{
"type": "URL",
"indicator": "https://stl-mx-02.messagingengine.com",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://stl-mx-02.messagingengine.com",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4148396345,
"indicator": "https://stl-mx-02.messagingengine.com",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 2,
"pulses": [
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69312c4db6fe7eb34abd179d",
"name": "BeeLineRouter.Net \u2022 Apple \u2022 Worms \u2022 Ransom \u2022 SpyWare",
"description": "Direct- remotely accesses iOS devices. Same threat actors. Further research warranted.| \n\n#theyswarm #apple #worms #spyware #ransom #quasi",
"modified": "2026-01-03T05:02:11.376000",
"created": "2025-12-04T06:38:05.504000",
"tags": [
"worm",
"readme.exe",
"foto.pif",
"z1nic.exe",
"dynamicloader",
"high",
"windows",
"checks",
"named pipe",
"http traffic",
"ids detections",
"yara detections",
"alerts",
"launch",
"defense evasion",
"ta0005",
"files",
"msie",
"next dropped",
"process name",
"pe32",
"intel",
"ms windows",
"unknown",
"united",
"tlsv1",
"as14618",
"top source",
"top destination",
"port",
"destination",
"source source",
"matches rule",
"hidden file",
"extension",
"connection",
"http vary",
"tulach",
"url https",
"indicator role",
"active related",
"ipv4",
"url http",
"macintosh",
"intel mac",
"os x",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"bq dec",
"virtool",
"win32mydoom dec",
"trojan",
"win32cve dec",
"avast avg",
"mtb dec",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"ff d5",
"yara rule",
"ascii text",
"f0 ff",
"eb e1",
"write",
"malware",
"suspicious",
"observed dns",
"query",
"exploits",
"sid name",
"malware cve",
"exif data",
"show",
"value exe",
"next",
"all ipv4",
"pulse pulses",
"passive dns",
"urls",
"reverse dns",
"location united",
"america flag",
"ashburn",
"status",
"name servers",
"ip address",
"showing",
"domain",
"files ip",
"windows nt",
"slcc2",
"media center",
"medium",
"simda",
"internal",
"local",
"write c",
"domain add",
"ip whois",
"registrar",
"hostname",
"present jul",
"unknown ns",
"present dec",
"music",
"servers",
"hostname add",
"pulse submit",
"url analysis",
"aaaa",
"backdoor",
"entries",
"found",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"record value",
"emails",
"win32",
"mtb may",
"invalid url",
"ransom",
"trojanspy",
"msil",
"akamai",
"expiration date",
"body html",
"present nov",
"url add",
"http",
"files domain",
"files related",
"pulses none",
"related tags",
"present sep",
"present oct",
"flag",
"analysis tip",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"date",
"domain address",
"dynadot inc",
"name server",
"contacted hosts",
"process details",
"network traffic",
"ck id",
"show technique",
"mitre att",
"ck matrix",
"t1566",
"submitted url",
"t1204",
"learn",
"name tactics",
"informative",
"adversaries",
"command",
"spawns",
"access att",
"t1566 phishing",
"pattern match",
"show process",
"t1071",
"t1057",
"general",
"path",
"brian sabey",
"christopher p ahmann",
"quasi",
"foundry",
"helix",
"remote attacks",
"hit men",
"sreredrum",
"pleh"
],
"references": [
"apple.com \u2022 getsupport.apple.com \u2022",
"https://www.idvd.eu/?cid=oas-japac-domains-applestore.com.cn/90.i.lolik.anyciona.patrolita.casse.897866 \u2022 oas-japac-domains-applestore.com.cn",
"http://beelinerouter.net/",
"Tulach - 114.114.114.114",
"http://foundry2-lbl.dvr.dn2.n-helix.com",
"foundry.com \u2022 helix. com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/Fadok!rfn",
"display_name": "Worm:Win32/Fadok!rfn",
"target": "/malware/Worm:Win32/Fadok!rfn"
},
{
"id": "VirTool:Win32/Injector.gen!BQ",
"display_name": "VirTool:Win32/Injector.gen!BQ",
"target": "/malware/VirTool:Win32/Injector.gen!BQ"
},
{
"id": "Mydoom",
"display_name": "Mydoom",
"target": null
},
{
"id": "Win.Spyware.88778-2",
"display_name": "Win.Spyware.88778-2",
"target": null
},
{
"id": "Win.Malware.Delf-10008156-0",
"display_name": "Win.Malware.Delf-10008156-0",
"target": null
},
{
"id": "Trojan.MyDoom/Muldrop",
"display_name": "Trojan.MyDoom/Muldrop",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator",
"display_name": "VirTool:Win32/Obfuscator",
"target": "/malware/VirTool:Win32/Obfuscator"
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1578",
"name": "Modify Cloud Compute Infrastructure",
"display_name": "T1578 - Modify Cloud Compute Infrastructure"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1584.003",
"name": "Virtual Private Server",
"display_name": "T1584.003 - Virtual Private Server"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
},
{
"id": "T1408",
"name": "Disguise Root/Jailbreak Indicators",
"display_name": "T1408 - Disguise Root/Jailbreak Indicators"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 422,
"FileHash-SHA1": 316,
"FileHash-SHA256": 1950,
"domain": 899,
"URL": 6117,
"email": 21,
"hostname": 2037,
"SSLCertFingerprint": 2,
"CVE": 1
},
"indicator_count": 11765,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "148 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"It appears there are 5-7 known affected that I was able to find",
"https://www.idvd.eu/?cid=oas-japac-domains-applestore.com.cn/90.i.lolik.anyciona.patrolita.casse.897866 \u2022 oas-japac-domains-applestore.com.cn",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"apple.com \u2022 getsupport.apple.com \u2022",
"http://beelinerouter.net/",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"Tulach - 114.114.114.114",
"http://foundry2-lbl.dvr.dn2.n-helix.com",
"foundry.com \u2022 helix. com",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Trojan:win32/smkldr.h!mtb",
"#lowfi:lua:dllsuspiciousexport.a",
"Trojan.mydoom/muldrop",
"Win.malware.delf-10008156-0",
"Worm:win32/fadok!rfn",
"Icedid",
"Win.spyware.88778-2",
"Mydoom",
"Virtool:win32/injector.gen!bq",
"Trojanspy",
"Virtool:win32/obfuscator"
],
"industries": [
"Legal",
"Telecom",
"Technology"
],
"unique_indicators": 23812
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/messagingengine.com",
"whois": "http://whois.domaintools.com/messagingengine.com",
"domain": "messagingengine.com",
"hostname": "stl-mx-02.messagingengine.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 2,
"pulses": [
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69312c4db6fe7eb34abd179d",
"name": "BeeLineRouter.Net \u2022 Apple \u2022 Worms \u2022 Ransom \u2022 SpyWare",
"description": "Direct- remotely accesses iOS devices. Same threat actors. Further research warranted.| \n\n#theyswarm #apple #worms #spyware #ransom #quasi",
"modified": "2026-01-03T05:02:11.376000",
"created": "2025-12-04T06:38:05.504000",
"tags": [
"worm",
"readme.exe",
"foto.pif",
"z1nic.exe",
"dynamicloader",
"high",
"windows",
"checks",
"named pipe",
"http traffic",
"ids detections",
"yara detections",
"alerts",
"launch",
"defense evasion",
"ta0005",
"files",
"msie",
"next dropped",
"process name",
"pe32",
"intel",
"ms windows",
"unknown",
"united",
"tlsv1",
"as14618",
"top source",
"top destination",
"port",
"destination",
"source source",
"matches rule",
"hidden file",
"extension",
"connection",
"http vary",
"tulach",
"url https",
"indicator role",
"active related",
"ipv4",
"url http",
"macintosh",
"intel mac",
"os x",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"bq dec",
"virtool",
"win32mydoom dec",
"trojan",
"win32cve dec",
"avast avg",
"mtb dec",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"ff d5",
"yara rule",
"ascii text",
"f0 ff",
"eb e1",
"write",
"malware",
"suspicious",
"observed dns",
"query",
"exploits",
"sid name",
"malware cve",
"exif data",
"show",
"value exe",
"next",
"all ipv4",
"pulse pulses",
"passive dns",
"urls",
"reverse dns",
"location united",
"america flag",
"ashburn",
"status",
"name servers",
"ip address",
"showing",
"domain",
"files ip",
"windows nt",
"slcc2",
"media center",
"medium",
"simda",
"internal",
"local",
"write c",
"domain add",
"ip whois",
"registrar",
"hostname",
"present jul",
"unknown ns",
"present dec",
"music",
"servers",
"hostname add",
"pulse submit",
"url analysis",
"aaaa",
"backdoor",
"entries",
"found",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"record value",
"emails",
"win32",
"mtb may",
"invalid url",
"ransom",
"trojanspy",
"msil",
"akamai",
"expiration date",
"body html",
"present nov",
"url add",
"http",
"files domain",
"files related",
"pulses none",
"related tags",
"present sep",
"present oct",
"flag",
"analysis tip",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"date",
"domain address",
"dynadot inc",
"name server",
"contacted hosts",
"process details",
"network traffic",
"ck id",
"show technique",
"mitre att",
"ck matrix",
"t1566",
"submitted url",
"t1204",
"learn",
"name tactics",
"informative",
"adversaries",
"command",
"spawns",
"access att",
"t1566 phishing",
"pattern match",
"show process",
"t1071",
"t1057",
"general",
"path",
"brian sabey",
"christopher p ahmann",
"quasi",
"foundry",
"helix",
"remote attacks",
"hit men",
"sreredrum",
"pleh"
],
"references": [
"apple.com \u2022 getsupport.apple.com \u2022",
"https://www.idvd.eu/?cid=oas-japac-domains-applestore.com.cn/90.i.lolik.anyciona.patrolita.casse.897866 \u2022 oas-japac-domains-applestore.com.cn",
"http://beelinerouter.net/",
"Tulach - 114.114.114.114",
"http://foundry2-lbl.dvr.dn2.n-helix.com",
"foundry.com \u2022 helix. com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/Fadok!rfn",
"display_name": "Worm:Win32/Fadok!rfn",
"target": "/malware/Worm:Win32/Fadok!rfn"
},
{
"id": "VirTool:Win32/Injector.gen!BQ",
"display_name": "VirTool:Win32/Injector.gen!BQ",
"target": "/malware/VirTool:Win32/Injector.gen!BQ"
},
{
"id": "Mydoom",
"display_name": "Mydoom",
"target": null
},
{
"id": "Win.Spyware.88778-2",
"display_name": "Win.Spyware.88778-2",
"target": null
},
{
"id": "Win.Malware.Delf-10008156-0",
"display_name": "Win.Malware.Delf-10008156-0",
"target": null
},
{
"id": "Trojan.MyDoom/Muldrop",
"display_name": "Trojan.MyDoom/Muldrop",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator",
"display_name": "VirTool:Win32/Obfuscator",
"target": "/malware/VirTool:Win32/Obfuscator"
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1578",
"name": "Modify Cloud Compute Infrastructure",
"display_name": "T1578 - Modify Cloud Compute Infrastructure"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1584.003",
"name": "Virtual Private Server",
"display_name": "T1584.003 - Virtual Private Server"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
},
{
"id": "T1408",
"name": "Disguise Root/Jailbreak Indicators",
"display_name": "T1408 - Disguise Root/Jailbreak Indicators"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 422,
"FileHash-SHA1": 316,
"FileHash-SHA256": 1950,
"domain": 899,
"URL": 6117,
"email": 21,
"hostname": 2037,
"SSLCertFingerprint": 2,
"CVE": 1
},
"indicator_count": 11765,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "148 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://stl-mx-02.messagingengine.com",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://stl-mx-02.messagingengine.com",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780236250.7296576
}