{
"type": "URL",
"indicator": "https://support.Apple.com/en",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://support.Apple.com/en",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3047610478,
"indicator": "https://support.Apple.com/en",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 50,
"pulses": [
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-04-19T08:11:41.130000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27678,
"FileHash-SHA256": 47676,
"FileHash-MD5": 42534,
"FileHash-SHA1": 23213,
"hostname": 33703,
"URL": 75433,
"SSLCertFingerprint": 30,
"CVE": 7582,
"email": 313,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"IPv4": 80,
"URI": 5
},
"indicator_count": 284461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "8 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6995e22d28c9e9d76f0dec64",
"name": "Not So Awesome Fonts",
"description": "Researchers: Further review warranted on awesome fonts.",
"modified": "2026-04-13T23:46:40.833000",
"created": "2026-02-18T16:00:45.725000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 123,
"FileHash-MD5": 10,
"FileHash-SHA1": 12,
"FileHash-SHA256": 223,
"email": 5,
"hostname": 223,
"URL": 565,
"CVE": 29,
"SSLCertFingerprint": 2
},
"indicator_count": 1192,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6992bae83a5988dff8311490",
"name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)",
"description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.",
"modified": "2026-04-13T23:46:20.071000",
"created": "2026-02-16T06:36:24.788000",
"tags": [
"Obfuscation: XOR-based String Encryption (0x20)",
"T1110.001 (Brute Force: Password Guessing)",
"Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba",
"MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
"#PotentialUS-Origin_FalseFlag_Obfuscation"
],
"references": [
"Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186",
"Obfuscation: XOR-based String Encryption (0x20)",
"T1110.001 (Brute Force: Password Guessing)",
"This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains",
"Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f",
"Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.",
"his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.",
"The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.",
"By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.",
"The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting",
"",
"The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.",
"By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.",
"The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.",
"LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.",
"LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.",
"LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.",
"Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.",
"Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs",
"Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.",
"Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.",
"Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.",
"WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset."
],
"public": 1,
"adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s",
"targeted_countries": [],
"malware_families": [
{
"id": "Malware Family: StealthWorker / GoBrut",
"display_name": "Malware Family: StealthWorker / GoBrut",
"target": "/malware/Malware Family: StealthWorker / GoBrut"
},
{
"id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
"display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
"target": null
}
],
"attack_ids": [
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2166,
"FileHash-SHA1": 2067,
"FileHash-SHA256": 3371,
"domain": 13295,
"URL": 6860,
"email": 272,
"hostname": 4705,
"SSLCertFingerprint": 268,
"CVE": 107,
"CIDR": 6
},
"indicator_count": 33117,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 62,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69d6619d62ea0c3bbf0ebf75",
"name": "Mac OS Unwanted Programs | Mac Booster application potentially installed in background without target\u2019s knowledge",
"description": "Not installed by users I\u2019m researching for. Downloaded as an unwanted program Overview of com.iobit.MacBooster-3\ncom.iobit.MacBooster-3 is the package identifier for MacBooster 3, a software application developed by IObit. This application is specifically designed for optimizing and maintaining Mac computers.\nKey Features\nMacBooster 3 includes several essential features aimed at enhancing the performance and security of Mac systems:\nSystem Cleanup: .\nPerformance Boosting: \nMalware Protection: .\nCompatibility\nMacBooster 3 is compatible with macOS versions starting from OS X 10.9. False - \nWhat are the potential risks of using MacBooster 3 on a Mac computer?\nUsing MacBooster 3 on a Mac computer can lead to potentially unwanted program (PUP) behavior, including browser interference, frequent pop-ups, and the installation of unnecessary software.",
"modified": "2026-04-08T14:09:33.432000",
"created": "2026-04-08T14:09:33.432000",
"tags": [
"issuer apple",
"valid from",
"valid",
"serial number",
"macho",
"macho 64bit",
"mac os",
"x macho",
"intel",
"file version",
"team identifier",
"apple root",
"ca feb",
"am ma9eduzpcw",
"signers",
"issuer valid",
"from valid",
"status issuer",
"apple inc",
"valid apple",
"a9 a8",
"process32nextw",
"regsetvalueexa",
"read c",
"regdword",
"tls handshake",
"failure",
"msie",
"malware",
"write",
"win32",
"unknown",
"dynamicloader",
"high",
"myapp",
"device driver",
"host",
"worm",
"delphi",
"error",
"code",
"defender",
"next",
"file score",
"cryp",
"virus",
"checkin tls",
"forbidden yara",
"msvisualcpp2008",
"less ip",
"contacted",
"scanning host",
"trojan",
"exploit host",
"apple inc",
"monitored target",
"targeting",
"name servers",
"servers",
"expiration date",
"value emails",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"tulach"
],
"references": [
"com.iobit.MacBooster-3",
"IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden",
"Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ,",
"Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun",
"Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer",
"Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe",
"Alerts: injection_process_search antivm_network_adapters privilege_luid_check",
"Alerts: checks_debugger has_pdb raises_exception",
"IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96",
"Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com",
"Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen",
"I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.",
"https://otx.alienvault.com/indicator/cve/CVE-2023-22518",
"Issue! Team member found CVE-2023-22518 have origins from the State of Colorado",
"Issue! Multiple IoC\u2019s missing.",
"A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more",
"I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place",
"Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue",
"Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s",
"Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.",
"Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?",
"Researching using an easy powerful tool like this has led to confrontations.",
"I liked the tool. There is something strange happening with the pulses & IoC\u2019s",
"I did not clone my pulse to read Bit.io",
"I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members",
"There are serious researchers on here for a short time hoping to resolve serious cyber issues",
"I am unable to reach Level Blue regarding issues. Mailer Daemon only",
"It\u2019s not just me. I have contacted from very secured emails, networks, devices",
"I typically follow targets who have truly dangerous situations who no longer pulse.",
"This would be sent in an email but \u2026.",
"About pulse, found in peripheral.",
"When your pulse says contacted, who is contacted besides OTX?",
"An earlier version contacted entities affected or affecting targets."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Virus:Win32/Floxif.H",
"display_name": "Virus:Win32/Floxif.H",
"target": "/malware/Virus:Win32/Floxif.H"
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "Ransom:Win32/CVE-2017-0147",
"display_name": "Ransom:Win32/CVE-2017-0147",
"target": "/malware/Ransom:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 75,
"FileHash-MD5": 102,
"FileHash-SHA256": 2076,
"IPv4": 111,
"URL": 2496,
"CVE": 2,
"domain": 483,
"hostname": 938,
"email": 4,
"SSLCertFingerprint": 2
},
"indicator_count": 6289,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "11 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69aeda93ec05fb8653adca6d",
"name": "clone of my pulse. this dmv kit pdfkit.net used the same off logo kit it was one of the few i found in their fcc application . rpi&macids look for",
"description": "",
"modified": "2026-04-08T00:00:45.252000",
"created": "2026-03-09T14:34:59.072000",
"tags": [
"pfft.net"
],
"references": [
""
],
"public": 1,
"adversary": "pi, pdfkit.net",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "698c75717175e2cc7ff33df2",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 551,
"domain": 638,
"CVE": 114,
"hostname": 449,
"email": 28,
"FileHash-MD5": 145,
"FileHash-SHA1": 188,
"FileHash-SHA256": 132,
"Mutex": 1
},
"indicator_count": 2246,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 50,
"modified_text": "11 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69a145ba89a2b4af5a0aa721",
"name": "Credential Stuffing & C2 Config: AREK-BTC Variant (Zeppelin-Linked)",
"description": "IoCs for 83hcm-eadaebdbd / BF_BIND_STUFF Campaign\n[CONFIG_START]\nVERSION: 4.2.1-NSV4\nSERVER_HOST: akamaihd.net/eum/results.txt\nAUTH_KEY: 83hcm-eadaebdbd\nTARGET_LIST: /nests/stuffed_cred_v4.db\nACTION: BF_BIND_STUFF\nRETRY_LIMIT: 400\nLOG_PATH: /tmp/results_log.txt\n[PAYLOAD_REDIRECTS]\nURL1: https://formsv.nycourts.gov...\nURL2: https://caneidhelp.miami.edu...\nURL3: https://www.americanexpress.com...\n[USER_AGENT_SPOOF]\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\n[END_CONFIG]",
"modified": "2026-04-01T00:44:45.494000",
"created": "2026-02-27T07:20:26.222000",
"tags": [
"configstart",
"version",
"authkey",
"url1",
"useragentspoof",
"windows nt",
"win64",
"endconfig"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 91,
"domain": 33,
"hostname": 29,
"FileHash-SHA256": 91,
"FileHash-MD5": 1,
"FileHash-SHA1": 20,
"CVE": 14,
"email": 1
},
"indicator_count": 280,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "18 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6989077aa8c925b423ef9354",
"name": "Hybrid Managed Service Actor / provisioned insider",
"description": "An artifact was observed on May 4, 2025, utilizing a document lure. Analysis of the artifact indicated a failed cryptographic validation. This activity occurred specifically within the 24-hour period preceding the May 5, 2025, Microsoft DMARC/DKIM/SPF enforcement.\nThis activity was followed by the execution of suspected malware payloads, leading to the unauthorized transfer of data. The observed data exfiltration endpoint was hasthe.technology.",
"modified": "2026-03-31T21:36:40.020000",
"created": "2026-02-08T22:00:24.065000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 414,
"FileHash-SHA256": 115,
"CVE": 91,
"hostname": 374,
"URL": 657,
"email": 19,
"JA3": 1,
"FileHash-MD5": 13,
"FileHash-SHA1": 13
},
"indicator_count": 1697,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 51,
"modified_text": "18 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "698d30c03b57c38dff915023",
"name": "Double Umbrella AS15169/AS21928: This evaluates a critical structural convergence between Google (AS15169) and T-Mobile USA (AS21928) within the global Tier-1 routing backbone",
"description": "Research credit: msudosos, The research identifies a high-fidelity pattern where traffic from dual origins commingles within a restricted lateral transit hub, allowing for horizontal movement across backbone providers that typically maintain distinct trust boundaries. Specifically, the Content Origin (Umbrella A) originated by Google (AS15169) reaches the core backbone through a high-trust sequence involving Arelion (AS1299), NTT (AS2914), and GTT (AS3257). Simultaneously, the Mobile Origin (Umbrella B) originated by T-Mobile USA (AS21928) enters the backbone via Cogent (AS174) and Lumen (AS3356). The findings designate Lumen (AS3356) as the central lateral hub where traffic pivots horizontally between the \u201cCore Five\u201d partners-including Zayo (AS6461) and Hurricane Electric (AS6939) \u2014before leaking to international sub-transit peers like Sparkle (AS6762) and Telxius (AS12956), finally exiting at global edge points such as PCCW (AS3491) and Tata (AS6453).",
"modified": "2026-03-29T06:02:00.914000",
"created": "2026-02-12T01:45:36.128000",
"tags": [
"The dynamics of the mudoSOSIntersectalign with sophisticated adv"
],
"references": [
"as15169"
],
"public": 1,
"adversary": "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 3,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URI": 1,
"domain": 2661,
"URL": 6810,
"hostname": 2147,
"email": 56,
"FileHash-SHA256": 2781,
"CVE": 172,
"FileHash-MD5": 365,
"FileHash-SHA1": 344,
"IPv4": 1,
"CIDR": 20940
},
"indicator_count": 36278,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 52,
"modified_text": "21 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "698c3273517158869e0ba780",
"name": "Reputation Shielded C2 Pivot; High-Churn Wix Infrastructure with iCloud Exfil Adjacency",
"description": "Researcher Note (Feb 11, 2026) IPv4 185.230.61.96 (AS58182 \u2013 Wix.com Ltd.), resolving to unalocated.61.wixsite.com, demonstrates indicators consistent with structured abuse of shared SaaS hosting for command-and-control operations. Passive DNS telemetry reflects 500+ historical domain bindings across 52 TLDs, suggesting deliberate namespace dispersion and rotational overlay management rather than static tenancy. Network detections include repeated FormBook HTTP GET check-ins, Pushdo loader beacon cadence, and Windows Network Diagnostics user-agent spoofing, collectively aligning with controlled tasking infrastructure. Associated artifacts (11/50 AV detections) cluster around credential-stealer and loader families, including FormBook and GandCrab lineage components. The behavioral profile supports assessment of reputation parasitism\u2014leveraging trusted hosting to inherit platform trust and evade domain-based enforcement controls. Confidence: Moderate-High. MITRE: T1071.001, T1105, T1036.",
"modified": "2026-03-29T00:29:26.398000",
"created": "2026-02-11T07:40:32.757000",
"tags": [],
"references": [],
"public": 1,
"adversary": "Tier-1 SaaS Reputation Parasitism Leveraging Wix Infrastructure",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 265,
"domain": 294,
"URL": 331,
"email": 12,
"CVE": 61,
"FileHash-MD5": 73,
"FileHash-SHA1": 64,
"FileHash-SHA256": 74
},
"indicator_count": 1174,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 53,
"modified_text": "21 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "698ef344417f9985660e698b",
"name": "Pulse Data",
"description": "A complete summary of all the key points in the analysis of the W32.virus, compiled by the University of California, Los Angeles, at the end of May, 2014, and published online.",
"modified": "2026-03-28T07:23:23.210000",
"created": "2026-02-13T09:47:48.788000",
"tags": [
"imphash",
"file type",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"detections tls",
"zeppelin"
],
"references": [
"",
"4860f9c5ec1ab473f1d63d19a31c82798d65a8d2 Add to Pulse Pulses 2 AV Detections 1 IDS Detections 5 YARA Detections 3 Alerts 0 Analysis Overview Analysis Date 4 days ago File Score 12 Malicious Antivirus Detections TrojanDownloader:Win32/Tugspay.A IDS Detections TLS Handshake Failure 403 Forbidden Yara Detections Win32_PUA_Domaiq , aPLib , PECompact_2xx Alerts 31 Alerts antivm_display infostealer_browser infostealer_cookies procmem_yara static_pe_anomaly suricata_alert antivm_bochs_keys physical_drive_access "
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 646,
"FileHash-SHA1": 604,
"FileHash-SHA256": 1373,
"hostname": 1143,
"domain": 1381,
"URL": 2537,
"CVE": 101,
"email": 25,
"SSLCertFingerprint": 9
},
"indicator_count": 7819,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "22 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6988faa4f668aeeed6f86da8",
"name": "zero trust",
"description": "researcher credit: msudoSOS : CLBCatQ.DLL\tThe malware is hijacking your COM+ Class Catalog to hide as a System Service.\nCoMarshalInterface\tYour identity is being \"packaged\" and sent via the LTE Trial to the '' Edge.\npid 2356 / 2812\tThese are the active processes currently communicating with the 49.12.22.106 C2 server.",
"modified": "2026-03-27T09:05:26.285000",
"created": "2026-02-08T21:05:37.829000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/C2Lop",
"display_name": "ALF:HeraklezEval:Trojan:Win32/C2Lop",
"target": null
},
{
"id": "#LowFi:HSTR:PyInstaller_Packaged_Script",
"display_name": "#LowFi:HSTR:PyInstaller_Packaged_Script",
"target": null
},
{
"id": "#Exploit:Win32/BlofeldsCat",
"display_name": "#Exploit:Win32/BlofeldsCat",
"target": "/malware/#Exploit:Win32/BlofeldsCat"
},
{
"id": "TEL:Exploit:HTML/PSWebkit",
"display_name": "TEL:Exploit:HTML/PSWebkit",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 394,
"hostname": 250,
"CVE": 112,
"URL": 190,
"email": 25,
"JA3": 1,
"FileHash-MD5": 191,
"FileHash-SHA1": 214,
"FileHash-SHA256": 607
},
"indicator_count": 1984,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 59,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "698904c316bc7710b967d01d",
"name": "Rare Tier 1 Persistence - Critical \"Patched\", Non Patched Vulnerabilities Remain bypassing Lockdown Mode",
"description": "Researcher Note (Feb 08, 2026):\nThis artifact represents a sophisticated Cross-Protocol Mesh. Observations confirm that the Cymt/Nemucod wrapper is being utilized as a delivery vehicle for a Firmware-resident ELF binary (Mirai variant).\nThe persistence is notable for its ability to survive Full DFU Restores and Faraday-isolated states, likely due to JTAG-level interaction with the Power Management IC (Chip 4799). This is not a standard opportunistic infection; it is a targeted provisioning event leveraging IDMSA (Identity Management) bridges and Verizon/Akamai Edge infrastructure.\nThe integration with CalendarKit and Maps for geofenced execution suggests a highly coordinated surveillance objective. Forensic analysts should pay specific attention to the sizeofrawdata_antidbg anomalies, which indicate a focus on bypassing Apple Lockdown Mode and Secure Enclave. \nresearcher credit: msudoSOS",
"modified": "2026-03-27T09:05:26.285000",
"created": "2026-02-08T21:48:49.147000",
"tags": [
"#supportsitewebsiteabuse #rootcertificatefailure #cryptographicf"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 909,
"URL": 1779,
"CVE": 126,
"domain": 659,
"email": 23,
"JA3": 1,
"FileHash-MD5": 230,
"FileHash-SHA1": 227,
"FileHash-SHA256": 934,
"CIDR": 13
},
"indicator_count": 4901,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 54,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "698918baac756a084ef67089",
"name": "151.101.0.22",
"description": "151.101.0.22",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-02-08T23:13:59.775000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 317,
"domain": 494,
"URL": 286,
"CVE": 78,
"email": 33,
"JA3": 1,
"FileHash-MD5": 10,
"FileHash-SHA1": 4,
"FileHash-SHA256": 2
},
"indicator_count": 1225,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 53,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "698910df5a3e7798d4da271a",
"name": "hostasa.org",
"description": "Correlated activity identified with hostasa.org (IP: 34.41.139.193). Indicators suggest an MSI-based Malspam vector initiated on May 4, 2025. Artifacts utilize HWRN nameservers for resilient command-and-control, bridging ASP.NET reflective loaders to the Verizon LTE/Baseband layer. Domain is currently tagged for SpyNoon and ClipBanker exfiltration",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-02-08T22:40:28.891000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 278,
"hostname": 177,
"URL": 133,
"FileHash-SHA256": 22,
"CVE": 69,
"email": 14,
"JA3": 1
},
"indicator_count": 694,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 51,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "698910e3f78fe72e45c8e068",
"name": "hostasa.org",
"description": "Correlated activity identified with hostasa.org (IP: 34.41.139.193). Indicators suggest an MSI-based Malspam vector initiated on May 4, 2025. Artifacts utilize HWRN nameservers for resilient command-and-control, bridging ASP.NET reflective loaders to the Verizon LTE/Baseband layer. Domain is currently tagged for SpyNoon and ClipBanker exfiltration",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-02-08T22:40:32.430000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 80,
"URL": 141,
"domain": 348,
"hostname": 234,
"email": 18,
"JA3": 1,
"FileHash-MD5": 10,
"FileHash-SHA1": 7,
"FileHash-SHA256": 6
},
"indicator_count": 845,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 52,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "698c75717175e2cc7ff33df2",
"name": "103.203.175.90 - Document and Domain Research Intersect, PDFKIT.NET DMV",
"description": "http://103.203.175.90:81/fdScript/RootOfEBooks/E%20Book%20collection%20-%202024%20-%20D/CSE%20%20IT%20AIDS%20ML/Raspberry%20Pi%20linux-@Computer_IT_Engineering.pdf\n103.203.175.90",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-02-11T12:26:20.490000",
"tags": [
"pfft.net"
],
"references": [
""
],
"public": 1,
"adversary": "pi, pdfkit.net",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 550,
"domain": 638,
"CVE": 113,
"hostname": 445,
"email": 28,
"FileHash-MD5": 145,
"FileHash-SHA1": 136,
"FileHash-SHA256": 132,
"Mutex": 1
},
"indicator_count": 2188,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 50,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "698e906da16336f8e87c3b90",
"name": "CoinHive Clone ",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-02-13T02:46:05.544000",
"tags": [
"united",
"td tr",
"a domains",
"history group",
"state",
"b td",
"present sep",
"find",
"alabama",
"iowa",
"apache",
"content type",
"passive dns",
"meta http",
"content",
"gmt server",
"pragma",
"title",
"linksys eseries",
"device rce",
"inbound",
"et exploit",
"attempt",
"et webserver",
"suspicious user",
"user agent",
"et worm",
"policy python",
"python",
"agent",
"generic",
"malware",
"nids",
"dst_ip",
"\"sid\": 2017515,",
"2020/08/23",
"dst_port\": 8080",
"suricata",
"network_icmp",
"tcp_syn_scan",
"unix",
"mirai",
"infection",
"port 8080",
"aitm",
"mitm",
"xfinity",
"lumen backbone",
"xfinity cf",
"et info",
"useragent",
"webserver",
"android",
"linux",
"statistically stripped",
"local",
"Jefferson County",
"Colorado",
"State",
"is__elf",
"is__war",
"cyber warfare",
"marking",
"targeting",
"stalking",
"impersonating",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"initial access",
"defense evasion",
"mitre att",
"ck matrix",
"february",
"hybrid",
"general",
"path",
"encrypt",
"click",
"strings",
"attack",
"ssl certificate",
"ascii text",
"dynamicloader",
"yara rule",
"ff d5",
"medium",
"high",
"eb d8",
"f0 ff",
"ff bb",
"host",
"unknown",
"explorer",
"virtool",
"write",
"next",
"Douglas County",
"Michael Roberts",
"Brian Sabey",
"Chris\u2019Buzz\u2019 Ahmann",
"Mirai BotMaster",
"file type",
"pexe",
"pe32",
"intel",
"ms windows",
"date march",
"am size",
"imphash",
"otx logo",
"all filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"moved",
"urls",
"expiration date",
"all hostname",
"files",
"media",
"present feb",
"present jan",
"present dec",
"present nov",
"ip address",
"present",
"codex",
"sf.net",
"next associated",
"ipv4 add",
"location united",
"america flag",
"spawns",
"found",
"t1480 execution",
"pattern match",
"present aug",
"search",
"name servers",
"showing",
"record value",
"meta",
"accept",
"div div",
"request blocked",
"helvetica neue",
"helvetica segoe",
"ui arial",
"denver",
"yandex",
"post",
"entries",
"post http",
"show",
"post liquor",
"execution",
"port",
"destination",
"icmp traffic",
"dns query",
"include",
"top source"
],
"references": [
"https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in",
"genealogytrails.com",
"It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT",
"Has been present throughout a specific campaign",
"Mirai",
"IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt",
"IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS",
"IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests",
"IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)",
"IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden",
"ET INFO User-Agent (python-requests) Inbound to Webserver",
"Suspicious User Agent | ETPRO POLICY Python Requests",
"src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105",
"\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,",
"TCP SYN packets were observed",
"ET WORM TheMoon.linksys.router",
"ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound",
"\"ET WEB_SERVER WebShell Generic - wget http - POST",
"Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX",
"Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication",
"Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc",
"Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject",
"File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:",
"upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4",
"192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net",
"Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB",
"IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz",
"IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin",
"Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
"Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process",
"Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert",
"Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options",
"Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..",
"IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193",
"IPs Contacted: 149.56.240.31 172.66.136.209",
"Domains Contacted: c.statcounter.com sstatic1.histats.com",
"Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com",
"Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com",
"Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com",
"Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com",
"Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com",
"Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com",
"Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com",
"Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Unix.Trojan.Mirai-7646352-0",
"display_name": "Unix.Trojan.Mirai-7646352-0",
"target": null
},
{
"id": "SpyFu",
"display_name": "SpyFu",
"target": null
},
{
"id": "Win.Trojan.VB-83922",
"display_name": "Win.Trojan.VB-83922",
"target": null
},
{
"id": "virtool:Win32/VBInject.gen!JB",
"display_name": "virtool:Win32/VBInject.gen!JB",
"target": "/malware/virtool:Win32/VBInject.gen!JB"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1562.003",
"name": "Impair Command History Logging",
"display_name": "T1562.003 - Impair Command History Logging"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1608.004",
"name": "Drive-by Target",
"display_name": "T1608.004 - Drive-by Target"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "698966742c9fd9691396bb3a",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5836,
"domain": 857,
"FileHash-MD5": 185,
"FileHash-SHA1": 147,
"hostname": 1842,
"email": 7,
"FileHash-SHA256": 947,
"CVE": 43,
"SSLCertFingerprint": 8
},
"indicator_count": 9872,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf64eccb5d39a90a3c391e",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:32.565000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf64e1d5e06aa6207f78de",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:21.863000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699c6ef61298b57cd7275728",
"name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s",
"description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.",
"modified": "2026-03-25T07:05:10.628000",
"created": "2026-02-23T15:15:02.857000",
"tags": [
"ipv4",
"http",
"passive dns",
"files domain",
"united",
"unknown ns",
"for privacy",
"ip address",
"domain",
"dynamicloader",
"antivirus",
"yara rule",
"fe ff",
"write c",
"msvisualcpp60",
"rsds",
"e8 c8",
"e8 a8",
"ff e1",
"unknown",
"worm",
"launch",
"write",
"explorer",
"february",
"push",
"service",
"files",
"reverse dns",
"america flag",
"america asn",
"url add",
"otx logo",
"all ipv4",
"searc",
"date checked",
"server response",
"results dec",
"unknown soa",
"present aug",
"present oct",
"present sep",
"present nov",
"moved",
"error",
"title",
"win32mydoom feb",
"aaaa",
"name servers",
"trojan",
"servers",
"virtool",
"united states",
"apple",
"crlf line",
"unicode text",
"utf8",
"ff d5",
"ascii text",
"ee fc",
"suspicious",
"music",
"malware",
"role title",
"ttl value",
".cc",
"d4 f5",
"msvisualcpp2002",
"msvisualcpp2005",
"apple support",
".ch",
"privaterelay",
"pattern match",
"ck id",
"mitre att",
"ck matrix",
"href",
"et info",
"general",
"local",
"path",
"click",
"learn",
"command",
"name tactics",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"present jun",
"backdoor",
"present may",
"status",
"ransom",
"high",
"medium",
"windows",
"tofsee",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"stream",
"delete",
"emotet",
"bot network",
"mitm",
"screenshot",
"mimecast"
],
"references": [
"http://apple.support.com/ht***** redirect",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"mac.store",
"https://icloud.ch/cn/ipod-touch/",
"https://icloud.ch/",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"Redirect: schemas.microsoft.com",
"apple.com(-inc.cc)",
"oas-japac-domains-applecomputer.cn",
"robert-aebi.appleid.com",
"smtp2.icl-privaterelay.appleid.com",
"http://audaxgroup.appleid.com/",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"iphonegermany.com",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"https://aspmx.l.google.com/",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"http://www.icloud-sms-alert.com/",
"monitoring.eurovision.net",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"monitor.kyos.ninja"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/IcedId.DI!MTB",
"display_name": "Trojan:Win32/IcedId.DI!MTB",
"target": "/malware/Trojan:Win32/IcedId.DI!MTB"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Worm:Win32/Bloored",
"display_name": "Worm:Win32/Bloored",
"target": "/malware/Worm:Win32/Bloored"
},
{
"id": "Win.Malware.Elenooka-6996044-0",
"display_name": "Win.Malware.Elenooka-6996044-0",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6031,
"hostname": 1971,
"domain": 1125,
"FileHash-SHA256": 1715,
"email": 18,
"FileHash-MD5": 317,
"FileHash-SHA1": 164
},
"indicator_count": 11341,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf27fc6d31ed143807e1db",
"name": "Apple abuse by law firm - remote attackers.",
"description": "They will put you in many botnets. Remote attacks on Apple products.http://thebrotherssabey.com/\t\t\t\nhttps://thebrotherssabey.com/\t\t\t\nthebrotherssabey.com",
"modified": "2026-03-21T23:21:32.200000",
"created": "2026-03-21T23:21:32.200000",
"tags": [
"active related",
"thebrotherssabey",
"apple"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 196,
"domain": 11,
"hostname": 79,
"FileHash-SHA256": 20
},
"indicator_count": 306,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "28 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf261cc4e399447d78776c",
"name": "Cyber Bully Attackers | Revenge Attacks | Remote attackers | Malware Packed |",
"description": "Several government entities, attorneys have sought porn revenge including physical violence, attempted crimes, malicious prosecution case , harassment when a female patient of man formerly known as Jeffrey Scott Reimer of Chester Springs, PA, violently, critically injured patient in a sexually charged assault [URL\thttp://foundry2-lbl.dvr.dn2.n-helix.com\t\t\t\nhttps://foundry2-lbl.dvr.dn2.n-helix.com\t\tfoundry2-lbl.dvr.dn2.n-helix.com\t\t\t\t\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\nhttp://datafoundry.com\t\t\t\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\thttps://209-99-40-223.fwd.datafoundry.com\t\t\t\ndatafoundry.com",
"modified": "2026-03-21T23:13:32.760000",
"created": "2026-03-21T23:13:32.760000",
"tags": [
"sc data",
"data upload",
"please sub",
"include data",
"extraction",
"failed",
"sc pulse",
"idron anv",
"extr please",
"include review",
"exclude sugges",
"stop show",
"typ domain",
"united",
"virtool",
"name servers",
"cryp",
"emails",
"win32",
"ip address",
"worm",
"trojan",
"learn",
"suspicious",
"informative",
"ck id",
"name tactics",
"command",
"adversaries",
"spawns",
"ssl certificate",
"initial access",
"link initial",
"prefetch8",
"mitre att",
"ck matrix",
"flag",
"windows nt",
"win64",
"accept",
"encrypt",
"form",
"hybrid",
"bypass",
"general",
"path",
"iframe",
"click",
"strings",
"anchor https",
"anchor",
"liberal",
"sabey",
"liberal friends",
"meta",
"html internet",
"html document",
"unicode text",
"utf8 text",
"info initial",
"access ta0001",
"compromise",
"t1189 network",
"communication",
"get http",
"artifacts v",
"full reports",
"v get",
"help dns",
"resolutions",
"ip traffic",
"extr data",
"enter sc",
"extra data",
"referen",
"broth",
"passive dns",
"urls",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"none google",
"safe browsing",
"inquest labs",
"lucas acha",
"code integrity",
"checks creation",
"otx logo",
"all hostname",
"files",
"domain",
"protect",
"date",
"title",
"exchange",
"se http",
"present jan",
"present feb",
"present dec",
"backdoor",
"certificate",
"all domain",
"alibaba cloud",
"hichina",
"porkbun llc",
"cloudflare",
"namecheap inc",
"namecheap",
"domains",
"dynadot llc",
"ascio",
"denmark",
"url https",
"filehashsha256",
"url http",
"dopple ai",
"snit",
"iocs",
"otx description",
"information",
"report spam",
"delete service",
"poem",
"hunter",
"malicious",
"porn revenge",
"brian sabeys",
"all report",
"spam delete",
"rl http",
"https",
"expiration http",
"spam brian",
"swipper",
"type indicator",
"role title",
"added active",
"related pulses",
"filehashmd5",
"filehashsha1",
"sha256",
"scan",
"learn more",
"indicators show",
"tbmvid",
"sourcelnms",
"zx1724209326040",
"xxx videos",
"xxxvideohd",
"adversary",
"packing",
"palantir.com",
"discovery",
"victim won case",
"doin it",
"palantirian abuse",
"apple",
"sabey data centers",
"insurance",
"quasi government",
"the brother sabey",
"reimer",
"law enforcement",
"vessel state",
"sabey porn",
"hall evans",
"christopher ahmann",
"defamation",
"google"
],
"references": [
"The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/",
"http://watchhers.net/index.php",
"http://212.33.237.86/images/1/report.php",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://webmail.police.govmm.org/owa/",
"https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl",
"https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215",
"Mark Brian Sabey",
"Melvin Sabey",
"Christopher P \u2018Buzz\u2019 Ahmann",
"Ronda Cordova",
"Unknown Persons impersonating Private Investigators (plural)",
"Quasi Government Case",
"Victim silenced. Struck by Car Driven by male police let walk",
"Denver Police let this attempted murder walk. Cited him as a ghost driver",
"Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora",
"Sexual and Physical Assaulter - Jeffrey Scott Reimer",
"Reimer was a PT. Unknown whereabouts , name or job description",
"Denver Police Department Major Crimes closed investigation",
"Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim",
"I bring up the personal nature of the crime because a delete service has been used",
"More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed",
"All IoC\u2019s originate from sources named. There are some unknown attackers",
"This is a serious crime. I\u2019m certain God WILL pay them.",
"https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com",
"http://palantirwww.sweetheartvideo.com/ (weirdness)",
"http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx",
"https://www.datafoundry.com/data-center-contamination-control/",
"https://www.datafoundry.com/data-center-contamination-control/",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"http://foundry2-lbl.dvr.dn2.n-helix.com/",
"https://207-207-25-201.fwd.datafoundry.com/",
"http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd",
"http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://rdweb.datafoundry.com/",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"http://foundry2sdbl.dvr.dn2.n-helix.com/",
"Updated | What\u2019s left after theft",
"207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com",
"207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com",
"https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse",
"https://www.datafoundry.com/category/news/press-releases/",
"207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com",
"209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com",
"www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com",
"http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com",
"http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/",
"https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022",
"https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/",
"https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com",
"Some may may find this content is very disturbing and offensive"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Porn Revenge",
"display_name": "Porn Revenge",
"target": null
},
{
"id": "Tons of Malware",
"display_name": "Tons of Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1132.001",
"name": "Standard Encoding",
"display_name": "T1132.001 - Standard Encoding"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1495",
"name": "Firmware Corruption",
"display_name": "T1495 - Firmware Corruption"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1586.001",
"name": "Social Media Accounts",
"display_name": "T1586.001 - Social Media Accounts"
},
{
"id": "T1593.001",
"name": "Social Media",
"display_name": "T1593.001 - Social Media"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6034,
"domain": 1422,
"IPv4": 883,
"FileHash-MD5": 274,
"FileHash-SHA1": 252,
"FileHash-SHA256": 3378,
"email": 11,
"hostname": 2753,
"CVE": 1,
"SSLCertFingerprint": 9,
"IPv6": 32
},
"indicator_count": 15049,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "28 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "697931b0ee201182f970bc33",
"name": "https://support[.]apple[.]com/en-ca/",
"description": "Apple iPadOS Update\nhttps://support[.]apple[.]com/en-ca/126047\nCertificate Trust Settings:\nTrust Store Version: 2025082000\nTrust Asset Version: 1011",
"modified": "2026-02-26T21:03:49.546000",
"created": "2026-01-27T21:44:16.421000",
"tags": [
"Apple"
],
"references": [
"https://www.virustotal.com/gui/collection/49dc173bbaf3c632d46d614106ac72d2fba72444f14c618995b797757815d5b4",
"https://www.virustotal.com/gui/collection/49dc173bbaf3c632d46d614106ac72d2fba72444f14c618995b797757815d5b4/iocs",
"https://www.virustotal.com/graph/embed/g67beb17fa38042baaa378cde359bbf4ba510be6f4d5c4f40b2d39917c7f7b67c?theme=dark"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"Germany",
"Netherlands",
"Poland"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 4,
"URL": 438,
"domain": 18,
"hostname": 9,
"FileHash-SHA256": 102
},
"indicator_count": 571,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 131,
"modified_text": "51 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6962bb143187f7cb571ef6f5",
"name": "Pahamify Pegasus",
"description": "Hmmm, only able to manually add IOC\u2019s after last pulse.\n\nPulse: Pahamify Pegasus - Apple IOC\u2019s",
"modified": "2026-02-09T22:00:25.303000",
"created": "2026-01-10T20:48:20.438000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1190,
"hostname": 891,
"URL": 4201,
"FileHash-SHA256": 1555,
"email": 33,
"FileHash-MD5": 591,
"FileHash-SHA1": 400
},
"indicator_count": 8861,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6962d43456bb524b17e9d5ce",
"name": "Apple MyDoom + IOC\u2019s isolated from Palantir related Pahamify Pegasus | BibleGateway App | Drive by & other targeting /.monitoring Access Attacks ",
"description": "",
"modified": "2026-02-09T22:00:25.303000",
"created": "2026-01-10T22:35:32.582000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "6962bb143187f7cb571ef6f5",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1190,
"hostname": 891,
"URL": 4201,
"FileHash-SHA256": 1555,
"email": 33,
"FileHash-MD5": 591,
"FileHash-SHA1": 400
},
"indicator_count": 8861,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6962b68da732abc66a0c2caf",
"name": "Der Zugriff \u2022 Kanna \u2022 MyDoom \u2022 Sigur - Pahamify Pegasus",
"description": "Pahamify Pegasus | Execution Attack, Access Attack | Drive by Compromise | \nSifting through Pahamify Pegasus this is no longer your computer , injection, google connects, remote connections, remote mouse movement, remote access, Google espionage, bad traffic, Apple complicit access. This is your Google account and browser, this is your appleid. Still researching\u2026. || \n*https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_ ||\nMalware: Der Zugriff ,\nKanna ,\nMyDoom ,\nSigur \n#firebase #google_connection #bible_gateway_honeypot #crypto #hidden_users #who_else",
"modified": "2026-02-09T19:00:09.890000",
"created": "2026-01-10T20:29:01.675000",
"tags": [
"ip address",
"status code",
"kb body",
"iocs",
"deny age",
"cloudfront",
"utc google",
"tag manager",
"g8t6ln06z40",
"utc na",
"google tag",
"injection",
"t1055 malware",
"tree",
"help v",
"defense evasion",
"injection t1055",
"resolved ips",
"get http",
"dns resolutions",
"v memory",
"pattern domains",
"full reports",
"v help",
"memory pattern",
"urls https",
"hashes",
"tiktok",
"microsoft",
"dashboard falcon",
"request",
"windows nt",
"win64",
"khtml",
"gecko",
"response",
"appleid",
"united",
"name servers",
"aaaa",
"servers",
"moved",
"script urls",
"passive dns",
"urls",
"data upload",
"extraction",
"failed",
"jsvendor",
"jsapp",
"script script",
"cssapp",
"jsfirebase",
"pegasus",
"encrypt",
"title error",
"ipv4",
"files",
"reverse dns",
"united states",
"malware",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"execution att",
"t1204 user",
"script",
"beginstring",
"bad traffic",
"et info",
"null",
"title",
"refresh",
"span",
"strings",
"error",
"tools",
"meta",
"look",
"verify",
"restart",
"mitre att",
"ascii text",
"pattern match",
"ck matrix",
"tls handshake",
"hybrid",
"general",
"local",
"path",
"click",
"ck techniques",
"access att",
"div div",
"a li",
"ul div",
"record value",
"emails",
"accept",
"referen https",
"microsoft-falcon.net",
"proxy",
"status",
"certificate",
"updated date",
"whois server",
"zipcode",
"entries http",
"scans show",
"search",
"matches x",
"type",
"gmt cache",
"all ipv4",
"america flag",
"america asn",
"sameorigin",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results jan",
"ipv4 add",
"win32mydoom jan",
"trojan",
"worm",
"expiration date",
"files show",
"date hash",
"avast avg",
"win32mydoom",
"backdoor",
"found",
"gmt connection",
"control",
"content type",
"twitter",
"dynamicloader",
"medium",
"high",
"msie",
"wow64",
"slcc2",
"media center",
"write",
"global",
"domain name",
"hostname",
"apple",
"racebook",
"mouse movement",
"remote mouse",
"domain",
"hostname add",
"url analysis",
"crlf line",
"ff d5",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"f0 ff",
"ff bb",
"music",
"push",
"autorun",
"unknown",
"present sep",
"present may",
"present jan",
"present aug",
"cname",
"present nov",
"present jun",
"apache",
"body",
"pragma",
"found registry",
"able",
"model",
"indicator",
"source",
"show technique",
"file",
"internet",
"errore",
"erreur",
"download",
"service",
"crypto",
"compiler",
"installer",
"yang",
"updater",
"shutdown",
"thunk",
"este",
"install",
"reboot",
"code",
"downloader",
"sigur",
"kanna",
"der zugriff",
"google",
"chrome",
"Pahamify Pegasus",
"christoper p. ahmann",
"law enforcement",
"retaliation",
"phone",
"espionage",
"united states",
"m brian sabey",
"quasi government",
"target",
"monitored targeting",
"aig",
"therahand (old name)",
"target: tsara brashears",
"douglas county, co",
"sheriff",
"industry and commerce",
"worker\u2019s compensation",
"crime",
"financial crime",
"danger",
"nem tih",
"amazon",
"aws",
"amazon aws",
"deal",
"deal with it lawfully",
"pay victim",
"protecting reimer"
],
"references": [
"https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com",
"https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
"Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur",
"Pahamify Pegasus",
"Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)",
"https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android",
"https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4",
"tv.apple.com",
"dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net",
"Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A",
"IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)",
"IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)",
"IDS: TLS Handshake Failure",
"Yara Detections BackdoorWin32Simda",
"Google_Chrome_64bit_v136.0.7103.49.exe",
"https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7",
"https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Pariham.A",
"display_name": "Trojan:Win32/Pariham.A",
"target": "/malware/Trojan:Win32/Pariham.A"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Virus:Win95/Cerebrus",
"display_name": "Virus:Win95/Cerebrus",
"target": "/malware/Virus:Win95/Cerebrus"
},
{
"id": "AutoRunIt",
"display_name": "AutoRunIt",
"target": null
},
{
"id": "Sigur",
"display_name": "Sigur",
"target": null
},
{
"id": "Kanna",
"display_name": "Kanna",
"target": null
},
{
"id": "Der Zugriff",
"display_name": "Der Zugriff",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1029",
"name": "Scheduled Transfer",
"display_name": "T1029 - Scheduled Transfer"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1074",
"name": "Data Staged",
"display_name": "T1074 - Data Staged"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1124",
"name": "System Time Discovery",
"display_name": "T1124 - System Time Discovery"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1213",
"name": "Data from Information Repositories",
"display_name": "T1213 - Data from Information Repositories"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1486",
"name": "Data Encrypted for Impact",
"display_name": "T1486 - Data Encrypted for Impact"
},
{
"id": "T1489",
"name": "Service Stop",
"display_name": "T1489 - Service Stop"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1529",
"name": "System Shutdown/Reboot",
"display_name": "T1529 - System Shutdown/Reboot"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1559",
"name": "Inter-Process Communication",
"display_name": "T1559 - Inter-Process Communication"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1569",
"name": "System Services",
"display_name": "T1569 - System Services"
},
{
"id": "T1570",
"name": "Lateral Tool Transfer",
"display_name": "T1570 - Lateral Tool Transfer"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1569.002",
"name": "Service Execution",
"display_name": "T1569.002 - Service Execution"
},
{
"id": "T1543.003",
"name": "Windows Service",
"display_name": "T1543.003 - Windows Service"
},
{
"id": "T1546.015",
"name": "Component Object Model Hijacking",
"display_name": "T1546.015 - Component Object Model Hijacking"
},
{
"id": "T1055.003",
"name": "Thread Execution Hijacking",
"display_name": "T1055.003 - Thread Execution Hijacking"
},
{
"id": "T1134.001",
"name": "Token Impersonation/Theft",
"display_name": "T1134.001 - Token Impersonation/Theft"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1134.002",
"name": "Create Process with Token",
"display_name": "T1134.002 - Create Process with Token"
},
{
"id": "T1070.006",
"name": "Timestomp",
"display_name": "T1070.006 - Timestomp"
},
{
"id": "T1564.003",
"name": "Hidden Window",
"display_name": "T1564.003 - Hidden Window"
},
{
"id": "T1497.003",
"name": "Time Based Evasion",
"display_name": "T1497.003 - Time Based Evasion"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1497.002",
"name": "User Activity Based Checks",
"display_name": "T1497.002 - User Activity Based Checks"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1027.005",
"name": "Indicator Removal from Tools",
"display_name": "T1027.005 - Indicator Removal from Tools"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1074.001",
"name": "Local Data Staging",
"display_name": "T1074.001 - Local Data Staging"
},
{
"id": "T1560.002",
"name": "Archive via Library",
"display_name": "T1560.002 - Archive via Library"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
}
],
"industries": [
"Civil Society",
"Legal",
"Government",
"Technology",
"Telecommunications",
"Financial"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6094,
"domain": 1195,
"hostname": 2001,
"FileHash-SHA256": 2598,
"FileHash-MD5": 546,
"FileHash-SHA1": 403,
"email": 16,
"CVE": 2,
"SSLCertFingerprint": 3
},
"indicator_count": 12858,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "692e8cd886e0bb692e8a9d08",
"name": "Blocker Ransomware affecting Apple and iCloud | Injection",
"description": "Wild! Hackers attack-ack-acking!\nThey\u2019re quite good. Persistent. Angry. \nIt\u2019s the same group of hackers.",
"modified": "2026-01-01T06:01:02.583000",
"created": "2025-12-02T06:53:12.823000",
"tags": [
"url https",
"url http",
"domain",
"fh no",
"ipv4",
"united",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"pattern match",
"mitre att",
"ck id",
"ck matrix",
"ascii text",
"href",
"network traffic",
"general",
"local",
"click",
"strings",
"learn",
"name tactics",
"suspicious",
"informative",
"found",
"command",
"adversaries",
"spawns",
"defense evasion",
"dynamicloader",
"windows nt",
"wow64",
"khtml",
"gecko",
"write c",
"unknown",
"virtool",
"write",
"defender",
"malware",
"delete",
"alerts",
"backdoor",
"high",
"ip address",
"t1045",
"packing",
"t1055",
"injection",
"t1060",
"run keys",
"startup",
"folder",
"t1119",
"t1027",
"tools",
"families",
"mirai",
"indicator role",
"active related",
"hackers",
"ahmann",
"usual suspects"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Backdoor:Win32/Drixed",
"display_name": "Backdoor:Win32/Drixed",
"target": "/malware/Backdoor:Win32/Drixed"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
},
{
"id": "Ransom:Win32/Blocker.NN!MTB",
"display_name": "Ransom:Win32/Blocker.NN!MTB",
"target": "/malware/Ransom:Win32/Blocker.NN!MTB"
},
{
"id": "Unix.Trojan.Mirai-7135937-0",
"display_name": "Unix.Trojan.Mirai-7135937-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1470",
"name": "Obtain Device Cloud Backups",
"display_name": "T1470 - Obtain Device Cloud Backups"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1066",
"name": "Indicator Removal from Tools",
"display_name": "T1066 - Indicator Removal from Tools"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1408",
"name": "Disguise Root/Jailbreak Indicators",
"display_name": "T1408 - Disguise Root/Jailbreak Indicators"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "T1590.002",
"name": "DNS",
"display_name": "T1590.002 - DNS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 234,
"FileHash-SHA1": 219,
"FileHash-SHA256": 841,
"URL": 2606,
"domain": 298,
"hostname": 772,
"SSLCertFingerprint": 2,
"CVE": 1
},
"indicator_count": 4973,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "108 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6910cafb096eae0dcb39a800",
"name": "Lawyers & Lazarus | Apple Spy : Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious",
"description": "Chronicles of how quasi government , a State owned criminal defense attorney , protects sexual assaulter Jeffrey Reimer DPT. victim Palantir harassed, withheld healthcare , diagnoses, justice, monetary award for injured, stole insurance policies, hacked Denver artists, sold music her to artists whom profited, hacked Denver music studios, hired stalkers, human, controlled phone , car and everything in targets life including , doctors, attorneys, hospitals. It\u2019s always been clear to coming us that Anonymous and Lazarus are the police, judge , lawyer, ransom racist.\nThis group alone has cost the US billions! Responsible for 2014 Sony hack , FMOE.\nDirect Link. by phone , email in person contact , forced settlement hearing,. Adversarial Christopher P. Ahmann , relationship w / Lazarus group, hitmen , cyber crime and other crimes against persons.\n #rip #christopher_ahmann #palantir #lazarus #target_tsara_brashears",
"modified": "2025-12-09T17:03:48.645000",
"created": "2025-11-09T17:10:19.498000",
"tags": [
"url http",
"apple",
"california",
"apple public",
"server rsa",
"organization",
"stateprovince",
"ocsp",
"nids united",
"files",
"united",
"unknown ns",
"ip address",
"domain",
"urls files",
"passive dns",
"found title",
"sf hello",
"myriad set",
"pro myriad",
"set lucida",
"grande arial",
"sf mono",
"ipv4",
"location united",
"america flag",
"america asn",
"verdict",
"files ip",
"address",
"as42 woodynet",
"domain add",
"ipv4 add",
"reverse dns",
"trojan",
"name servers",
"emails",
"for privacy",
"ltd dba",
"com laude",
"servers",
"expiration date",
"urls",
"meta",
"a domains",
"country code",
"store home",
"title",
"accept",
"espaol",
"english",
"evil corp",
"see all",
"cyber hack",
"republic",
"canada",
"season",
"joe tidy",
"sarah rainsford",
"podcast",
"bank",
"ukraine",
"dead",
"indonesia",
"police",
"premium",
"napoleon",
"revolution",
"michelangelo",
"mozart",
"global",
"solid",
"lazarus",
"jabber zeus",
"harrods",
"ta markmonitor",
"markmonitor",
"search",
"present aug",
"unknown aaaa",
"unknown soa",
"win32",
"invalid url",
"trojanspy",
"mtb apr",
"backdoor",
"next associated",
"win64",
"trojandropper",
"twitter",
"virtool",
"ransom",
"worm",
"dynamicloader",
"tlsv1",
"high",
"globalc",
"medium",
"windows",
"cmd c",
"delete c",
"stream",
"write",
"next",
"process32nextw",
"http host",
"dns query",
"likely gandcrab",
"et trojan",
"windows nt",
"wow64",
"malware",
"ms windows",
"as16509",
"as54113",
"yara rule",
"pe32 executable",
"as15169",
"powershell",
"unknown",
"response ip",
"address google",
"safe browsing",
"hostname add",
"port",
"destination",
"pe32",
"intel",
"error",
"show",
"delphi",
"dcom",
"form",
"canvas",
"united kingdom",
"content type",
"security",
"moved",
"great britain",
"unknown a",
"body doctype",
"html public",
"ietfdtd html",
"showing",
"packing t1045",
"bytes",
"read",
"default",
"christoper p ahmann",
"target",
"victims",
"tsara brashears",
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"present nov",
"present oct",
"date",
"tcpmemhit",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"sha256",
"sha1",
"mitre att",
"pattern match",
"show technique",
"ck matrix",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"palantir",
"foundry",
"hitmen",
"quasi",
"government contracts",
"jeffrey reimer",
"hallrender",
"workers compensation",
"record value",
"certificate"
],
"references": [
"apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC",
"https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"bpc-old.palantirfoundry.com",
"OTX auto populated targeted groups.",
"You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists",
"Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint",
"Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support",
"Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.",
"They blatantly steal from citizens , blame foreign entities.",
"This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents."
],
"public": 1,
"adversary": "Lazarus",
"targeted_countries": [
"Bangladesh",
"Japan",
"United States of America"
],
"malware_families": [
{
"id": "ALF:SpikeAexR.PEVPSZL",
"display_name": "ALF:SpikeAexR.PEVPSZL",
"target": null
},
{
"id": "Ransom:MSIL/GandCrab",
"display_name": "Ransom:MSIL/GandCrab",
"target": "/malware/Ransom:MSIL/GandCrab"
},
{
"id": "Zeus",
"display_name": "Zeus",
"target": null
},
{
"id": "Ransom:Win32/Gandcrab.H!MTB",
"display_name": "Ransom:Win32/Gandcrab.H!MTB",
"target": "/malware/Ransom:Win32/Gandcrab.H!MTB"
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [
"Banks",
"Crypto",
"Entertainment",
"Bank"
],
"TLP": "white",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4572,
"FileHash-MD5": 196,
"domain": 1523,
"hostname": 1393,
"FileHash-SHA256": 2400,
"FileHash-SHA1": 175,
"email": 18,
"SSLCertFingerprint": 8
},
"indicator_count": 10285,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "130 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69138a8144a8bf8040a92711",
"name": "Lawyers & Lazarus | Apple Spy : Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Counsel for egregious criminal acts \u2022 Christopher P. Ahmann attorney at Large",
"description": "",
"modified": "2025-12-09T17:03:48.645000",
"created": "2025-11-11T19:12:01.843000",
"tags": [
"url http",
"apple",
"california",
"apple public",
"server rsa",
"organization",
"stateprovince",
"ocsp",
"nids united",
"files",
"united",
"unknown ns",
"ip address",
"domain",
"urls files",
"passive dns",
"found title",
"sf hello",
"myriad set",
"pro myriad",
"set lucida",
"grande arial",
"sf mono",
"ipv4",
"location united",
"america flag",
"america asn",
"verdict",
"files ip",
"address",
"as42 woodynet",
"domain add",
"ipv4 add",
"reverse dns",
"trojan",
"name servers",
"emails",
"for privacy",
"ltd dba",
"com laude",
"servers",
"expiration date",
"urls",
"meta",
"a domains",
"country code",
"store home",
"title",
"accept",
"espaol",
"english",
"evil corp",
"see all",
"cyber hack",
"republic",
"canada",
"season",
"joe tidy",
"sarah rainsford",
"podcast",
"bank",
"ukraine",
"dead",
"indonesia",
"police",
"premium",
"napoleon",
"revolution",
"michelangelo",
"mozart",
"global",
"solid",
"lazarus",
"jabber zeus",
"harrods",
"ta markmonitor",
"markmonitor",
"search",
"present aug",
"unknown aaaa",
"unknown soa",
"win32",
"invalid url",
"trojanspy",
"mtb apr",
"backdoor",
"next associated",
"win64",
"trojandropper",
"twitter",
"virtool",
"ransom",
"worm",
"dynamicloader",
"tlsv1",
"high",
"globalc",
"medium",
"windows",
"cmd c",
"delete c",
"stream",
"write",
"next",
"process32nextw",
"http host",
"dns query",
"likely gandcrab",
"et trojan",
"windows nt",
"wow64",
"malware",
"ms windows",
"as16509",
"as54113",
"yara rule",
"pe32 executable",
"as15169",
"powershell",
"unknown",
"response ip",
"address google",
"safe browsing",
"hostname add",
"port",
"destination",
"pe32",
"intel",
"error",
"show",
"delphi",
"dcom",
"form",
"canvas",
"united kingdom",
"content type",
"security",
"moved",
"great britain",
"unknown a",
"body doctype",
"html public",
"ietfdtd html",
"showing",
"packing t1045",
"bytes",
"read",
"default",
"christoper p ahmann",
"target",
"victims",
"tsara brashears",
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"present nov",
"present oct",
"date",
"tcpmemhit",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"sha256",
"sha1",
"mitre att",
"pattern match",
"show technique",
"ck matrix",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"palantir",
"foundry",
"hitmen",
"quasi",
"government contracts",
"jeffrey reimer",
"hallrender",
"workers compensation",
"record value",
"certificate"
],
"references": [
"apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC",
"https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"bpc-old.palantirfoundry.com",
"OTX auto populated targeted groups.",
"You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists",
"Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint",
"Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support",
"Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.",
"They blatantly steal from citizens , blame foreign entities.",
"This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents."
],
"public": 1,
"adversary": "Lazarus",
"targeted_countries": [
"Bangladesh",
"Japan",
"United States of America"
],
"malware_families": [
{
"id": "ALF:SpikeAexR.PEVPSZL",
"display_name": "ALF:SpikeAexR.PEVPSZL",
"target": null
},
{
"id": "Ransom:MSIL/GandCrab",
"display_name": "Ransom:MSIL/GandCrab",
"target": "/malware/Ransom:MSIL/GandCrab"
},
{
"id": "Zeus",
"display_name": "Zeus",
"target": null
},
{
"id": "Ransom:Win32/Gandcrab.H!MTB",
"display_name": "Ransom:Win32/Gandcrab.H!MTB",
"target": "/malware/Ransom:Win32/Gandcrab.H!MTB"
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [
"Banks",
"Crypto",
"Entertainment",
"Bank"
],
"TLP": "white",
"cloned_from": "6910cafb096eae0dcb39a800",
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4572,
"FileHash-MD5": 196,
"domain": 1523,
"hostname": 1393,
"FileHash-SHA256": 2400,
"FileHash-SHA1": 175,
"email": 18,
"SSLCertFingerprint": 8
},
"indicator_count": 10285,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "130 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6892e73b32af18aa302df0dc",
"name": "Part 1.5",
"description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]",
"modified": "2025-09-05T04:03:06.929000",
"created": "2025-08-06T05:25:15.369000",
"tags": [
"chromeua",
"optout",
"object",
"path",
"value",
"access type",
"setval",
"windir",
"localappdata",
"null",
"win64",
"error",
"generator",
"close",
"roboto",
"date",
"format",
"light",
"span",
"template",
"void",
"android",
"body",
"trident",
"mexico",
"sonic",
"black",
"critical",
"desktop",
"dark",
"meta",
"this",
"june",
"hybrid",
"apache",
"write",
"crypto",
"autodetect",
"face",
"courier",
"gigi",
"impact",
"shadow",
"click",
"strings",
"cray",
"smwg",
"eret",
"footer",
"infinity",
"window",
"canvas",
"legend",
"nuke",
"lion",
"4629",
"ahav",
"olsa",
"false",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"defense evasion",
"t1480 execution",
"file defense",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"script",
"mitre att",
"pattern match",
"show technique",
"iframe",
"refresh",
"august",
"general",
"local",
"tools",
"demo",
"look",
"verify",
"restart",
"url http",
"small",
"pulses url",
"tellyoun",
"showing",
"entries",
"url https",
"indicator role",
"title added",
"active related",
"type indicator",
"role title",
"added active",
"related pulses",
"cc08",
"f06a6b",
"sfurl",
"filehashsha256",
"types",
"indicators show",
"search",
"pulses",
"filehashsha1",
"adversaries",
"found",
"webp image",
"ascii text",
"riff",
"size",
"encrypt",
"legacy",
"filehashmd5",
"united",
"flag",
"server",
"markmonitor",
"name server",
"llc name",
"overview dns",
"requests domain",
"country",
"win32",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"medium risk",
"yara",
"detections",
"malware",
"copy",
"show",
"icmp traffic",
"packing t1045",
"t1045",
"pdb path",
"pe resource",
"extraction",
"data upload",
"enter sc",
"type",
"extra data",
"please",
"failed",
"review",
"exclude data",
"included review",
"ic data",
"suggeste",
"stop",
"type onow",
"domain",
"passive dns",
"urls",
"files related",
"pulses none",
"related tags",
"none google",
"safe browsing",
"sc data",
"extr amanuav",
"review included",
"manualy",
"sugges excluded",
"filehash",
"md5 add",
"pulse pulses",
"url add",
"http",
"hostname",
"files domain",
"pulses otx",
"virustotal",
"hsmi192547107",
"pulses hostname",
"r dec",
"customer dec",
"iski dec",
"decision dec",
"va dec",
"bitcoin",
"bitcoin dec",
"petra",
"torstatus dec",
"paul dec",
"sodesc",
"planet dec",
"emilia",
"heroin dec",
"difference dec",
"palantir dec",
"loraxlive dec",
"chaturbate dec",
"sandra",
"free dec",
"marvel dec",
"benjis dec",
"fresh dec",
"sodesc dec",
"srdirport",
"srhostname",
"link dec",
"types of",
"italy",
"china",
"australia",
"france",
"turkey",
"discovery",
"information",
"ck ids",
"t1005",
"local system",
"t1007",
"system service",
"part",
"track",
"locate",
"political",
"civil society",
"news",
"created",
"hours ago",
"report spam",
"t1555",
"password",
"t1560",
"collected data",
"t1573",
"channel",
"t1574",
"execution flow",
"scan",
"iocs",
"t1497",
"u0lhmq",
"mtawmq",
"t1480",
"guardrails",
"t1486",
"data encrypted",
"learn more",
"unsubscribe aug",
"protocol",
"t1074",
"staged",
"t1083",
"t1102",
"web service",
"t1105",
"tool transfer",
"t1140",
"data engineer",
"candidate",
"tlsv1",
"odigicert inc",
"stcalifornia",
"lsan jose",
"oadobe systems",
"incorporated",
"cndigicert sha2",
"push",
"next",
"high",
"write c",
"ireland as16509",
"delete",
"dirty",
"tags",
"t1012",
"flow endpoint",
"security scan",
"t1106",
"copyright",
"levelblue"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1074",
"name": "Data Staged",
"display_name": "T1074 - Data Staged"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1120",
"name": "Peripheral Device Discovery",
"display_name": "T1120 - Peripheral Device Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1486",
"name": "Data Encrypted for Impact",
"display_name": "T1486 - Data Encrypted for Impact"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 608,
"FileHash-SHA1": 433,
"FileHash-SHA256": 3663,
"URL": 17104,
"domain": 1316,
"email": 39,
"hostname": 4208,
"SSLCertFingerprint": 17
},
"indicator_count": 27388,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "226 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "67f5555b6ce863d998e83e26",
"name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net",
"description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.",
"modified": "2025-05-11T19:03:59.885000",
"created": "2025-04-08T16:56:59.641000",
"tags": [
"generated from",
"do not",
"edit uri",
"urls",
"edit",
"rewriteengine",
"rewritecond",
"rewriterule",
"r301",
"xml2encalias",
"beralloct",
"berbvarrayadd",
"berbvarrayfree",
"berbvdup",
"berbvecadd",
"berbvecfree",
"berbvfree",
"berdump",
"berdup",
"berdupbv",
"laerrordomain",
"laerrornoncekey",
"lamechanismtree",
"lacontext",
"ladomainstate",
"laenvironment",
"lanotification",
"laprivatekey",
"lapublickey",
"laright",
"apple swift",
"o librarylevel",
"combine import",
"foundation",
"swift import",
"mcpeerid",
"mcsession",
"property",
"copyright",
"protocol",
"class",
"bonjour",
"ascii lowercase",
"abc company",
"section",
"bonjour txt",
"note",
"ui element",
"utf8 encoding",
"nscopying",
"nsdictionary",
"nsstring",
"mcextern",
"attribute",
"mcextern extern",
"mcexternweak",
"nsenum",
"nsinteger",
"mcerrorcode",
"mcerrorunknown",
"mcerrortimedout",
"peer",
"example",
"bonjour apis",
"stop",
"tags",
"session",
"nsprogress",
"nserror",
"nsurl",
"nsarray",
"create",
"nsuinteger",
"notifies",
"mcsession api",
"interface",
"dbictrace",
"dbivporth",
"dbictracelevel",
"dbdtffoo",
"dbihseterrchar",
"dbicstate",
"dbictraceflags",
"provides macros",
"dbi release",
"only",
"sqlsuccess",
"odbc",
"sqlok",
"tim bunce",
"england",
"sql cli",
"sql datatype",
"sqlguid",
"sqlwlongvarchar",
"main",
"beware",
"sv sth",
"sv dbh",
"impsth",
"impdbh",
"sv keysv",
"sv params",
"sv attr",
"sv attribs",
"sv drh",
"void",
"fri jul",
"mixed",
"dbixsrevision",
"plsvundef",
"license",
"spagain",
"perlioprintf",
"dbiclogpio",
"putback",
"ireland",
"gnu general",
"super",
"magic",
"dbicflags",
"dbis",
"svrv",
"null",
"imp2com",
"dbicactivekids",
"dbicfiadestroy",
"sv h",
"dbicdbistate",
"code",
"copy",
"refer",
"trace",
"error",
"unknown",
"hookopcheckh",
"startexternc",
"hookopcheckcb",
"userdata",
"endexternc",
"isinternalbuild",
"kickmcxdforuid",
"loadappkit",
"ardconfig",
"authenticator",
"dsauthenticator",
"dsnode",
"dsrecord",
"group",
"hostconfig",
"apfsvolumelock",
"apfsvolumerole",
"aoskgetosinfo",
"aoskgetuserinfo",
"aosaddappleid",
"aosdisablepcs",
"aosenablepcs",
"aoslog",
"aoslogforce",
"aosrelaycookie",
"didfailcallback",
"kaosaccountkey",
"kapcsbundle",
"kapcspath",
"kjsonextension",
"apcsbucketid",
"apcsreports",
"apconfiguration",
"apversiondata",
"apversionhelper",
"systemvolumesvm",
"name size",
"identifier",
"gb disk0s3",
"devdisk3",
"apfs container",
"scheme",
"physical store",
"macintosh hd",
"apfs snapshot",
"preboot",
"refs address",
"size wired",
"name",
"version",
"uuid",
"linked against",
"renderer",
"helper",
"chrome helper",
"contains",
"cloud ui",
"macintosh",
"khtml",
"gecko",
"ui helper",
"plugin",
"service",
"good",
"battery power",
"apfs encryption",
"jumpcloud go",
"chrome web",
"store",
"privacy badger",
"flowcrypt",
"encrypt gmail",
"simple",
"google",
"b2b phone",
"number",
"apollo",
"future",
"exccrash",
"sigkill",
"code signature",
"invalid",
"sigabrt",
"protonvpn",
"excguard",
"excbreakpoint",
"sigtrap",
"excbadaccess",
"appl",
"english",
"adobe crash",
"adobe",
"acrobat dcadobe",
"processor",
"uninstaller",
"assistant",
"install",
"cloud",
"dock",
"calendar",
"music",
"terminal",
"tips",
"installer",
"updater",
"proton",
"tools",
"stub",
"python",
"clock",
"powershell",
"team",
"rave scout",
"cookies",
"public folder",
"key cert",
"sign",
"crl sign",
"root ca",
"authority",
"public primary",
"global root",
"verisign",
"academic",
"premium",
"adaptive",
"interactive",
"background",
"standard",
"launchd sandbox",
"s mdworker",
"agent",
"command line",
"progress",
"yubico",
"macos13action",
"disableoverride",
"disableairdrop",
"denyactivation",
"enable",
"loginwindowtext",
"jumpcloud",
"autoupdate",
"loggingoption",
"enablefirewall",
"arm64e",
"apple m2",
"mac142",
"kjqqtw7pqt",
"daemon",
"server",
"open directory",
"user",
"account",
"kerberos admin",
"kerberos change",
"device daemon",
"network",
"desktop",
"screensaver",
"bridge",
"aesxtsarm",
"aesecbarm",
"sha512vngarmhw",
"sha384vngarmhw",
"sha256vngarm",
"sha1vngarm",
"darwin kernel",
"wed mar",
"wkarraycreate",
"wkbooleancreate",
"wkcontextcreate",
"wkdatacreate",
"wkdatagettypeid",
"wkdoublecreate",
"wkframecopyurl",
"wkgettypeid",
"wkimagecreate",
"wkpagecandelete",
"webview",
"notice",
"this software",
"including",
"but not",
"limited to",
"redistribution",
"is provided",
"by apple",
"direct",
"damage",
"apiavailable",
"webkit",
"nsswiftname",
"document",
"a block",
"as is",
"hasinclude",
"wkdownload",
"abstract",
"wkerrorcode",
"wkerrorunknown",
"discussion",
"bool",
"whether",
"wkcontentworld",
"wkwebview",
"javascript",
"nsunavailable",
"vaargs",
"nsswiftasync",
"wkswiftasync",
"wkcookiepolicy",
"wkswiftuiactor",
"nshttpcookie",
"targetosiphone",
"wknavigation",
"decides",
"boolean value",
"apideprecated",
"methodkind",
"wkerrordomain",
"wkscriptmessage",
"promise",
"fulfill",
"const",
"url scheme",
"mark",
"wkuserscript",
"targetosvision",
"param",
"wkframeinfo",
"targetosios",
"pass",
"window",
"mime type",
"link",
"nsimage",
"returns",
"nsset",
"checks",
"matches",
"a boolean",
"defaults",
"wkwebextension",
"cgsize",
"uiimage",
"apis",
"nsdate",
"wkcontentmode",
"wkextern",
"possible",
"cgfloat",
"media",
"cgrect",
"apiunavailable",
"framework",
"nsswiftuiactor",
"targetoswatch",
"confirms",
"apple upgrade",
"nsstring user",
"nsobject",
"provider",
"apple",
"password",
"uicontrol",
"nscontrol",
"asuseragerange",
"check",
"opaque user",
"apple id",
"initiate",
"asauthorization",
"operation",
"state",
"nserrorenum",
"nsdata",
"relying party",
"asapiavailable",
"perform",
"realm",
"http response",
"authorization",
"http",
"oauth",
"saml",
"a byte",
"nsdata userid",
"relying",
"a string",
"nsdata readdata",
"bool didwrite",
"a cose",
"nsdata first",
"nsdata second",
"nsstring name",
"bool appid",
"targetosxr",
"nsstring appid",
"bluetooth",
"mdm profile",
"nsurl url",
"returns yes",
"a state",
"a json",
"web token",
"private seckeys",
"enables",
"keychain",
"asswiftsendable",
"cose algorithm",
"ecdsa",
"sha256",
"cose curve",
"p256",
"nullable",
"bool success",
"remove",
"call",
"complete",
"initializes",
"time code",
"extensions",
"asextern extern",
"asextern",
"nsswiftsendable",
"prepare",
"list",
"nsextension",
"attempt",
"nsstring label",
"creates",
"nsstring code",
"a key",
"webauthn",
"nssecurecoding",
"input",
"output",
"initialize",
"nsinteger rank",
"json",
"inputs",
"hash",
"nsstring origin",
"settings app",
"extension",
"https urls",
"safari",
"cancel",
"nsuuid uuid",
"r uftpexu",
"nsmutabledata",
"vnsdate",
"mprcjy",
"postfix",
"domain",
"canonical",
"tables",
"ldap",
"post",
"replace user",
"address",
"wietse venema",
"bugs",
"mail",
"aliases",
"postfix version",
"restrict",
"sample",
"person",
"basic system",
"general",
"reject empty",
"postfix smtp",
"ipv6 host",
"reject",
"reply",
"access",
"prior",
"hold",
"info",
"mail delivery",
"charset",
"system",
"report",
"postfix dsn",
"mail returned",
"this",
"generic",
"smtp",
"isp mail",
"mime",
"headerchecks",
"readme files",
"filters while",
"posix",
"empty",
"body",
"write",
"date",
"smtp server",
"specify",
"mx host",
"unix password",
"user unknown",
"pathbin",
"postfix queue",
"unix",
"cyrus",
"path",
"uucp",
"shell",
"local",
"program",
"agreement",
"contributor",
"recipient",
"contribution",
"the program",
"corporation",
"contributors",
"product x",
"as expressly",
"arch",
"arch x8664",
"pipe wall",
"wimplicit",
"ranlib",
"warn",
"switch",
"start",
"systype",
"outlook",
"postfix master",
"begin",
"server admin",
"mail backend",
"modern smtp",
"iana",
"many",
"postfix pipe",
"recent cyrus",
"amos gouaux",
"old example",
"or even",
"lutz jaenicke",
"technology",
"cottbus",
"germany",
"openssl package",
"openssl project",
"europe",
"remember that",
"use of",
"file",
"update",
"usrsbin",
"file format",
"no group",
"daemondirectory",
"deliver mail",
"transport",
"description",
"result format",
"virtual",
"virtual alias",
"redirect mail",
"relocated",
"matches user",
"synopsis",
"lastname",
"firstname",
"apple computer",
"tcpip",
"supported",
"quantum",
"facility",
"level",
"level info",
"broadcast",
"ignore",
"rules",
"sender",
"automounter map",
"use directory",
"get home",
"home autohome",
"true",
"t option",
"mount",
"force",
"environment",
"automountdenv",
"promptcommand",
"shellsessiondir",
"histfile",
"histfilesize",
"myvar",
"histtimeformat",
"arrange",
"bashrematch",
"tell",
"ps1h",
"make bash",
"s checkwinsize",
"etcbashrc",
"termprogram",
"inpck",
"nnnbaud",
"berkeley",
"parity",
"pc entry",
"pass8",
"parenb istrip",
"fixed speed",
"entry",
"clocal mode",
"maxhistsize",
"promptmode",
"verbose end",
"etcirbrcloaded",
"default",
"setup",
"history file",
"kernel",
"readline",
"jabber",
"group database",
"dovecot",
"postfix scsd",
"networkd",
"searchpaths",
"freebsd",
"tmpdir",
"fcodes",
"prunepaths",
"vartmp",
"prunedirs",
"filesystems",
"nroff",
"manpath",
"uncomment",
"manpager",
"whatispager",
"manlocale",
"every",
"manpath optman",
"maybe",
"troff",
"status mailfrom",
"returnpath via",
"pidfile",
"flags",
"bcgjnuwz",
"bin usrsbin",
"sbin",
"default pf",
"care",
"audio",
"user database",
"unix copy",
"gate daemon",
"bashno",
"r etcbashrc",
"rfc1323",
"m1460",
"macos x",
"signature",
"linux",
"opera",
"xp sp1",
"windows sp1",
"nmap syn",
"m265",
"synack",
"mind",
"macos",
"warp",
"ipv6",
"internet",
"icmp",
"cisco",
"monitoring",
"argus",
"chaos",
"rsvp",
"encapsulation",
"aris",
"isis",
"netbootmount",
"netbootshadow",
"computername",
"localonly",
"localnetbootdir",
"netboot",
"define",
"purpose",
"networkonly",
"waiting",
"networkup",
"term",
"devnull",
"common setup",
"configure",
"set command",
"dns hostname",
"dns query",
"see also",
"kame",
"sunnet manager",
"rpcsrc",
"netlicense",
"ftpd",
"bindash binksh",
"binsh bintcsh",
"jumpcloud ldap",
"smb2",
"security",
"workgroup",
"standalone",
"samba server",
"enforce",
"smb3",
"example share",
"improper use",
"ctrlc",
"none",
"fax reception",
"hardwired",
"0007",
"must",
"visudo",
"blocksize",
"charset lang",
"language lcall",
"lines columns",
"lscolors",
"sshauthsock",
"orion",
"setup user",
"home",
"zdotdir",
"delete",
"beep",
"vendor",
"kf10",
"kf11",
"kf12",
"kf13",
"backspace",
"insert",
"resume",
"termsessionid",
"savehist",
"sharehistory",
"h do",
"volume",
"de l",
"l uuid",
"m tra",
"n est",
"suuid",
"prfen",
"fusion",
"syst",
"look",
"executant",
"alla",
"over",
"test",
"overie",
"zapis",
"rapid",
"disco usa",
"de macos",
"nie s",
"i denne",
"adgjmpsvx",
"diskgthis disk",
"01k8x j",
"34disk",
"levy kytt",
"dict",
"array",
"plist",
"apple root",
"code signing",
"inode64r",
"xofkoxzh",
"integer",
"doctype",
"brain",
"abcd",
"ogwo",
"boaw",
"cobwa",
"uhawavauatsh",
"ip bitmap",
"foewdc",
"could",
"ip block",
"funcs",
"cogwo",
"trash",
"double",
"hunt",
"affa",
"carr",
"crypto",
"docwbac",
"q1b0",
"q1 0",
"h h5",
"docwbag",
"slice",
"format",
"zero",
"alfa",
"hera",
"lelei",
"hehe",
"hisp",
"fail",
"katy",
"zakk",
"eodwcbgao",
"hhk8di",
"alma",
"topo",
"open",
"huhk",
"piper",
"hehx",
"eh ui",
"h20hph",
"hif h",
"hmhhihqhyla hq",
"r11b0",
"target",
"uus10u",
"hifh",
"loghookfailed",
"loghook",
"hell",
"q1b 0",
"f duh",
"aqw1",
"1160"
],
"references": [
"index.html.en",
"bind.html",
"caching.html",
"BUILDING",
"configuring.html",
"content-negotiation.html",
"custom-error.html",
"convenience.map",
"LDAP.tbd",
"lber.h",
"ldap.h",
"LocalAuthentication.tbd",
"arm64e-apple-macos.swiftinterface",
"x86_64-apple-ios-macabi.swiftinterface",
"arm64e-apple-ios-macabi.swiftinterface",
"x86_64-apple-macos.swiftinterface",
"MultipeerConnectivity.tbd",
"module.modulemap",
"MCNearbyServiceAdvertiser.h",
"MCPeerID.h",
"MCError.h",
"MCNearbyServiceBrowser.h",
"MCAdvertiserAssistant.h",
"MultipeerConnectivity.apinotes",
"MultipeerConnectivity.h",
"MCSession.h",
"MCBrowserViewController.h",
"dbivport.h",
"dbi_sql.h",
"dbd_xsh.h",
"dbixs_rev.h",
"Driver_xst.h",
"DBIXS.h",
"hook_op_check.h",
"Admin.tbd",
"AirPlayReceiver.tbd",
"apfs_boot_mount.tbd",
"AOSKit.tbd",
"APConfigurationSystem.tbd",
"AppleFirmwareUpdate.tbd",
"launchdaemons.txt",
"preboot_archive_errors.log",
"mounts.txt",
"launchagents.txt",
"disk_structure.txt",
"user_launchagents.txt",
"security_status.txt",
"kexts.txt",
"process_list.txt",
"battery.csv",
"diskEncryption.csv",
"chromeExtensions.csv",
"crashes.csv",
"interfaceAddrs.csv",
"kernel.csv",
"interfaceDetails.csv",
"etcHosts.csv",
"applications.csv",
"mounts.csv",
"sharedFolders.csv",
"certificates.csv",
"sharingPreferences.csv",
"launchD.csv",
"usbDevices.csv",
"managedPolicies.csv",
"systemInfo.csv",
"users.csv",
"sipConfig.csv",
"systemControls.csv",
"canonical",
"aliases",
"custom_header_checks",
"access",
"bounce.cf.default",
"generic",
"header_checks",
"main.cf.default",
"LICENSE",
"makedefs.out",
"main.cf",
"master.cf.default",
"main.cf.proto",
"master.cf.proto",
"master.cf",
"TLS_LICENSE",
"postfix-files",
"transport",
"virtual",
"relocated",
"afpovertcp.cfg",
"asl.conf",
"auto_home",
"auto_master",
"autofs.conf",
"bashrc_Apple_Terminal",
"com.apple.screensharing.agent.launchd",
"bashrc",
"command_args.json",
"csh.cshrc",
"csh.login",
"find.codes",
"csh.logout",
"ftpusers",
"gettytab",
"irbrc",
"kern_loader.conf",
"group",
"locate.rc",
"man.conf",
"mail.rc",
"manpaths",
"networks",
"nfs.conf",
"newsyslog.conf",
"ntp_opendirectory.conf",
"ntp.conf",
"notify.conf",
"paths",
"pf.conf",
"passwd",
"profile",
"pf.os",
"protocols",
"rc.netboot",
"rc.common",
"rmtab",
"resolv.conf",
"rtadvd.conf",
"rpc",
"shells",
"smb.conf",
"sudo_lecture",
"ttys",
"syslog.conf",
"xtab",
"sudoers",
"zprofile",
"zshrc",
"zshrc_Apple_Terminal",
"CodeResources",
"version.plist",
"Info.plist"
],
"public": 1,
"adversary": "DragonForce Malaysia Hacker Group",
"targeted_countries": [],
"malware_families": [
{
"id": "Lastname",
"display_name": "Lastname",
"target": null
},
{
"id": "Firstname",
"display_name": "Firstname",
"target": null
}
],
"attack_ids": [
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 66,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "ilyailya",
"id": "298851",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 4449,
"domain": 3847,
"URL": 14263,
"FileHash-SHA256": 2356,
"FileHash-MD5": 223,
"FileHash-SHA1": 523,
"email": 223,
"CVE": 40,
"CIDR": 12,
"SSLCertFingerprint": 302
},
"indicator_count": 26238,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 35,
"modified_text": "342 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6768cd2fdfe372564f3b3345",
"name": "Jane Doe is Targeted by DragonForce.io",
"description": "Apple has released details of a virus that can be traced to a server in the US, but which has not yet been identified or detected.. and the full list of details has been revealed.",
"modified": "2025-02-21T00:58:00.403000",
"created": "2024-12-23T02:38:39.269000",
"tags": [
"summary",
"engine version",
"mb data",
"start date",
"movies",
"pictures",
"export",
"ipv6s",
"importcsv",
"psobject",
"filehashwl",
"notin",
"select",
"date",
"write"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "ilyailya",
"id": "298851",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 18,
"URL": 166,
"hostname": 34,
"FileHash-SHA256": 143,
"FileHash-MD5": 20,
"FileHash-SHA1": 20
},
"indicator_count": 401,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 31,
"modified_text": "422 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6523344e4adc85389899504c",
"name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]",
"description": "",
"modified": "2024-10-13T03:00:28.081000",
"created": "2023-10-08T22:59:26.040000",
"tags": [
"united",
"contacted urls",
"whois record",
"contacted",
"malicious site",
"malware",
"phishing site",
"anonymizer",
"heur",
"control server",
"facebook",
"cobalt strike",
"execution",
"installcore",
"phishing",
"service",
"core",
"metro",
"icmp",
"hacktool",
"download",
"relic",
"monitoring",
"installer",
"steam",
"bank",
"dnspionage",
"crack",
"unsafe",
"ramnit",
"emotet",
"malware site",
"proxy",
"exploit",
"fakealert",
"team",
"redline stealer",
"laplasclipper",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"alexa",
"downloader",
"opencandy",
"generic",
"presenoker",
"maltiverse",
"trojanspy",
"date",
"unknown",
"windir",
"markmonitor",
"name server",
"av detection",
"september",
"default browser",
"guest system",
"hybrid",
"general",
"click",
"strings",
"class",
"critical",
"blacklist",
"union",
"Embarcadero Delphi",
"whois whois",
"referrer",
"ssl certificate",
"communicating",
"resolutions",
"parent parent",
"dropped",
"stealer",
"banker",
"keylogger",
"attack",
"apple",
"detection list",
"ip address",
"netsky",
"firehol proxy",
"noname057",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"FireHol",
"Proxy",
"Pexee",
"Bank of America Corporation Malware Download",
"CVE-2017-11882",
"Alexa SANS Internet Storm Center",
"MCI Verizon Block",
"NaN"
],
"references": [
"http://ww1.tsx.org/_fd",
"https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)",
"Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)",
"http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)",
"http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)",
"http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)",
"Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)",
"https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)",
"firebaseremoteconfig.googleapis.com (remote hacking)",
"remote.telegrafix.com (remote hacking)",
"fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d",
"remote.haverhillcc.com (remote hacking)",
"http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml",
"http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409",
"http://init-p01st.push.apple.com/bag (remote hacking)",
"https://support.apple.com/en-us/HT201265. Targets (iOS ID)",
"apple.com. (malicious version/header)",
"https://www.apple.com/sitemap/",
"https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)",
"http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409",
"init.ess.apple.com (remote hacking)",
"applepaydayloans.com",
"www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)",
"https://applepaydayloans.com/",
"https://sinister.ly/Thread-Apple-empty-box?page=13",
"7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)",
"https://support.Apple.com/de",
"http://www.Apple.com/quicktime/download",
"http://www.Apple.com/quicktime/download/standalone.html",
"https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05",
"https://www.roseoubleu.fr/panier (phishing)",
"Roksit.net",
"stagelight.pl (malicious/ pattern match)",
"www.jamesbgriffinlaw.com (malicious host)",
"Data Analytics",
"Behavior Pattern Match Analysis",
"45.159.189.105 (Command and Control)",
"http://45.159.189.105/bot/regex (Bot Command)",
"151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21",
"AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server",
"DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data",
"(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "TEL:Delphi/Obfuscator",
"display_name": "TEL:Delphi/Obfuscator",
"target": "/malware/TEL:Delphi/Obfuscator"
},
{
"id": "LaplasClipper",
"display_name": "LaplasClipper",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
"display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
"target": null
},
{
"id": "SLFPER:InstallCore",
"display_name": "SLFPER:InstallCore",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "ALF:Program:OpenCandy:Remnant",
"display_name": "ALF:Program:OpenCandy:Remnant",
"target": null
},
{
"id": "Ramnit",
"display_name": "Ramnit",
"target": null
},
{
"id": "Relic",
"display_name": "Relic",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "generic.malware",
"display_name": "generic.malware",
"target": null
},
{
"id": "Anonymizer",
"display_name": "Anonymizer",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/Mimikatz",
"display_name": "#HSTR:HackTool:Win32/Mimikatz",
"target": null
},
{
"id": "PWS:MSIL/Steam",
"display_name": "PWS:MSIL/Steam",
"target": "/malware/PWS:MSIL/Steam"
},
{
"id": "Trojan.HTML.Agent",
"display_name": "Trojan.HTML.Agent",
"target": null
},
{
"id": "Gen:Variant.Zusy",
"display_name": "Gen:Variant.Zusy",
"target": null
},
{
"id": "Worm:Win32/Netsky",
"display_name": "Worm:Win32/Netsky",
"target": "/malware/Worm:Win32/Netsky"
},
{
"id": "Sodin Ransomware",
"display_name": "Sodin Ransomware",
"target": null
},
{
"id": "Keyloggers",
"display_name": "Keyloggers",
"target": null
},
{
"id": "Proxy",
"display_name": "Proxy",
"target": null
},
{
"id": "TEL:Trojan:Win32/Emotet",
"display_name": "TEL:Trojan:Win32/Emotet",
"target": null
},
{
"id": "Cobalt Strike - S0154",
"display_name": "Cobalt Strike - S0154",
"target": null
},
{
"id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat",
"display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat",
"target": null
},
{
"id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar",
"display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar",
"target": null
},
{
"id": "AdwareSig [Adw] ml.Generic",
"display_name": "AdwareSig [Adw] ml.Generic",
"target": null
},
{
"id": "W32.Hack.Generic",
"display_name": "W32.Hack.Generic",
"target": null
},
{
"id": "Trojan.Ole2.Vbs",
"display_name": "Trojan.Ole2.Vbs",
"target": null
},
{
"id": "QVM20.1.8D80.Malware",
"display_name": "QVM20.1.8D80.Malware",
"target": null
},
{
"id": "Generic.Malware",
"display_name": "Generic.Malware",
"target": null
},
{
"id": "Backdoor.Mokes",
"display_name": "Backdoor.Mokes",
"target": null
},
{
"id": "AdWare.DropWare",
"display_name": "AdWare.DropWare",
"target": null
},
{
"id": "Gen:Variant.Razy",
"display_name": "Gen:Variant.Razy",
"target": null
},
{
"id": "Generic.31fcc75f",
"display_name": "Generic.31fcc75f",
"target": null
},
{
"id": "Trojan.Generic",
"display_name": "Trojan.Generic",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "malware.generic",
"display_name": "malware.generic",
"target": null
},
{
"id": "Gen:Variant.Bulz",
"display_name": "Gen:Variant.Bulz",
"target": null
},
{
"id": "GameHack.DR",
"display_name": "GameHack.DR",
"target": null
},
{
"id": "Dropper.Binder",
"display_name": "Dropper.Binder",
"target": null
},
{
"id": "malicious.22a4c0",
"display_name": "malicious.22a4c0",
"target": null
},
{
"id": "SdBot.CAOC",
"display_name": "SdBot.CAOC",
"target": null
},
{
"id": "ml.Generic",
"display_name": "ml.Generic",
"target": null
},
{
"id": "Trojan.Ransom.GenericKD",
"display_name": "Trojan.Ransom.GenericKD",
"target": null
},
{
"id": "Phish.AB",
"display_name": "Phish.AB",
"target": null
},
{
"id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea",
"display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6506b48d699080b4bfd334c5",
"export_count": 74,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 7761,
"CVE": 6,
"FileHash-MD5": 285,
"FileHash-SHA1": 165,
"FileHash-SHA256": 5059,
"domain": 987,
"hostname": 2399
},
"indicator_count": 16662,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "553 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b5cbbbcb7a479db222f053",
"name": "NSO Group Pegasus spyware used nefariously",
"description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.",
"modified": "2024-03-27T00:05:34.925000",
"created": "2024-01-28T03:36:27.745000",
"tags": [
"whois record",
"ssl certificate",
"threat roundup",
"october",
"august",
"september",
"november",
"april",
"march",
"tsara brashears",
"copy",
"execution",
"metro",
"awful",
"attack",
"quasar",
"malicious",
"crypto",
"contact",
"contacted",
"pe resource",
"communicating",
"pegasus",
"bundled",
"historical ssl",
"cellbrite",
"core",
"startpage",
"ursnif",
"amadey",
"probe",
"targets sa",
"survivor",
"referrer",
"whois whois",
"whois ssl",
"apple",
"status",
"creation date",
"passive dns",
"urls",
"search",
"expiration date",
"name servers",
"scan endpoints",
"all octoseek",
"pulse submit",
"date",
"next",
"et exploit",
"probe ms17010",
"smbds ipc",
"show",
"service",
"entries",
"msf style",
"generic flags",
"pe32",
"exploit",
"malware",
"dock",
"push",
"write",
"win32",
"eternalblue",
"playgame",
"bitcoin",
"virgin islands",
"as19905",
"record value",
"unknown",
"body",
"meta",
"error",
"united",
"as7922 comcast",
"x ua",
"ipv4",
"pulse pulses",
"files",
"moved",
"title",
"gmt content",
"cookie",
"as15169 google",
"mtb jan",
"otx telemetry",
"query",
"trojan",
"msr jan",
"as29580 a1",
"domain",
"showing",
"as8866",
"cellebrite",
"aaaa",
"russia unknown",
"dnssec",
"nxdomain",
"a domains",
"download",
"accept",
"url https",
"http",
"ip address",
"related nids",
"files location",
"ios",
"ireland",
"servers",
"as4808 china",
"china",
"reverse dns",
"asnone united",
"as54113",
"cname",
"domain name",
"emails",
"as23724",
"as4812 china",
"win32mydoom jan",
"ransom",
"worm",
"browse scan",
"endpoints all",
"login",
"sign up",
"cellebrite",
"algorithm",
"data",
"v3 serial",
"number",
"cus cnr3",
"olet",
"subject public",
"key info",
"key algorithm",
"ec oid",
"server",
"domain status",
"registrar abuse",
"whois lookup",
"contact email",
"contact phone",
"popularity",
"rank position",
"ingestion time",
"cisco umbrella",
"record type",
"ttl value",
"sa victim",
"assaulter",
"privilege https",
"tulach"
],
"references": [
"enterprise.cellebrite.com [ digitalclues.com]",
"http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS",
"https://tulach.cc/ [malware engineering | phishing]",
"deviceinbox.com [malware hosting]",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu",
"https://timersys.com/ [ phishing | deb opera.com]",
"https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]",
"message.htm.com [ message stealer]",
"https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]",
"https://www.nsogroup.com",
"https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]",
"https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]",
"https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]",
"Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]",
"https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf",
"https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]",
"training001.blackbagtech.com [opportunity?]",
"https://otx.alienvault.com/indicator/hostname/apptree.comcast.net",
"nr-data.net [Apple Private Data Collection] data.net points to aps.net",
"Tracking: 8.8.4.4 [ NOT a false.positive]",
"https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b",
"Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Netherlands",
"Germany",
"Virgin Islands, British"
],
"malware_families": [
{
"id": "Amadey",
"display_name": "Amadey",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Backdoor:Win32/Mydoom",
"display_name": "Backdoor:Win32/Mydoom",
"target": "/malware/Backdoor:Win32/Mydoom"
},
{
"id": "ETERNALBLUE",
"display_name": "ETERNALBLUE",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
}
],
"industries": [
"Civil Society",
"Healthcare"
],
"TLP": "green",
"cloned_from": null,
"export_count": 31,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 4226,
"URL": 9996,
"FileHash-MD5": 241,
"FileHash-SHA1": 235,
"FileHash-SHA256": 6882,
"hostname": 4402,
"CVE": 2,
"email": 13,
"BitcoinAddress": 3
},
"indicator_count": 26000,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "753 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b5cbadc21b9891c459b9d2",
"name": "NSO Group Pegasus spyware used nefariously",
"description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.",
"modified": "2024-03-27T00:05:34.925000",
"created": "2024-01-28T03:36:13.975000",
"tags": [
"whois record",
"ssl certificate",
"threat roundup",
"october",
"august",
"september",
"november",
"april",
"march",
"tsara brashears",
"copy",
"execution",
"metro",
"awful",
"attack",
"quasar",
"malicious",
"crypto",
"contact",
"contacted",
"pe resource",
"communicating",
"pegasus",
"bundled",
"historical ssl",
"cellbrite",
"core",
"startpage",
"ursnif",
"amadey",
"probe",
"targets sa",
"survivor",
"referrer",
"whois whois",
"whois ssl",
"apple",
"status",
"creation date",
"passive dns",
"urls",
"search",
"expiration date",
"name servers",
"scan endpoints",
"all octoseek",
"pulse submit",
"date",
"next",
"et exploit",
"probe ms17010",
"smbds ipc",
"show",
"service",
"entries",
"msf style",
"generic flags",
"pe32",
"exploit",
"malware",
"dock",
"push",
"write",
"win32",
"eternalblue",
"playgame",
"bitcoin",
"virgin islands",
"as19905",
"record value",
"unknown",
"body",
"meta",
"error",
"united",
"as7922 comcast",
"x ua",
"ipv4",
"pulse pulses",
"files",
"moved",
"title",
"gmt content",
"cookie",
"as15169 google",
"mtb jan",
"otx telemetry",
"query",
"trojan",
"msr jan",
"as29580 a1",
"domain",
"showing",
"as8866",
"cellebrite",
"aaaa",
"russia unknown",
"dnssec",
"nxdomain",
"a domains",
"download",
"accept",
"url https",
"http",
"ip address",
"related nids",
"files location",
"ios",
"ireland",
"servers",
"as4808 china",
"china",
"reverse dns",
"asnone united",
"as54113",
"cname",
"domain name",
"emails",
"as23724",
"as4812 china",
"win32mydoom jan",
"ransom",
"worm",
"browse scan",
"endpoints all",
"login",
"sign up",
"cellebrite",
"algorithm",
"data",
"v3 serial",
"number",
"cus cnr3",
"olet",
"subject public",
"key info",
"key algorithm",
"ec oid",
"server",
"domain status",
"registrar abuse",
"whois lookup",
"contact email",
"contact phone",
"popularity",
"rank position",
"ingestion time",
"cisco umbrella",
"record type",
"ttl value",
"sa victim",
"assaulter",
"privilege https",
"tulach"
],
"references": [
"enterprise.cellebrite.com [ digitalclues.com]",
"http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS",
"https://tulach.cc/ [malware engineering | phishing]",
"deviceinbox.com [malware hosting]",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu",
"https://timersys.com/ [ phishing | deb opera.com]",
"https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]",
"message.htm.com [ message stealer]",
"https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]",
"https://www.nsogroup.com",
"https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]",
"https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]",
"https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]",
"Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]",
"https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf",
"https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]",
"training001.blackbagtech.com [opportunity?]",
"https://otx.alienvault.com/indicator/hostname/apptree.comcast.net",
"nr-data.net [Apple Private Data Collection] data.net points to aps.net",
"Tracking: 8.8.4.4 [ NOT a false.positive]",
"https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b",
"Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Netherlands",
"Germany",
"Virgin Islands, British"
],
"malware_families": [
{
"id": "Amadey",
"display_name": "Amadey",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Backdoor:Win32/Mydoom",
"display_name": "Backdoor:Win32/Mydoom",
"target": "/malware/Backdoor:Win32/Mydoom"
},
{
"id": "ETERNALBLUE",
"display_name": "ETERNALBLUE",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
}
],
"industries": [
"Civil Society",
"Healthcare"
],
"TLP": "green",
"cloned_from": null,
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 4226,
"URL": 9995,
"FileHash-MD5": 241,
"FileHash-SHA1": 235,
"FileHash-SHA256": 6882,
"hostname": 4402,
"CVE": 2,
"email": 13,
"BitcoinAddress": 3
},
"indicator_count": 25999,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "753 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b5c5ebba25ca46fc5b36bc",
"name": "NSO Group Pegasus spyware found attack a US citizen. Silencing",
"description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\n\u2022NSO Group develops best-in-class technology to help government agencies detect and prevent terrorism and crime.\n\u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. \nNon terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.",
"modified": "2024-03-27T00:05:34.925000",
"created": "2024-01-28T03:11:39.752000",
"tags": [
"whois record",
"ssl certificate",
"threat roundup",
"october",
"august",
"september",
"november",
"april",
"march",
"tsara brashears",
"copy",
"execution",
"metro",
"awful",
"attack",
"quasar",
"malicious",
"crypto",
"contact",
"contacted",
"pe resource",
"communicating",
"pegasus",
"bundled",
"historical ssl",
"cellbrite",
"core",
"startpage",
"ursnif",
"amadey",
"probe",
"targets sa",
"survivor",
"referrer",
"whois whois",
"whois ssl",
"apple",
"status",
"creation date",
"passive dns",
"urls",
"search",
"expiration date",
"name servers",
"scan endpoints",
"all octoseek",
"pulse submit",
"date",
"next",
"et exploit",
"probe ms17010",
"smbds ipc",
"show",
"service",
"entries",
"msf style",
"generic flags",
"pe32",
"exploit",
"malware",
"dock",
"push",
"write",
"win32",
"eternalblue",
"playgame",
"bitcoin",
"virgin islands",
"as19905",
"record value",
"unknown",
"body",
"meta",
"error",
"united",
"as7922 comcast",
"x ua",
"ipv4",
"pulse pulses",
"files",
"moved",
"title",
"gmt content",
"cookie",
"as15169 google",
"mtb jan",
"otx telemetry",
"query",
"trojan",
"msr jan",
"as29580 a1",
"domain",
"showing",
"as8866",
"cellebrite",
"aaaa",
"russia unknown",
"dnssec",
"nxdomain",
"a domains",
"download",
"accept",
"url https",
"http",
"ip address",
"related nids",
"files location",
"ios",
"ireland",
"servers",
"msie",
"chrome",
"certificate",
"hostname",
"url analysis",
"http response",
"final url",
"status code",
"body length",
"b body",
"sha256",
"headers date",
"connection",
"date sat",
"html info",
"forbidden",
"google tag",
"utc aw741566034",
"utc redirection",
"asnone united",
"as54113",
"cname",
"script urls",
"as19527 google",
"as35280 acorus",
"encrypt",
"reverse dns",
"location dublin",
"domain name",
"emails",
"as23724",
"as4812 china",
"china",
"win32mydoom jan",
"ransom",
"worm",
"as4808 china",
"browse scan",
"endpoints all",
"login",
"sign up",
"tulach",
"c-67-181-73-197.hsd1.ca.comcast.net",
"social engineering",
"contact made by mark brian sabey",
"contact made by o'dea",
"benjamin c"
],
"references": [
"enterprise.cellebrite.com [ digitalclues.com]",
"http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS",
"https://tulach.cc/ [malware engineering | phishing]",
"deviceinbox.com [malware hosting]",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu",
"https://timersys.com/ [ phishing | deb opera.com]",
"https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]",
"message.htm.com [ message stealer]",
"https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]",
"https://www.nsogroup.com",
"https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]",
"https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]",
"https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]",
"Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]",
"https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf",
"https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]",
"training001.blackbagtech.com [opportunity?]",
"https://otx.alienvault.com/indicator/hostname/apptree.comcast.net",
"nr-data.net [Apple Private Data Collection] data.net points to aps.net",
"Tracking: 8.8.4.4 [ NOT a false.positive]",
"https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b",
"Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net"
],
"public": 1,
"adversary": "NSO Group",
"targeted_countries": [
"United States of America",
"Netherlands",
"Germany",
"Virgin Islands, British"
],
"malware_families": [
{
"id": "Amadey",
"display_name": "Amadey",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "ETERNALBLUE",
"display_name": "ETERNALBLUE",
"target": null
},
{
"id": "Backdoor:Win32/Mydoom",
"display_name": "Backdoor:Win32/Mydoom",
"target": "/malware/Backdoor:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 28,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 4655,
"URL": 9981,
"FileHash-MD5": 219,
"FileHash-SHA1": 213,
"FileHash-SHA256": 6722,
"hostname": 4341,
"CVE": 2,
"email": 12,
"BitcoinAddress": 3
},
"indicator_count": 26148,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "753 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65bc0d302007152543202bac",
"name": "WannaCry",
"description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money",
"modified": "2024-03-02T21:02:32.756000",
"created": "2024-02-01T21:29:20.375000",
"tags": [
"contacted",
"tsara brashears",
"urls url",
"files",
"pegasus",
"domains",
"cellbrite",
"targets sa",
"survivor",
"apple ios",
"execution",
"lockbit",
"malware",
"core",
"awful",
"hacktool",
"crypto",
"ransomexx",
"quasar",
"asyncrat",
"bot network",
"loader",
"ransomware",
"wannacry",
"cryptor",
"encoder",
"compiler",
"win32 dll",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 compiler",
"vs98",
"contained",
"w english",
"info compiler",
"products",
"header intel",
"name md5",
"type",
"language",
"overlay",
"as133618",
"unknown",
"cname",
"united",
"germany unknown",
"ukraine unknown",
"ireland unknown",
"virgin islands",
"as47846",
"as39084 rinet",
"date",
"encrypt",
"next",
"microsoft visual c++ v6.0",
"as133618 trellian pty. limited",
"dynamicloader",
"high",
"t1063",
"yara rule",
"medium",
"spoofs",
"high security",
"software",
"discovery",
"attempts",
"april",
"dropper",
"reads self",
"bots",
"connect",
"botnet",
"sabey",
"libel",
"menacing",
"brother sabey",
"as15169 google",
"aaaa",
"search",
"name servers",
"as29182 jsc",
"russia unknown",
"found",
"error"
],
"references": [
"https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)",
"cellebrite.com | enterprise.cellebrite.com",
"http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne",
"deviceinbox.com",
"671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3",
"c1a99e3bde9bad27e463c32b96311312.virus",
"CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)",
"CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
"CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited",
"CS IDS rule: (port_scan) TCP filtered portsweep",
"CS IDS rule: (stream_tcp) data sent on stream after TCP reset received",
"CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14",
"CS Sigma Rule: Creation of an Executable by an Executable by frack113",
"Trojan:Win32/WannaCry.350",
"https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]",
"angebot.staude.de",
"https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e",
"https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.sweetheartvideo.com/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://pin.it/ [Pinterest BotNetwork for Pegasus]",
"http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/"
],
"public": 1,
"adversary": "NSO Group - Pegasus",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/WannaCry.350",
"display_name": "Trojan:Win32/WannaCry.350",
"target": "/malware/Trojan:Win32/WannaCry.350"
}
],
"attack_ids": [
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 310,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 67,
"FileHash-SHA1": 62,
"FileHash-SHA256": 2864,
"domain": 1401,
"URL": 5523,
"hostname": 1766,
"FilePath": 1,
"CVE": 2,
"email": 5
},
"indicator_count": 11691,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "777 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65bc0d2518a7ef9bb17df1b9",
"name": "WannaCry",
"description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money",
"modified": "2024-03-02T21:02:32.756000",
"created": "2024-02-01T21:29:09.832000",
"tags": [
"contacted",
"tsara brashears",
"urls url",
"files",
"pegasus",
"domains",
"cellbrite",
"targets sa",
"survivor",
"apple ios",
"execution",
"lockbit",
"malware",
"core",
"awful",
"hacktool",
"crypto",
"ransomexx",
"quasar",
"asyncrat",
"bot network",
"loader",
"ransomware",
"wannacry",
"cryptor",
"encoder",
"compiler",
"win32 dll",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 compiler",
"vs98",
"contained",
"w english",
"info compiler",
"products",
"header intel",
"name md5",
"type",
"language",
"overlay",
"as133618",
"unknown",
"cname",
"united",
"germany unknown",
"ukraine unknown",
"ireland unknown",
"virgin islands",
"as47846",
"as39084 rinet",
"date",
"encrypt",
"next",
"microsoft visual c++ v6.0",
"as133618 trellian pty. limited",
"dynamicloader",
"high",
"t1063",
"yara rule",
"medium",
"spoofs",
"high security",
"software",
"discovery",
"attempts",
"april",
"dropper",
"reads self",
"bots",
"connect",
"botnet",
"sabey",
"libel",
"menacing",
"brother sabey",
"as15169 google",
"aaaa",
"search",
"name servers",
"as29182 jsc",
"russia unknown",
"found",
"error"
],
"references": [
"https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)",
"cellebrite.com | enterprise.cellebrite.com",
"http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne",
"deviceinbox.com",
"671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3",
"c1a99e3bde9bad27e463c32b96311312.virus",
"CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)",
"CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
"CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited",
"CS IDS rule: (port_scan) TCP filtered portsweep",
"CS IDS rule: (stream_tcp) data sent on stream after TCP reset received",
"CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14",
"CS Sigma Rule: Creation of an Executable by an Executable by frack113",
"Trojan:Win32/WannaCry.350",
"https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]",
"angebot.staude.de",
"https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e",
"https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.sweetheartvideo.com/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://pin.it/ [Pinterest BotNetwork for Pegasus]",
"http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/"
],
"public": 1,
"adversary": "NSO Group - Pegasus",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/WannaCry.350",
"display_name": "Trojan:Win32/WannaCry.350",
"target": "/malware/Trojan:Win32/WannaCry.350"
}
],
"attack_ids": [
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 67,
"FileHash-SHA1": 62,
"FileHash-SHA256": 2864,
"domain": 1401,
"URL": 5523,
"hostname": 1766,
"FilePath": 1,
"CVE": 2,
"email": 5
},
"indicator_count": 11691,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "777 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65bc0cfda433eb05bde3827b",
"name": "WannaCry",
"description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money",
"modified": "2024-03-02T21:02:32.756000",
"created": "2024-02-01T21:28:29.606000",
"tags": [
"contacted",
"tsara brashears",
"urls url",
"files",
"pegasus",
"domains",
"cellbrite",
"targets sa",
"survivor",
"apple ios",
"execution",
"lockbit",
"malware",
"core",
"awful",
"hacktool",
"crypto",
"ransomexx",
"quasar",
"asyncrat",
"bot network",
"loader",
"ransomware",
"wannacry",
"cryptor",
"encoder",
"compiler",
"win32 dll",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 compiler",
"vs98",
"contained",
"w english",
"info compiler",
"products",
"header intel",
"name md5",
"type",
"language",
"overlay",
"as133618",
"unknown",
"cname",
"united",
"germany unknown",
"ukraine unknown",
"ireland unknown",
"virgin islands",
"as47846",
"as39084 rinet",
"date",
"encrypt",
"next",
"microsoft visual c++ v6.0",
"as133618 trellian pty. limited",
"dynamicloader",
"high",
"t1063",
"yara rule",
"medium",
"spoofs",
"high security",
"software",
"discovery",
"attempts",
"april",
"dropper",
"reads self",
"bots",
"connect",
"botnet",
"sabey",
"libel",
"menacing",
"brother sabey",
"as15169 google",
"aaaa",
"search",
"name servers",
"as29182 jsc",
"russia unknown",
"found",
"error"
],
"references": [
"https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)",
"cellebrite.com | enterprise.cellebrite.com",
"http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne",
"deviceinbox.com",
"671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3",
"c1a99e3bde9bad27e463c32b96311312.virus",
"CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)",
"CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
"CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited",
"CS IDS rule: (port_scan) TCP filtered portsweep",
"CS IDS rule: (stream_tcp) data sent on stream after TCP reset received",
"CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14",
"CS Sigma Rule: Creation of an Executable by an Executable by frack113",
"Trojan:Win32/WannaCry.350",
"https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]",
"angebot.staude.de",
"https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e",
"https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.sweetheartvideo.com/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://pin.it/ [Pinterest BotNetwork for Pegasus]",
"http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/"
],
"public": 1,
"adversary": "NSO Group - Pegasus",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/WannaCry.350",
"display_name": "Trojan:Win32/WannaCry.350",
"target": "/malware/Trojan:Win32/WannaCry.350"
}
],
"attack_ids": [
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 67,
"FileHash-SHA1": 62,
"FileHash-SHA256": 2864,
"domain": 1401,
"URL": 5523,
"hostname": 1766,
"FilePath": 1,
"CVE": 2,
"email": 5
},
"indicator_count": 11691,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "777 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65bc0cf9b0dac1aa7f9046cf",
"name": "WannaCry",
"description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money",
"modified": "2024-03-02T21:02:32.756000",
"created": "2024-02-01T21:28:25.092000",
"tags": [
"contacted",
"tsara brashears",
"urls url",
"files",
"pegasus",
"domains",
"cellbrite",
"targets sa",
"survivor",
"apple ios",
"execution",
"lockbit",
"malware",
"core",
"awful",
"hacktool",
"crypto",
"ransomexx",
"quasar",
"asyncrat",
"bot network",
"loader",
"ransomware",
"wannacry",
"cryptor",
"encoder",
"compiler",
"win32 dll",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 compiler",
"vs98",
"contained",
"w english",
"info compiler",
"products",
"header intel",
"name md5",
"type",
"language",
"overlay",
"as133618",
"unknown",
"cname",
"united",
"germany unknown",
"ukraine unknown",
"ireland unknown",
"virgin islands",
"as47846",
"as39084 rinet",
"date",
"encrypt",
"next",
"microsoft visual c++ v6.0",
"as133618 trellian pty. limited",
"dynamicloader",
"high",
"t1063",
"yara rule",
"medium",
"spoofs",
"high security",
"software",
"discovery",
"attempts",
"april",
"dropper",
"reads self",
"bots",
"connect",
"botnet",
"sabey",
"libel",
"menacing",
"brother sabey",
"as15169 google",
"aaaa",
"search",
"name servers",
"as29182 jsc",
"russia unknown",
"found",
"error"
],
"references": [
"https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)",
"cellebrite.com | enterprise.cellebrite.com",
"http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne",
"deviceinbox.com",
"671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3",
"c1a99e3bde9bad27e463c32b96311312.virus",
"CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)",
"CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
"CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited",
"CS IDS rule: (port_scan) TCP filtered portsweep",
"CS IDS rule: (stream_tcp) data sent on stream after TCP reset received",
"CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14",
"CS Sigma Rule: Creation of an Executable by an Executable by frack113",
"Trojan:Win32/WannaCry.350",
"https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]",
"angebot.staude.de",
"https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e",
"https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.sweetheartvideo.com/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://pin.it/ [Pinterest BotNetwork for Pegasus]",
"http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/"
],
"public": 1,
"adversary": "NSO Group - Pegasus",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/WannaCry.350",
"display_name": "Trojan:Win32/WannaCry.350",
"target": "/malware/Trojan:Win32/WannaCry.350"
}
],
"attack_ids": [
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 67,
"FileHash-SHA1": 62,
"FileHash-SHA256": 2864,
"domain": 1401,
"URL": 5523,
"hostname": 1766,
"FilePath": 1,
"CVE": 2,
"email": 5
},
"indicator_count": 11691,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "777 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b8071976a7e6dccaabbada",
"name": "NSO Group Pegasus",
"description": "",
"modified": "2024-02-28T15:01:20.140000",
"created": "2024-01-29T20:14:17.001000",
"tags": [
"ssl certificate",
"whois record",
"whois whois",
"communicating",
"cellbrite",
"urls http",
"referrer",
"historical ssl",
"nullmixer",
"smokeloader",
"redline stealer",
"installer",
"hiddentear",
"probe",
"nso group",
"pegasus",
"community",
"xcitium verdict",
"cloud",
"bitdefender",
"history",
"utc http",
"response final",
"url final",
"ip address",
"status code",
"compiler",
"basic",
"pe32",
"intel",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"pe32 compiler",
"rticon russian",
"info header",
"name md5",
"contained",
"type",
"language",
"ico rtgroupicon",
"russian",
"overlay",
"urls",
"domains",
"gandi sas",
"contacted",
"markmonitor",
"ip detections",
"country",
"pe resource",
"children",
"file type",
"ico mainicon",
"linkid252669",
"win32 dll",
"ms visual",
"win32 dynamic",
"win32 exe",
"files",
"afrefhttp",
"execution",
"highly targeted",
"http",
"agent tesla",
"blackbag",
"relations most",
"core",
"malware",
"emotet",
"critical",
"copy",
"qakbot",
"trojan",
"ransomexx",
"ryuk",
"ransomware",
"matanbuchus",
"cobalt strike",
"bazarloader",
"as15169 google",
"united",
"passive dns",
"aaaa",
"title",
"a domains",
"body html",
"head meta",
"moved title",
"tsara brashears",
"offender",
"Robert neill",
"jeffery scott reimer",
"assaulted",
"sci",
"warning",
"denver",
"death threats",
"porn malvertizing",
"bomb",
"bomb threats"
],
"references": [
"https://www.nsogroup.com/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"ww.google.com.uy",
"321Survive.exe",
"https://en.m.wikipedia.org \u203a wiki NSO Group"
],
"public": 1,
"adversary": "NSO Group",
"targeted_countries": [],
"malware_families": [
{
"id": "trojan.wanna/wannacry",
"display_name": "trojan.wanna/wannacry",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "65b7e406028ca6f363f41315",
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 570,
"URL": 2908,
"FileHash-MD5": 98,
"FileHash-SHA1": 84,
"FileHash-SHA256": 2241,
"hostname": 1043,
"CVE": 3,
"email": 1
},
"indicator_count": 6948,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "781 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b7e406028ca6f363f41315",
"name": "NSO Group Pegasus",
"description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when Brashears was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys? I am her only advocate.",
"modified": "2024-02-28T15:01:20.140000",
"created": "2024-01-29T17:44:38.424000",
"tags": [
"ssl certificate",
"whois record",
"whois whois",
"communicating",
"cellbrite",
"urls http",
"referrer",
"historical ssl",
"nullmixer",
"smokeloader",
"redline stealer",
"installer",
"hiddentear",
"probe",
"nso group",
"pegasus",
"community",
"xcitium verdict",
"cloud",
"bitdefender",
"history",
"utc http",
"response final",
"url final",
"ip address",
"status code",
"compiler",
"basic",
"pe32",
"intel",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"pe32 compiler",
"rticon russian",
"info header",
"name md5",
"contained",
"type",
"language",
"ico rtgroupicon",
"russian",
"overlay",
"urls",
"domains",
"gandi sas",
"contacted",
"markmonitor",
"ip detections",
"country",
"pe resource",
"children",
"file type",
"ico mainicon",
"linkid252669",
"win32 dll",
"ms visual",
"win32 dynamic",
"win32 exe",
"files",
"afrefhttp",
"execution",
"highly targeted",
"http",
"agent tesla",
"blackbag",
"relations most",
"core",
"malware",
"emotet",
"critical",
"copy",
"qakbot",
"trojan",
"ransomexx",
"ryuk",
"ransomware",
"matanbuchus",
"cobalt strike",
"bazarloader",
"as15169 google",
"united",
"passive dns",
"aaaa",
"title",
"a domains",
"body html",
"head meta",
"moved title",
"tsara brashears",
"offender",
"Robert neill",
"jeffery scott reimer",
"assaulted",
"sci",
"warning",
"denver",
"death threats",
"porn malvertizing",
"bomb",
"bomb threats"
],
"references": [
"https://www.nsogroup.com/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"ww.google.com.uy",
"321Survive.exe",
"https://en.m.wikipedia.org \u203a wiki NSO Group"
],
"public": 1,
"adversary": "NSO Group",
"targeted_countries": [],
"malware_families": [
{
"id": "trojan.wanna/wannacry",
"display_name": "trojan.wanna/wannacry",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 570,
"URL": 2908,
"FileHash-MD5": 98,
"FileHash-SHA1": 84,
"FileHash-SHA256": 2241,
"hostname": 1043,
"CVE": 3,
"email": 1
},
"indicator_count": 6948,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "781 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b7e4017a14cda8d09c9bf8",
"name": "NSO Group Pegasus",
"description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when Brashears was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys? I am her only advocate.",
"modified": "2024-02-28T15:01:20.140000",
"created": "2024-01-29T17:44:33.270000",
"tags": [
"ssl certificate",
"whois record",
"whois whois",
"communicating",
"cellbrite",
"urls http",
"referrer",
"historical ssl",
"nullmixer",
"smokeloader",
"redline stealer",
"installer",
"hiddentear",
"probe",
"nso group",
"pegasus",
"community",
"xcitium verdict",
"cloud",
"bitdefender",
"history",
"utc http",
"response final",
"url final",
"ip address",
"status code",
"compiler",
"basic",
"pe32",
"intel",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"pe32 compiler",
"rticon russian",
"info header",
"name md5",
"contained",
"type",
"language",
"ico rtgroupicon",
"russian",
"overlay",
"urls",
"domains",
"gandi sas",
"contacted",
"markmonitor",
"ip detections",
"country",
"pe resource",
"children",
"file type",
"ico mainicon",
"linkid252669",
"win32 dll",
"ms visual",
"win32 dynamic",
"win32 exe",
"files",
"afrefhttp",
"execution",
"highly targeted",
"http",
"agent tesla",
"blackbag",
"relations most",
"core",
"malware",
"emotet",
"critical",
"copy",
"qakbot",
"trojan",
"ransomexx",
"ryuk",
"ransomware",
"matanbuchus",
"cobalt strike",
"bazarloader",
"as15169 google",
"united",
"passive dns",
"aaaa",
"title",
"a domains",
"body html",
"head meta",
"moved title",
"tsara brashears",
"offender",
"Robert neill",
"jeffery scott reimer",
"assaulted",
"sci",
"warning",
"denver",
"death threats",
"porn malvertizing",
"bomb",
"bomb threats"
],
"references": [
"https://www.nsogroup.com/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"ww.google.com.uy",
"321Survive.exe",
"https://en.m.wikipedia.org \u203a wiki NSO Group"
],
"public": 1,
"adversary": "NSO Group",
"targeted_countries": [],
"malware_families": [
{
"id": "trojan.wanna/wannacry",
"display_name": "trojan.wanna/wannacry",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 570,
"URL": 2908,
"FileHash-MD5": 98,
"FileHash-SHA1": 84,
"FileHash-SHA256": 2241,
"hostname": 1043,
"CVE": 3,
"email": 1
},
"indicator_count": 6948,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "781 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b7e3fe934ae9d391614c0d",
"name": "NSO Group Pegasus",
"description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when Brashears was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys? I am her only advocate.",
"modified": "2024-02-28T15:01:20.140000",
"created": "2024-01-29T17:44:30.585000",
"tags": [
"ssl certificate",
"whois record",
"whois whois",
"communicating",
"cellbrite",
"urls http",
"referrer",
"historical ssl",
"nullmixer",
"smokeloader",
"redline stealer",
"installer",
"hiddentear",
"probe",
"nso group",
"pegasus",
"community",
"xcitium verdict",
"cloud",
"bitdefender",
"history",
"utc http",
"response final",
"url final",
"ip address",
"status code",
"compiler",
"basic",
"pe32",
"intel",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"pe32 compiler",
"rticon russian",
"info header",
"name md5",
"contained",
"type",
"language",
"ico rtgroupicon",
"russian",
"overlay",
"urls",
"domains",
"gandi sas",
"contacted",
"markmonitor",
"ip detections",
"country",
"pe resource",
"children",
"file type",
"ico mainicon",
"linkid252669",
"win32 dll",
"ms visual",
"win32 dynamic",
"win32 exe",
"files",
"afrefhttp",
"execution",
"highly targeted",
"http",
"agent tesla",
"blackbag",
"relations most",
"core",
"malware",
"emotet",
"critical",
"copy",
"qakbot",
"trojan",
"ransomexx",
"ryuk",
"ransomware",
"matanbuchus",
"cobalt strike",
"bazarloader",
"as15169 google",
"united",
"passive dns",
"aaaa",
"title",
"a domains",
"body html",
"head meta",
"moved title",
"tsara brashears",
"offender",
"Robert neill",
"jeffery scott reimer",
"assaulted",
"sci",
"warning",
"denver",
"death threats",
"porn malvertizing",
"bomb",
"bomb threats"
],
"references": [
"https://www.nsogroup.com/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"ww.google.com.uy",
"321Survive.exe",
"https://en.m.wikipedia.org \u203a wiki NSO Group"
],
"public": 1,
"adversary": "NSO Group",
"targeted_countries": [],
"malware_families": [
{
"id": "trojan.wanna/wannacry",
"display_name": "trojan.wanna/wannacry",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 570,
"URL": 2908,
"FileHash-MD5": 98,
"FileHash-SHA1": 84,
"FileHash-SHA256": 2241,
"hostname": 1043,
"CVE": 3,
"email": 1
},
"indicator_count": 6948,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "781 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b7e3fe91a1aceb955e54f6",
"name": "NSO Group Pegasus",
"description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when Brashears was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys? I am her only advocate.",
"modified": "2024-02-28T15:01:20.140000",
"created": "2024-01-29T17:44:30.147000",
"tags": [
"ssl certificate",
"whois record",
"whois whois",
"communicating",
"cellbrite",
"urls http",
"referrer",
"historical ssl",
"nullmixer",
"smokeloader",
"redline stealer",
"installer",
"hiddentear",
"probe",
"nso group",
"pegasus",
"community",
"xcitium verdict",
"cloud",
"bitdefender",
"history",
"utc http",
"response final",
"url final",
"ip address",
"status code",
"compiler",
"basic",
"pe32",
"intel",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"pe32 compiler",
"rticon russian",
"info header",
"name md5",
"contained",
"type",
"language",
"ico rtgroupicon",
"russian",
"overlay",
"urls",
"domains",
"gandi sas",
"contacted",
"markmonitor",
"ip detections",
"country",
"pe resource",
"children",
"file type",
"ico mainicon",
"linkid252669",
"win32 dll",
"ms visual",
"win32 dynamic",
"win32 exe",
"files",
"afrefhttp",
"execution",
"highly targeted",
"http",
"agent tesla",
"blackbag",
"relations most",
"core",
"malware",
"emotet",
"critical",
"copy",
"qakbot",
"trojan",
"ransomexx",
"ryuk",
"ransomware",
"matanbuchus",
"cobalt strike",
"bazarloader",
"as15169 google",
"united",
"passive dns",
"aaaa",
"title",
"a domains",
"body html",
"head meta",
"moved title",
"tsara brashears",
"offender",
"Robert neill",
"jeffery scott reimer",
"assaulted",
"sci",
"warning",
"denver",
"death threats",
"porn malvertizing",
"bomb",
"bomb threats"
],
"references": [
"https://www.nsogroup.com/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"ww.google.com.uy",
"321Survive.exe",
"https://en.m.wikipedia.org \u203a wiki NSO Group"
],
"public": 1,
"adversary": "NSO Group",
"targeted_countries": [],
"malware_families": [
{
"id": "trojan.wanna/wannacry",
"display_name": "trojan.wanna/wannacry",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 570,
"URL": 2908,
"FileHash-MD5": 98,
"FileHash-SHA1": 84,
"FileHash-SHA256": 2241,
"hostname": 1043,
"CVE": 3,
"email": 1
},
"indicator_count": 6948,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "781 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b80944a3d1c9e36346e0c1",
"name": "NSO Group Pegasus spyware used nefariously",
"description": "",
"modified": "2024-02-27T03:01:21.421000",
"created": "2024-01-29T20:23:32.737000",
"tags": [
"whois record",
"ssl certificate",
"threat roundup",
"october",
"august",
"september",
"november",
"april",
"march",
"tsara brashears",
"copy",
"execution",
"metro",
"awful",
"attack",
"quasar",
"malicious",
"crypto",
"contact",
"contacted",
"pe resource",
"communicating",
"pegasus",
"bundled",
"historical ssl",
"cellbrite",
"core",
"startpage",
"ursnif",
"amadey",
"probe",
"targets sa",
"survivor",
"referrer",
"whois whois",
"whois ssl",
"apple",
"status",
"creation date",
"passive dns",
"urls",
"search",
"expiration date",
"name servers",
"scan endpoints",
"all octoseek",
"pulse submit",
"date",
"next",
"et exploit",
"probe ms17010",
"smbds ipc",
"show",
"service",
"entries",
"msf style",
"generic flags",
"pe32",
"exploit",
"malware",
"dock",
"push",
"write",
"win32",
"eternalblue",
"playgame",
"bitcoin",
"virgin islands",
"as19905",
"record value",
"unknown",
"body",
"meta",
"error",
"united",
"as7922 comcast",
"x ua",
"ipv4",
"pulse pulses",
"files",
"moved",
"title",
"gmt content",
"cookie",
"as15169 google",
"mtb jan",
"otx telemetry",
"query",
"trojan",
"msr jan",
"as29580 a1",
"domain",
"showing",
"as8866",
"cellebrite",
"aaaa",
"russia unknown",
"dnssec",
"nxdomain",
"a domains",
"download",
"accept",
"url https",
"http",
"ip address",
"related nids",
"files location",
"ios",
"ireland",
"servers",
"as4808 china",
"china",
"reverse dns",
"asnone united",
"as54113",
"cname",
"domain name",
"emails",
"as23724",
"as4812 china",
"win32mydoom jan",
"ransom",
"worm",
"browse scan",
"endpoints all",
"login",
"sign up",
"cellebrite",
"algorithm",
"data",
"v3 serial",
"number",
"cus cnr3",
"olet",
"subject public",
"key info",
"key algorithm",
"ec oid",
"server",
"domain status",
"registrar abuse",
"whois lookup",
"contact email",
"contact phone",
"popularity",
"rank position",
"ingestion time",
"cisco umbrella",
"record type",
"ttl value",
"sa victim",
"assaulter",
"privilege https",
"tulach"
],
"references": [
"enterprise.cellebrite.com [ digitalclues.com]",
"http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS",
"https://tulach.cc/ [malware engineering | phishing]",
"deviceinbox.com [malware hosting]",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu",
"https://timersys.com/ [ phishing | deb opera.com]",
"https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]",
"message.htm.com [ message stealer]",
"https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]",
"https://www.nsogroup.com",
"https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]",
"https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]",
"https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]",
"Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]",
"https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf",
"https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]",
"training001.blackbagtech.com [opportunity?]",
"https://otx.alienvault.com/indicator/hostname/apptree.comcast.net",
"nr-data.net [Apple Private Data Collection] data.net points to aps.net",
"Tracking: 8.8.4.4 [ NOT a false.positive]",
"https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b",
"Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Netherlands",
"Germany",
"Virgin Islands, British"
],
"malware_families": [
{
"id": "Amadey",
"display_name": "Amadey",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Backdoor:Win32/Mydoom",
"display_name": "Backdoor:Win32/Mydoom",
"target": "/malware/Backdoor:Win32/Mydoom"
},
{
"id": "ETERNALBLUE",
"display_name": "ETERNALBLUE",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
}
],
"industries": [
"Civil Society",
"Healthcare"
],
"TLP": "green",
"cloned_from": "65b5cbbbcb7a479db222f053",
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 4174,
"URL": 9617,
"FileHash-MD5": 241,
"FileHash-SHA1": 235,
"FileHash-SHA256": 6801,
"hostname": 4314,
"CVE": 2,
"email": 13,
"BitcoinAddress": 3
},
"indicator_count": 25400,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "782 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a9b81da64500aa609122",
"name": "APPLE CVE",
"description": "",
"modified": "2023-12-06T17:04:56.966000",
"created": "2023-12-06T17:04:56.966000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 705,
"FileHash-MD5": 171,
"domain": 242,
"hostname": 361,
"URL": 496,
"email": 3,
"FileHash-SHA1": 123,
"CVE": 1,
"SSLCertFingerprint": 4
},
"indicator_count": 2106,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 114,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a835fc0836f148fa45c8",
"name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]",
"description": "",
"modified": "2023-12-06T16:58:29.243000",
"created": "2023-12-06T16:58:29.243000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 6,
"URL": 7203,
"hostname": 2260,
"FileHash-SHA256": 4835,
"FileHash-MD5": 283,
"FileHash-SHA1": 163,
"domain": 915
},
"indicator_count": 15665,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a521974bdb5d6dbda092",
"name": "",
"description": "",
"modified": "2023-12-06T16:45:21.776000",
"created": "2023-12-06T16:45:21.776000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 6,
"URL": 7203,
"hostname": 2260,
"FileHash-SHA256": 4835,
"FileHash-MD5": 283,
"FileHash-SHA1": 163,
"domain": 915
},
"indicator_count": 15665,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"",
"systemInfo.csv",
"apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC",
"https://support.Apple.com/de",
"192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net",
"The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.",
"IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)",
"ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound",
"firebaseremoteconfig.googleapis.com (remote hacking)",
"IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden",
"Requires further research.",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com",
"main.cf.proto",
"OTX auto populated targeted groups.",
"http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/",
"Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..",
"CS IDS rule: (port_scan) TCP filtered portsweep",
"certificates.csv",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
"Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.",
"LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.",
"Mark Brian Sabey",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"I am unable to reach Level Blue regarding issues. Mailer Daemon only",
"virtual",
"AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server",
"master.cf.proto",
"https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]",
"TCP SYN packets were observed",
"main.cf",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"https://www.apple.com/sitemap/",
"MCPeerID.h",
"group",
"com.apple.screensharing.agent.launchd",
"https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7",
"This is a serious crime. I\u2019m certain God WILL pay them.",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne",
"Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim",
"Reimer was a PT. Unknown whereabouts , name or job description",
"content-negotiation.html",
"IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden",
"Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc",
"https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse",
"process_list.txt",
"generic",
"https://www.sweetheartvideo.com/tsara-brashears/",
"Issue! Team member found CVE-2023-22518 have origins from the State of Colorado",
"https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com",
"upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4",
"chromeExtensions.csv",
"Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe",
"Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX",
"http://init-p01st.push.apple.com/bag (remote hacking)",
"as15169",
"kernel.csv",
"45.159.189.105 (Command and Control)",
"File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:",
"version.plist",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt",
"pf.os",
"Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)",
"\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"I bring up the personal nature of the crime because a delete service has been used",
"Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options",
"canonical",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]",
"Same legal , and quasi governmental pattern identified",
"I did not clone my pulse to read Bit.io",
"https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]",
"oas-japac-domains-applecomputer.cn",
"apfs_boot_mount.tbd",
"Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net",
"https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/",
"IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193",
"https://www.datafoundry.com/data-center-contamination-control/",
"ldap.h",
"launchdaemons.txt",
"By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.",
"Suspicious User Agent | ETPRO POLICY Python Requests",
"kern_loader.conf",
"BUILDING",
"autofs.conf",
"https://www.roseoubleu.fr/panier (phishing)",
"cellebrite.com | enterprise.cellebrite.com",
"training001.blackbagtech.com [opportunity?]",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022",
"I typically follow targets who have truly dangerous situations who no longer pulse.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"managedPolicies.csv",
"index.html.en",
"All IoC\u2019s originate from sources named. There are some unknown attackers",
"aliases",
"Alerts: injection_process_search antivm_network_adapters privilege_luid_check",
"207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com",
"monitoring.eurovision.net",
"Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen",
"Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com",
"http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)",
"Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB",
"custom_header_checks",
"postfix-files",
"Denver Police let this attempted murder walk. Cited him as a ghost driver",
"Info.plist",
"Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.",
"CS IDS rule: (stream_tcp) data sent on stream after TCP reset received",
"https://l.us-1.a.mimecastprotect.com/l",
"https://applepaydayloans.com/",
"resolv.conf",
"CS Sigma Rule: Creation of an Executable by an Executable by frack113",
"disk_structure.txt",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"remote.haverhillcc.com (remote hacking)",
"Ronda Cordova",
"irbrc",
"Tracking: 8.8.4.4 [ NOT a false.positive]",
"Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com",
"Verification failure observed in automated verification handlers during sandbox replay.",
"Some may may find this content is very disturbing and offensive",
"caching.html",
"https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e",
"CodeResources",
"sharingPreferences.csv",
"div>
",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"MCNearbyServiceAdvertiser.h",
"ntp.conf",
"When your pulse says contacted, who is contacted besides OTX?",
"Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com",
"An earlier version contacted entities affected or affecting targets.",
"It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT",
"http://watchhers.net/index.php",
"users.csv",
"user_launchagents.txt",
"http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml",
"auto_home",
"remote.telegrafix.com (remote hacking)",
"https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.virustotal.com/gui/collection/49dc173bbaf3c632d46d614106ac72d2fba72444f14c618995b797757815d5b4/iocs",
"It\u2019s not just me. I have contacted from very secured emails, networks, devices",
"https://en.m.wikipedia.org \u203a wiki NSO Group",
"This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert",
"https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com",
"MCAdvertiserAssistant.h",
"mounts.csv",
"Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)",
"You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists",
"The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"\"ET WEB_SERVER WebShell Generic - wget http - POST",
"IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz",
"https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in",
"relocated",
"mounts.txt",
"https://webmail.police.govmm.org/owa/",
"https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf",
"Unknown Persons impersonating Private Investigators (plural)",
"Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer",
"Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"Issue! Multiple IoC\u2019s missing.",
"applepaydayloans.com",
"Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s",
"The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.",
"Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.",
"https://www.virustotal.com/graph/embed/g67beb17fa38042baaa378cde359bbf4ba510be6f4d5c4f40b2d39917c7f7b67c?theme=dark",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"module.modulemap",
"About pulse, found in peripheral.",
"http://www.icloud-sms-alert.com/",
"Alerts: checks_debugger has_pdb raises_exception",
"Has been present throughout a specific campaign",
"csh.logout",
"apple.com(-inc.cc)",
"I liked the tool. There is something strange happening with the pulses & IoC\u2019s",
"asl.conf",
"https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)",
"bounce.cf.default",
"x86_64-apple-ios-macabi.swiftinterface",
"Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication",
"src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105",
"security_status.txt",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"Pahamify Pegasus",
"209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com",
"Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"http://foundry2sdbl.dvr.dn2.n-helix.com/",
"Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A",
"networks",
"Data Analytics",
"deviceinbox.com",
"I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place",
"etcHosts.csv",
"enterprise.cellebrite.com [ digitalclues.com]",
"systemControls.csv",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]",
"https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android",
"sharedFolders.csv",
"https://timersys.com/ [ phishing | deb opera.com]",
"find.codes",
"http://foundry2-lbl.dvr.dn2.n-helix.com/",
"Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)",
"manpaths",
"Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora",
"http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409",
"Christopher P \u2018Buzz\u2019 Ahmann",
"http://www.Apple.com/quicktime/download",
"nr-data.net [Apple Private Data Collection] data.net points to aps.net",
"http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"launchagents.txt",
"Driver_xst.h",
"init.ess.apple.com (remote hacking)",
"CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
"This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents.",
"AirPlayReceiver.tbd",
"rc.netboot",
"LICENSE",
"Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject",
"newsyslog.conf",
"protocols",
"kexts.txt",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu",
"Victim silenced. Struck by Car Driven by male police let walk",
"ET WORM TheMoon.linksys.router",
"AOSKit.tbd",
"https://otx.alienvault.com/indicator/hostname/apptree.comcast.net",
"Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
"151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun",
"Redirect: schemas.microsoft.com",
"Obfuscation: XOR-based String Encryption (0x20)",
"MultipeerConnectivity.h",
"This would be sent in an email but \u2026.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"afpovertcp.cfg",
"sipConfig.csv",
"https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05",
"profile",
"IDS: TLS Handshake Failure",
"MCError.h",
"makedefs.out",
"http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS",
"http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com",
"T1110.001 (Brute Force: Password Guessing)",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"zshrc_Apple_Terminal",
"https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]",
"Mirai",
"More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed",
"bashrc",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"MCNearbyServiceBrowser.h",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"dbivport.h",
"gettytab",
"convenience.map",
"LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.",
"The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/",
"By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.",
"tv.apple.com",
"access",
"https://sinister.ly/Thread-Apple-empty-box?page=13",
"Behavior Pattern Match Analysis",
"interfaceAddrs.csv",
"interfaceDetails.csv",
"iphonegermany.com",
"shells",
"Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.",
"IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net",
"c1a99e3bde9bad27e463c32b96311312.virus",
"locate.rc",
"AppleFirmwareUpdate.tbd",
"http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd",
"x86_64-apple-macos.swiftinterface",
"custom-error.html",
"Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b",
"configuring.html",
"usbDevices.csv",
"Google_Chrome_64bit_v136.0.7103.49.exe",
"fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d",
"Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f",
"http://palantirwww.sweetheartvideo.com/ (weirdness)",
"master.cf",
"207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com",
"They blatantly steal from citizens , blame foreign entities.",
"www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)",
"angebot.staude.de",
"robert-aebi.appleid.com",
"IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"mac.store",
"smb.conf",
"dbd_xsh.h",
"syslog.conf",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"stagelight.pl (malicious/ pattern match)",
"master.cf.default",
"IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96",
"https://207-207-25-201.fwd.datafoundry.com/",
"diskEncryption.csv",
"https://otx.alienvault.com/indicator/cve/CVE-2023-22518",
"https://icloud.ch/cn/ipod-touch/",
"http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com",
"notify.conf",
"Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process",
"http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)",
"A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more",
"pf.conf",
"arm64e-apple-ios-macabi.swiftinterface",
"I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.",
"ww.google.com.uy",
"command_args.json",
"321Survive.exe",
"MCSession.h",
"auto_master",
"Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?",
"crashes.csv",
"genealogytrails.com",
"https://support.apple.com/en-us/HT201265. Targets (iOS ID)",
"CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14",
"main.cf.default",
"https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com",
"Admin.tbd",
"https://www.datafoundry.com/category/news/press-releases/",
"Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs",
"https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022",
"Roksit.net",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)",
"hook_op_check.h",
"LocalAuthentication.tbd",
"CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited",
"rtadvd.conf",
"http://www.Apple.com/quicktime/download/standalone.html",
"zshrc",
"DBIXS.h",
"header_checks",
"Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"csh.cshrc",
"bpc-old.palantirfoundry.com",
"I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members",
"IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS",
"dbixs_rev.h",
"www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com",
"https://icloud.ch/",
"dbi_sql.h",
"ftpusers",
"ET INFO User-Agent (python-requests) Inbound to Webserver",
"www.jamesbgriffinlaw.com (malicious host)",
"deviceinbox.com [malware hosting]",
"LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.",
"https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl",
"MultipeerConnectivity.tbd",
"ntp_opendirectory.conf",
"Denver Police Department Major Crimes closed investigation",
"https://tulach.cc/ [malware engineering | phishing]",
"MCBrowserViewController.h",
"(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)",
"https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]",
"monitor.kyos.ninja",
"TLS_LICENSE",
"Melvin Sabey",
"There are serious researchers on here for a short time hoping to resolve serious cyber issues",
"his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.",
"bind.html",
"Sexual and Physical Assaulter - Jeffrey Scott Reimer",
"IPs Contacted: 149.56.240.31 172.66.136.209",
"mail.rc",
"Researching using an easy powerful tool like this has led to confrontations.",
"nfs.conf",
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Updated | What\u2019s left after theft",
"https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291",
"transport",
"APConfigurationSystem.tbd",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"bashrc_Apple_Terminal",
"Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ,",
"rpc",
"https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]",
"LDAP.tbd",
"csh.login",
"https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215",
"arm64e-apple-macos.swiftinterface",
"ttys",
"sudo_lecture",
"IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)",
"https://www.virustotal.com/gui/collection/49dc173bbaf3c632d46d614106ac72d2fba72444f14c618995b797757815d5b4",
"Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint",
"7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)",
"smtp2.icl-privaterelay.appleid.com",
"Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186",
"https://www.nsogroup.com",
"It appears there are 5-7 known affected that I was able to find",
"IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin",
"launchD.csv",
"Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com",
"Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com",
"com.iobit.MacBooster-3",
"CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)",
"rc.common",
"MultipeerConnectivity.apinotes",
"http://212.33.237.86/images/1/report.php",
"rmtab",
"Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support",
"preboot_archive_errors.log",
"passwd",
"http://45.159.189.105/bot/regex (Bot Command)",
"lber.h",
"Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue",
"zprofile",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3",
"applications.csv",
"https://pin.it/ [Pinterest BotNetwork for Pegasus]",
"207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com",
"Quasi Government Case",
"Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/",
"http://ww1.tsx.org/_fd",
"https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE",
"Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.",
"Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.",
"xtab",
"https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)",
"https://rdweb.datafoundry.com/",
"Yara Detections BackdoorWin32Simda",
"Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur",
"http://audaxgroup.appleid.com/",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data",
"The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.",
"I apologize for the lack of reference.",
"https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx",
"Domains Contacted: c.statcounter.com sstatic1.histats.com",
"paths",
"man.conf",
"http://apple.support.com/ht***** redirect",
"https://www.nsogroup.com/",
"https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)",
"https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
"Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com",
"https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4",
"Trojan:Win32/WannaCry.350",
"WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset.",
"message.htm.com [ message stealer]",
"sudoers",
"apple.com. (malicious version/header)",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"4860f9c5ec1ab473f1d63d19a31c82798d65a8d2 Add to Pulse Pulses 2 AV Detections 1 IDS Detections 5 YARA Detections 3 Alerts 0 Analysis Overview Analysis Date 4 days ago File Score 12 Malicious Antivirus Detections TrojanDownloader:Win32/Tugspay.A IDS Detections TLS Handshake Failure 403 Forbidden Yara Detections Win32_PUA_Domaiq , aPLib , PECompact_2xx Alerts 31 Alerts antivm_display infostealer_browser infostealer_cookies procmem_yara static_pe_anomaly suricata_alert antivm_bochs_keys physical_drive_access ",
"http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"battery.csv",
"https://aspmx.l.google.com/"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"pi, pdfkit.net",
"Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act",
"NSO Group - Pegasus",
"Tier-1 SaaS Reputation Parasitism Leveraging Wix Infrastructure",
"DragonForce Malaysia Hacker Group",
"NSO Group",
"StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s",
"Lazarus"
],
"malware_families": [
"Mirai",
"Exploit:win32/cve-2017-0147",
"Alf:heraklezeval:trojan:win32/c2lop",
"Nids",
"Alf:spikeaexr.pevpszl",
"#lowfi:siga:trojanspy:msil/keylogger",
"Win.trojan.vb-83922",
"Emotet",
"Trojan.generic",
"Win.malware.elenooka-6996044-0",
"Tulach",
"Gen:variant.bulz",
"Et",
"Virus:win32/floxif.h",
"Ml.generic",
"Tel:exploit:html/pswebkit",
"Sodin ransomware",
"W32.hack.generic",
"Malware.generic",
"Trojan:win32/icedid.di!mtb",
"Pegasus",
"Ransom:win32/gandcrab.h!mtb",
"Trojan:win32/wannacry.350",
"Alf:program:opencandy:remnant",
"Sigur",
"Firstname",
"Trojan:win32/smkldr.h!mtb",
"Ransom:win32/cve-2017-0147",
"Cobalt strike - s0154",
"Amadey",
"Keyloggers",
"Spyfu",
"#virtool:win32/obfuscator.adb",
"Qvm20.1.8d80.malware",
"Redline stealer",
"Tel:delphi/obfuscator",
"Adwaresig [adw] ml.generic",
"Anonymizer",
"Artemis",
"Eternalblue",
"Virtool:win32/injector",
"Tel:trojan:win32/emotet",
"Malicious.22a4c0",
"Dropper.binder",
"#lowfi:lua:dllsuspiciousexport.a",
"#lowfi:hstr:pyinstaller_packaged_script",
"Adware.dropware",
"Worm:win32/autorun!atmn",
"Gen:variant.zusy",
"Ransom:msil/gandcrab",
"Backdoor:win32/drixed",
"Sdbot.caoc",
"Gen:variant.razy",
"Generic.asmalws malicious_confidence_70% 1\til:trojan.msilzilla 1\tfilerepmalware 1\transom.sabsik 1\tbehaveslike.dropper 1\tmicrosoft phishing 1\tbackdoor.mokes 1\tphishing bank of america corporat",
"Virus:win95/cerebrus",
"Laplasclipper",
"Trojan.html.agent",
"Trojan.wanna/wannacry",
"Trojan:win32/pariham.a",
"Pws:msil/steam",
"Unix.trojan.mirai-7135937-0",
"Quasar rat",
"Tons of malware",
"Gamehack.dr",
"Lastname",
"Slfper:installcore",
"Virtool:win32/vbinject.gen!jb",
"Ramnit",
"Autorunit",
"Malware family: stealthworker / gobrut",
"Kanna",
"Mydoom",
"Der zugriff",
"Relic",
"Porn revenge",
"Skynet",
"Malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tunsafe.ai_score_98% 1\tmobigame 1\tbanker,evasive,retefe 1\tprogram.unwanted 1\tmalicious.high.ml 1\tkryptik.dawvk 1\tunsafe.ai_score_91% 1\tadwar",
"Backdoor:win32/mydoom",
"Trojan.ole2.vbs",
"Unix.trojan.mirai-7646352-0",
"#hstr:hacktool:win32/mimikatz",
"Trojan.ransom.generickd",
"Worm:win32/bloored",
"Undefined 1\tms 1\txyz 1\tgl 1\tnet tld aggregation com ms xyz gl net 20% 20% 20% 20% 20% tld\tcount com\t1 undefined\tnan ms\t1 xyz\t1 gl\t1 net\t1 combined blacklist timeline hybrid-analysis maltiverse resea",
"Maltiverse",
"Tofsee",
"Icedid",
"Generic.malware",
"Worm:win32/netsky",
"Other malware",
"Proxy",
"Ransom:win32/blocker.nn!mtb",
"#exploit:win32/blofeldscat",
"Md5 hash: f8add7e7161460ea2b1970cf4ca535bf",
"Zeus",
"Backdoor.mokes",
"Trojanspy",
"Generic.31fcc75f",
"Phish.ab",
"Cve-2023-22518"
],
"industries": [
"Telecom",
"Legal",
"Entertainment",
"Telecommunications",
"Financial",
"Crypto",
"Civil society",
"Government",
"Healthcare",
"Bank",
"Banks",
"Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in",
"Technology"
],
"unique_indicators": 333806
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/Apple.com",
"whois": "http://whois.domaintools.com/Apple.com",
"domain": "Apple.com",
"hostname": "support.Apple.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 50,
"pulses": [
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-04-19T08:11:41.130000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27678,
"FileHash-SHA256": 47676,
"FileHash-MD5": 42534,
"FileHash-SHA1": 23213,
"hostname": 33703,
"URL": 75433,
"SSLCertFingerprint": 30,
"CVE": 7582,
"email": 313,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"IPv4": 80,
"URI": 5
},
"indicator_count": 284461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "8 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6995e22d28c9e9d76f0dec64",
"name": "Not So Awesome Fonts",
"description": "Researchers: Further review warranted on awesome fonts.",
"modified": "2026-04-13T23:46:40.833000",
"created": "2026-02-18T16:00:45.725000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 123,
"FileHash-MD5": 10,
"FileHash-SHA1": 12,
"FileHash-SHA256": 223,
"email": 5,
"hostname": 223,
"URL": 565,
"CVE": 29,
"SSLCertFingerprint": 2
},
"indicator_count": 1192,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6992bae83a5988dff8311490",
"name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)",
"description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.",
"modified": "2026-04-13T23:46:20.071000",
"created": "2026-02-16T06:36:24.788000",
"tags": [
"Obfuscation: XOR-based String Encryption (0x20)",
"T1110.001 (Brute Force: Password Guessing)",
"Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba",
"MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
"#PotentialUS-Origin_FalseFlag_Obfuscation"
],
"references": [
"Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186",
"Obfuscation: XOR-based String Encryption (0x20)",
"T1110.001 (Brute Force: Password Guessing)",
"This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains",
"Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f",
"Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.",
"his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.",
"The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.",
"By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.",
"The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting",
"",
"The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.",
"By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.",
"The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.",
"LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.",
"LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.",
"LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.",
"Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.",
"Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs",
"Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.",
"Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.",
"Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.",
"WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset."
],
"public": 1,
"adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s",
"targeted_countries": [],
"malware_families": [
{
"id": "Malware Family: StealthWorker / GoBrut",
"display_name": "Malware Family: StealthWorker / GoBrut",
"target": "/malware/Malware Family: StealthWorker / GoBrut"
},
{
"id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
"display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
"target": null
}
],
"attack_ids": [
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2166,
"FileHash-SHA1": 2067,
"FileHash-SHA256": 3371,
"domain": 13295,
"URL": 6860,
"email": 272,
"hostname": 4705,
"SSLCertFingerprint": 268,
"CVE": 107,
"CIDR": 6
},
"indicator_count": 33117,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 62,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69d6619d62ea0c3bbf0ebf75",
"name": "Mac OS Unwanted Programs | Mac Booster application potentially installed in background without target\u2019s knowledge",
"description": "Not installed by users I\u2019m researching for. Downloaded as an unwanted program Overview of com.iobit.MacBooster-3\ncom.iobit.MacBooster-3 is the package identifier for MacBooster 3, a software application developed by IObit. This application is specifically designed for optimizing and maintaining Mac computers.\nKey Features\nMacBooster 3 includes several essential features aimed at enhancing the performance and security of Mac systems:\nSystem Cleanup: .\nPerformance Boosting: \nMalware Protection: .\nCompatibility\nMacBooster 3 is compatible with macOS versions starting from OS X 10.9. False - \nWhat are the potential risks of using MacBooster 3 on a Mac computer?\nUsing MacBooster 3 on a Mac computer can lead to potentially unwanted program (PUP) behavior, including browser interference, frequent pop-ups, and the installation of unnecessary software.",
"modified": "2026-04-08T14:09:33.432000",
"created": "2026-04-08T14:09:33.432000",
"tags": [
"issuer apple",
"valid from",
"valid",
"serial number",
"macho",
"macho 64bit",
"mac os",
"x macho",
"intel",
"file version",
"team identifier",
"apple root",
"ca feb",
"am ma9eduzpcw",
"signers",
"issuer valid",
"from valid",
"status issuer",
"apple inc",
"valid apple",
"a9 a8",
"process32nextw",
"regsetvalueexa",
"read c",
"regdword",
"tls handshake",
"failure",
"msie",
"malware",
"write",
"win32",
"unknown",
"dynamicloader",
"high",
"myapp",
"device driver",
"host",
"worm",
"delphi",
"error",
"code",
"defender",
"next",
"file score",
"cryp",
"virus",
"checkin tls",
"forbidden yara",
"msvisualcpp2008",
"less ip",
"contacted",
"scanning host",
"trojan",
"exploit host",
"apple inc",
"monitored target",
"targeting",
"name servers",
"servers",
"expiration date",
"value emails",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"tulach"
],
"references": [
"com.iobit.MacBooster-3",
"IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden",
"Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ,",
"Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun",
"Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer",
"Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe",
"Alerts: injection_process_search antivm_network_adapters privilege_luid_check",
"Alerts: checks_debugger has_pdb raises_exception",
"IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96",
"Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com",
"Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen",
"I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.",
"https://otx.alienvault.com/indicator/cve/CVE-2023-22518",
"Issue! Team member found CVE-2023-22518 have origins from the State of Colorado",
"Issue! Multiple IoC\u2019s missing.",
"A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more",
"I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place",
"Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue",
"Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s",
"Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.",
"Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?",
"Researching using an easy powerful tool like this has led to confrontations.",
"I liked the tool. There is something strange happening with the pulses & IoC\u2019s",
"I did not clone my pulse to read Bit.io",
"I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members",
"There are serious researchers on here for a short time hoping to resolve serious cyber issues",
"I am unable to reach Level Blue regarding issues. Mailer Daemon only",
"It\u2019s not just me. I have contacted from very secured emails, networks, devices",
"I typically follow targets who have truly dangerous situations who no longer pulse.",
"This would be sent in an email but \u2026.",
"About pulse, found in peripheral.",
"When your pulse says contacted, who is contacted besides OTX?",
"An earlier version contacted entities affected or affecting targets."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Virus:Win32/Floxif.H",
"display_name": "Virus:Win32/Floxif.H",
"target": "/malware/Virus:Win32/Floxif.H"
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "Ransom:Win32/CVE-2017-0147",
"display_name": "Ransom:Win32/CVE-2017-0147",
"target": "/malware/Ransom:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 75,
"FileHash-MD5": 102,
"FileHash-SHA256": 2076,
"IPv4": 111,
"URL": 2496,
"CVE": 2,
"domain": 483,
"hostname": 938,
"email": 4,
"SSLCertFingerprint": 2
},
"indicator_count": 6289,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "11 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69aeda93ec05fb8653adca6d",
"name": "clone of my pulse. this dmv kit pdfkit.net used the same off logo kit it was one of the few i found in their fcc application . rpi&macids look for",
"description": "",
"modified": "2026-04-08T00:00:45.252000",
"created": "2026-03-09T14:34:59.072000",
"tags": [
"pfft.net"
],
"references": [
""
],
"public": 1,
"adversary": "pi, pdfkit.net",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "698c75717175e2cc7ff33df2",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 551,
"domain": 638,
"CVE": 114,
"hostname": 449,
"email": 28,
"FileHash-MD5": 145,
"FileHash-SHA1": 188,
"FileHash-SHA256": 132,
"Mutex": 1
},
"indicator_count": 2246,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 50,
"modified_text": "11 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69a145ba89a2b4af5a0aa721",
"name": "Credential Stuffing & C2 Config: AREK-BTC Variant (Zeppelin-Linked)",
"description": "IoCs for 83hcm-eadaebdbd / BF_BIND_STUFF Campaign\n[CONFIG_START]\nVERSION: 4.2.1-NSV4\nSERVER_HOST: akamaihd.net/eum/results.txt\nAUTH_KEY: 83hcm-eadaebdbd\nTARGET_LIST: /nests/stuffed_cred_v4.db\nACTION: BF_BIND_STUFF\nRETRY_LIMIT: 400\nLOG_PATH: /tmp/results_log.txt\n[PAYLOAD_REDIRECTS]\nURL1: https://formsv.nycourts.gov...\nURL2: https://caneidhelp.miami.edu...\nURL3: https://www.americanexpress.com...\n[USER_AGENT_SPOOF]\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\n[END_CONFIG]",
"modified": "2026-04-01T00:44:45.494000",
"created": "2026-02-27T07:20:26.222000",
"tags": [
"configstart",
"version",
"authkey",
"url1",
"useragentspoof",
"windows nt",
"win64",
"endconfig"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 91,
"domain": 33,
"hostname": 29,
"FileHash-SHA256": 91,
"FileHash-MD5": 1,
"FileHash-SHA1": 20,
"CVE": 14,
"email": 1
},
"indicator_count": 280,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "18 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6989077aa8c925b423ef9354",
"name": "Hybrid Managed Service Actor / provisioned insider",
"description": "An artifact was observed on May 4, 2025, utilizing a document lure. Analysis of the artifact indicated a failed cryptographic validation. This activity occurred specifically within the 24-hour period preceding the May 5, 2025, Microsoft DMARC/DKIM/SPF enforcement.\nThis activity was followed by the execution of suspected malware payloads, leading to the unauthorized transfer of data. The observed data exfiltration endpoint was hasthe.technology.",
"modified": "2026-03-31T21:36:40.020000",
"created": "2026-02-08T22:00:24.065000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 414,
"FileHash-SHA256": 115,
"CVE": 91,
"hostname": 374,
"URL": 657,
"email": 19,
"JA3": 1,
"FileHash-MD5": 13,
"FileHash-SHA1": 13
},
"indicator_count": 1697,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 51,
"modified_text": "18 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "698d30c03b57c38dff915023",
"name": "Double Umbrella AS15169/AS21928: This evaluates a critical structural convergence between Google (AS15169) and T-Mobile USA (AS21928) within the global Tier-1 routing backbone",
"description": "Research credit: msudosos, The research identifies a high-fidelity pattern where traffic from dual origins commingles within a restricted lateral transit hub, allowing for horizontal movement across backbone providers that typically maintain distinct trust boundaries. Specifically, the Content Origin (Umbrella A) originated by Google (AS15169) reaches the core backbone through a high-trust sequence involving Arelion (AS1299), NTT (AS2914), and GTT (AS3257). Simultaneously, the Mobile Origin (Umbrella B) originated by T-Mobile USA (AS21928) enters the backbone via Cogent (AS174) and Lumen (AS3356). The findings designate Lumen (AS3356) as the central lateral hub where traffic pivots horizontally between the \u201cCore Five\u201d partners-including Zayo (AS6461) and Hurricane Electric (AS6939) \u2014before leaking to international sub-transit peers like Sparkle (AS6762) and Telxius (AS12956), finally exiting at global edge points such as PCCW (AS3491) and Tata (AS6453).",
"modified": "2026-03-29T06:02:00.914000",
"created": "2026-02-12T01:45:36.128000",
"tags": [
"The dynamics of the mudoSOSIntersectalign with sophisticated adv"
],
"references": [
"as15169"
],
"public": 1,
"adversary": "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 3,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URI": 1,
"domain": 2661,
"URL": 6810,
"hostname": 2147,
"email": 56,
"FileHash-SHA256": 2781,
"CVE": 172,
"FileHash-MD5": 365,
"FileHash-SHA1": 344,
"IPv4": 1,
"CIDR": 20940
},
"indicator_count": 36278,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 52,
"modified_text": "21 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "698c3273517158869e0ba780",
"name": "Reputation Shielded C2 Pivot; High-Churn Wix Infrastructure with iCloud Exfil Adjacency",
"description": "Researcher Note (Feb 11, 2026) IPv4 185.230.61.96 (AS58182 \u2013 Wix.com Ltd.), resolving to unalocated.61.wixsite.com, demonstrates indicators consistent with structured abuse of shared SaaS hosting for command-and-control operations. Passive DNS telemetry reflects 500+ historical domain bindings across 52 TLDs, suggesting deliberate namespace dispersion and rotational overlay management rather than static tenancy. Network detections include repeated FormBook HTTP GET check-ins, Pushdo loader beacon cadence, and Windows Network Diagnostics user-agent spoofing, collectively aligning with controlled tasking infrastructure. Associated artifacts (11/50 AV detections) cluster around credential-stealer and loader families, including FormBook and GandCrab lineage components. The behavioral profile supports assessment of reputation parasitism\u2014leveraging trusted hosting to inherit platform trust and evade domain-based enforcement controls. Confidence: Moderate-High. MITRE: T1071.001, T1105, T1036.",
"modified": "2026-03-29T00:29:26.398000",
"created": "2026-02-11T07:40:32.757000",
"tags": [],
"references": [],
"public": 1,
"adversary": "Tier-1 SaaS Reputation Parasitism Leveraging Wix Infrastructure",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 265,
"domain": 294,
"URL": 331,
"email": 12,
"CVE": 61,
"FileHash-MD5": 73,
"FileHash-SHA1": 64,
"FileHash-SHA256": 74
},
"indicator_count": 1174,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 53,
"modified_text": "21 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "698ef344417f9985660e698b",
"name": "Pulse Data",
"description": "A complete summary of all the key points in the analysis of the W32.virus, compiled by the University of California, Los Angeles, at the end of May, 2014, and published online.",
"modified": "2026-03-28T07:23:23.210000",
"created": "2026-02-13T09:47:48.788000",
"tags": [
"imphash",
"file type",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"detections tls",
"zeppelin"
],
"references": [
"",
"4860f9c5ec1ab473f1d63d19a31c82798d65a8d2 Add to Pulse Pulses 2 AV Detections 1 IDS Detections 5 YARA Detections 3 Alerts 0 Analysis Overview Analysis Date 4 days ago File Score 12 Malicious Antivirus Detections TrojanDownloader:Win32/Tugspay.A IDS Detections TLS Handshake Failure 403 Forbidden Yara Detections Win32_PUA_Domaiq , aPLib , PECompact_2xx Alerts 31 Alerts antivm_display infostealer_browser infostealer_cookies procmem_yara static_pe_anomaly suricata_alert antivm_bochs_keys physical_drive_access "
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 646,
"FileHash-SHA1": 604,
"FileHash-SHA256": 1373,
"hostname": 1143,
"domain": 1381,
"URL": 2537,
"CVE": 101,
"email": 25,
"SSLCertFingerprint": 9
},
"indicator_count": 7819,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "22 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://support.Apple.com/en",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://support.Apple.com/en",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776615468.3437502
}