agent.cux.gen",
"Worm.allaple",
"Behaveslike.downloader",
"Hoax.deceptpcclean",
"Tons of malware",
"Gen:nn.zemsilf.34170",
"Cve exploits",
"Darkkomet.ife",
"Tel:trojan:html/phishing",
"Installcore.np",
"Gamehack",
"Unsafe.ai_score_94%",
"Generic",
"Js:trojan.hidelink 2",
"Remote utilities",
"Generic.application.js.sobrab.1",
"Emotet",
"Vb:trojan.valyria",
"Application.deceptor",
"Xtreme rat",
"Adware.oxypumper",
"Bscope.trojandownloader",
"W32.installcore.agx",
"Webtoolbar.asparnet",
"Absolute uninstaller",
"Gen:nn.zemsilf.32515",
"Adware.browsefoxcrtd",
"Riskware.netfilter",
"Faceliker.d",
"Porn revenge",
"Trojan.gandcrypt",
"Unsafe.ai_score_95% 2",
"Ml.attribute",
"Trojan.linux.generic",
"Sibot",
"Installcore.gen7",
"Tsgeneric",
"Trojandropper.autit",
"Suspici.1f4405d1",
"Freemake.a potentially unwanted",
"Bscope.trojan",
"Agent.ocj",
"Worm.chir",
"Mimikatz - s0002"
],
"industries": [
"Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in"
],
"unique_indicators": 169367
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/meta.com",
"whois": "http://whois.domaintools.com/meta.com",
"domain": "meta.com",
"hostname": "spark.meta.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 17,
"pulses": [
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-05-17T15:52:35.396000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
"My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 28000,
"FileHash-SHA256": 48374,
"FileHash-MD5": 42596,
"FileHash-SHA1": 23243,
"hostname": 35654,
"URL": 75758,
"SSLCertFingerprint": 30,
"CVE": 7585,
"email": 316,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"URI": 5,
"IPv4": 574,
"Mutex": 1
},
"indicator_count": 288350,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 92,
"modified_text": "15 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69df292dac938e1d181a38e2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'\n\nObservations: Unplugged, Airbook, flashed wrote or write javascript in red around 2:45am EST when trying to upload and took me to a google screen.",
"modified": "2026-05-16T00:08:35.224000",
"created": "2026-04-15T05:59:09.898000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 5178,
"URL": 5165,
"FileHash-MD5": 1546,
"FileHash-SHA1": 381,
"domain": 1818,
"hostname": 3413,
"email": 22,
"URI": 2,
"CVE": 1
},
"indicator_count": 17526,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "17 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69df292b85c74fec867e4ed2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'",
"modified": "2026-05-16T00:08:35.224000",
"created": "2026-04-15T05:59:07.274000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3012,
"URL": 3826,
"FileHash-MD5": 734,
"FileHash-SHA1": 453,
"domain": 862,
"hostname": 1629,
"email": 25,
"CVE": 1
},
"indicator_count": 10542,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "17 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf261cc4e399447d78776c",
"name": "Cyber Bully Attackers | Revenge Attacks | Remote attackers | Malware Packed |",
"description": "Several government entities, attorneys have sought porn revenge including physical violence, attempted crimes, malicious prosecution case , harassment when a female patient of man formerly known as Jeffrey Scott Reimer of Chester Springs, PA, violently, critically injured patient in a sexually charged assault [URL\thttp://foundry2-lbl.dvr.dn2.n-helix.com\t\t\t\nhttps://foundry2-lbl.dvr.dn2.n-helix.com\t\tfoundry2-lbl.dvr.dn2.n-helix.com\t\t\t\t\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\nhttp://datafoundry.com\t\t\t\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\thttps://209-99-40-223.fwd.datafoundry.com\t\t\t\ndatafoundry.com",
"modified": "2026-04-20T21:01:07.869000",
"created": "2026-03-21T23:13:32.760000",
"tags": [
"sc data",
"data upload",
"please sub",
"include data",
"extraction",
"failed",
"sc pulse",
"idron anv",
"extr please",
"include review",
"exclude sugges",
"stop show",
"typ domain",
"united",
"virtool",
"name servers",
"cryp",
"emails",
"win32",
"ip address",
"worm",
"trojan",
"learn",
"suspicious",
"informative",
"ck id",
"name tactics",
"command",
"adversaries",
"spawns",
"ssl certificate",
"initial access",
"link initial",
"prefetch8",
"mitre att",
"ck matrix",
"flag",
"windows nt",
"win64",
"accept",
"encrypt",
"form",
"hybrid",
"bypass",
"general",
"path",
"iframe",
"click",
"strings",
"anchor https",
"anchor",
"liberal",
"sabey",
"liberal friends",
"meta",
"html internet",
"html document",
"unicode text",
"utf8 text",
"info initial",
"access ta0001",
"compromise",
"t1189 network",
"communication",
"get http",
"artifacts v",
"full reports",
"v get",
"help dns",
"resolutions",
"ip traffic",
"extr data",
"enter sc",
"extra data",
"referen",
"broth",
"passive dns",
"urls",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"none google",
"safe browsing",
"inquest labs",
"lucas acha",
"code integrity",
"checks creation",
"otx logo",
"all hostname",
"files",
"domain",
"protect",
"date",
"title",
"exchange",
"se http",
"present jan",
"present feb",
"present dec",
"backdoor",
"certificate",
"all domain",
"alibaba cloud",
"hichina",
"porkbun llc",
"cloudflare",
"namecheap inc",
"namecheap",
"domains",
"dynadot llc",
"ascio",
"denmark",
"url https",
"filehashsha256",
"url http",
"dopple ai",
"snit",
"iocs",
"otx description",
"information",
"report spam",
"delete service",
"poem",
"hunter",
"malicious",
"porn revenge",
"brian sabeys",
"all report",
"spam delete",
"rl http",
"https",
"expiration http",
"spam brian",
"swipper",
"type indicator",
"role title",
"added active",
"related pulses",
"filehashmd5",
"filehashsha1",
"sha256",
"scan",
"learn more",
"indicators show",
"tbmvid",
"sourcelnms",
"zx1724209326040",
"xxx videos",
"xxxvideohd",
"adversary",
"packing",
"palantir.com",
"discovery",
"victim won case",
"doin it",
"palantirian abuse",
"apple",
"sabey data centers",
"insurance",
"quasi government",
"the brother sabey",
"reimer",
"law enforcement",
"vessel state",
"sabey porn",
"hall evans",
"christopher ahmann",
"defamation",
"google"
],
"references": [
"The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/",
"http://watchhers.net/index.php",
"http://212.33.237.86/images/1/report.php",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://webmail.police.govmm.org/owa/",
"https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl",
"https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215",
"Mark Brian Sabey",
"Melvin Sabey",
"Christopher P \u2018Buzz\u2019 Ahmann",
"Ronda Cordova",
"Unknown Persons impersonating Private Investigators (plural)",
"Quasi Government Case",
"Victim silenced. Struck by Car Driven by male police let walk",
"Denver Police let this attempted murder walk. Cited him as a ghost driver",
"Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora",
"Sexual and Physical Assaulter - Jeffrey Scott Reimer",
"Reimer was a PT. Unknown whereabouts , name or job description",
"Denver Police Department Major Crimes closed investigation",
"Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim",
"I bring up the personal nature of the crime because a delete service has been used",
"More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed",
"All IoC\u2019s originate from sources named. There are some unknown attackers",
"This is a serious crime. I\u2019m certain God WILL pay them.",
"https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com",
"http://palantirwww.sweetheartvideo.com/ (weirdness)",
"http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx",
"https://www.datafoundry.com/data-center-contamination-control/",
"https://www.datafoundry.com/data-center-contamination-control/",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"http://foundry2-lbl.dvr.dn2.n-helix.com/",
"https://207-207-25-201.fwd.datafoundry.com/",
"http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd",
"http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://rdweb.datafoundry.com/",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"http://foundry2sdbl.dvr.dn2.n-helix.com/",
"Updated | What\u2019s left after theft",
"207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com",
"207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com",
"https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse",
"https://www.datafoundry.com/category/news/press-releases/",
"207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com",
"209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com",
"www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com",
"http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com",
"http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/",
"https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022",
"https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/",
"https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com",
"Some may may find this content is very disturbing and offensive"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Porn Revenge",
"display_name": "Porn Revenge",
"target": null
},
{
"id": "Tons of Malware",
"display_name": "Tons of Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1132.001",
"name": "Standard Encoding",
"display_name": "T1132.001 - Standard Encoding"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1495",
"name": "Firmware Corruption",
"display_name": "T1495 - Firmware Corruption"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1586.001",
"name": "Social Media Accounts",
"display_name": "T1586.001 - Social Media Accounts"
},
{
"id": "T1593.001",
"name": "Social Media",
"display_name": "T1593.001 - Social Media"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6034,
"domain": 1422,
"FileHash-MD5": 274,
"FileHash-SHA1": 252,
"FileHash-SHA256": 3378,
"email": 11,
"hostname": 2753,
"CVE": 1,
"SSLCertFingerprint": 9
},
"indicator_count": 14134,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "42 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf64eccb5d39a90a3c391e",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:32.565000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 152,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf64e1d5e06aa6207f78de",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:21.863000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 149,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "652a901fe2dbea9024b3d614",
"name": "Black Tech",
"description": "Found in a malicious Apple iTunes link. Lists several independent artists. Music \"producer\" is potentially highly dependent on use of AI generated instrumentation and conception. Hacking seems to target a single target and associates.",
"modified": "2024-09-24T00:01:38.502000",
"created": "2023-10-14T12:57:03.183000",
"tags": [
"referrer",
"historical ssl",
"ssl certificate",
"whois record",
"whois ssl",
"whois",
"historical",
"siblings parent",
"network",
"number",
"label shanghai",
"blue cloud",
"ltd regional",
"apnic country",
"cn continent",
"algorithm",
"data",
"v3 serial",
"cus cndigicert",
"basic rsa",
"cn ca",
"g2 odigicert",
"inc validity",
"oshanghai blue",
"road",
"beijing country",
"beijing",
"please",
"apnic person",
"cn phone",
"whois lookup",
"bluecloud descr",
"shanghai blue",
"ltd descr",
"cnnic",
"whois lookups",
"updated date",
"apnic netname",
"beijing abusec",
"abuse cnniccn",
"liu registrant",
"country",
"dns replication",
"date",
"domain",
"first",
"blacklist https",
"heur",
"html",
"malware",
"alexa top",
"site",
"filerepmetagen",
"suspected",
"adware",
"cisco umbrella",
"malware site",
"win64",
"opencandy",
"cleaner",
"artemis",
"iframe",
"agent",
"unsafe",
"riskware",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"genkryptik",
"exploit",
"presenoker",
"filetour",
"conduit",
"wacatac",
"softcnapp",
"xtrat",
"cve201711882",
"memscan",
"phishing",
"maltiverse",
"zbot",
"webtoolbar",
"trojanspy",
"million",
"united",
"phishing site",
"malicious site",
"proxy",
"firehol",
"detection list",
"ip address",
"blacklist",
"safe site",
"team",
"fusioncore",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"webshell",
"alexa",
"adposhel",
"installpack",
"xrat",
"azorult",
"service",
"runescape",
"facebook",
"download",
"gamehack",
"verdict",
"falcon sandbox",
"pattern match",
"show",
"file",
"indicator",
"ascii text",
"appdata",
"mitre att",
"et tor",
"known tor",
"severity",
"hybrid",
"general",
"misc attack",
"beginstring",
"script",
"relayrouter",
"exit",
"node traffic",
"null",
"error",
"unknown",
"span",
"body",
"refresh",
"class",
"critical",
"tools",
"look",
"verify",
"restart",
"click",
"strings",
"meta",
"anonymizer",
"team proxy",
"host",
"control server",
"meterpreter",
"dnspionage",
"filerepmalware",
"fakealert",
"pony",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"floxif",
"patcher",
"adload",
"webcompanion",
"seraph",
"downloader",
"generic",
"dapato",
"redline stealer",
"beach research",
"blacklist http",
"generic malware",
"fakedout threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"bundled",
"dropped",
"contacted",
"most malicious",
"server",
"parent parent"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "Generic",
"display_name": "Generic",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 50,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2449,
"FileHash-SHA1": 217,
"FileHash-SHA256": 3441,
"URL": 2044,
"domain": 258,
"hostname": 1100,
"CIDR": 1,
"email": 4,
"CVE": 37
},
"indicator_count": 9551,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "616 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a9123acb8410d1158f8a",
"name": "DNSpionage",
"description": "",
"modified": "2023-12-06T17:02:10.861000",
"created": "2023-12-06T17:02:10.861000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 27,
"FileHash-SHA256": 3307,
"hostname": 1083,
"FileHash-MD5": 2420,
"FileHash-SHA1": 189,
"domain": 255,
"URL": 1933,
"CIDR": 1,
"email": 4
},
"indicator_count": 9219,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "908 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a90bc683765a535061dc",
"name": "27 CVE Talley | GameHack l Beach Research",
"description": "",
"modified": "2023-12-06T17:02:03.119000",
"created": "2023-12-06T17:02:03.119000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 27,
"FileHash-SHA256": 3307,
"hostname": 1083,
"FileHash-MD5": 2420,
"FileHash-SHA1": 189,
"domain": 255,
"URL": 1933,
"CIDR": 1,
"email": 4
},
"indicator_count": 9219,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "908 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a903fc0836f148fa45c9",
"name": "Oshanghai Blue",
"description": "",
"modified": "2023-12-06T17:01:55.465000",
"created": "2023-12-06T17:01:55.465000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 27,
"FileHash-SHA256": 3307,
"hostname": 1083,
"FileHash-MD5": 2420,
"FileHash-SHA1": 189,
"domain": 255,
"URL": 1933,
"CIDR": 1,
"email": 4
},
"indicator_count": 9219,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "908 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://spark.meta.com/terms/",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://spark.meta.com/terms/",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780372580.6415746
}