{ "type": "URL", "indicator": "https://support.cloudflarewarp.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://support.cloudflarewarp.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3840323225, "indicator": "https://support.cloudflarewarp.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "692f04e9fa3d782118e94aac", "name": "LevelBlue - Open Threat Exchange - Delete AppDeployed", "description": "I\u2019m not sure what to think. |\ndeploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev | Are these\npulses being sold or attacked? Christopher P. Ahmann of TAM Legal and his other firms has ALWAYS attacked targets phones and networks. Nothing is too outrageous for this maniac.\n\nHe is responsible for the recent attacks on devices , clouds , google accounts and a flurry of threats. Indicators in recently pulsed reports have been removed. I\u2019ve done my best to restore. \n\nI am also concerned about the safety or legitimacy of this platform.\n\nNo one is ever alerted. Simply calling someone and telling them about the compromises can equate to a big pay day for Level Blue and nothing for the victims of attacks. I need my pulses restored. \n\nIt\u2019s plausible to believe OTX was attacked by an external threat actor.\nAnything is possible when it comes to money.", "modified": "2026-01-01T15:04:20.907000", "created": "2025-12-02T15:25:29.158000", "tags": [ "levelblue", "open threat", "dynamicloader", "tlsv1", "high", "msie", "windows nt", "delete c", "fwlink", "stream", "powershell", "write", "malware", "local", "united", "flag", "date", "server", "crazy egg", "name server", "gmt flag", "domain address", "markmonitor", "enom", "sugges", "onv incude", "data upload", "find s", "extraction", "types", "type", "indicator", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "contacted hosts", "search", "entries", "read c", "medium", "memcommit", "tls handshake", "failure", "module load", "next", "execution", "dock", "capture", "persistence", "copy", "unknown", "suricata alert", "et info", "bad traffic", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "t1480 execution", "file defense", "write c", "x02x82", "xe6x15c6", "x16f", "xc0xc0xc0", "revengerat", "guard", "service", "encrypt", "entries yara", "delphi", "win32", "jordan", "delete app" ], "references": [ "https://otx.alienvault.com/indicator/domain/Tamlegal.com", "DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz", "endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander", "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Vmprotect-9880726-0", "display_name": "Win.Malware.Vmprotect-9880726-0", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" } ], "industries": [ "Technology", "Legal" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4624, "FileHash-SHA256": 2021, "FileHash-MD5": 51, "FileHash-SHA1": 20, "SSLCertFingerprint": 10, "hostname": 1433, "domain": 728 }, "indicator_count": 8887, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "107 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e2d950ac7d1e2a3454a4f", "name": "Gooogle Accounts | Drive-by Compromise \u2022 Ransomware \u2022 Phishing Attack", "description": "Google accounts Drive-by Compromise. Affected Google accounts redirects to a suspicious non - Google homepage. |\nRansomware | Adware | Phishing | Injection | \nExploits seen affecting both OS and iOS devices. Threat actors able to remotely access iOS device, unlock, access iCloud. System root control, fully infected devices, Attackers continue to ravage devices w/ drive by compromise, unsafe adware, malware text, etc., Seeks to remove malicious IoC\u2019s on mock accounts , password stealers", "modified": "2025-12-31T23:04:59.378000", "created": "2025-12-02T00:06:45.807000", "tags": [ "iocs", "drop", "network traffic", "ck id", "mitre att", "ck matrix", "network related", "detected", "t1566", "t1204", "united", "click", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "learn", "suspicious", "informative", "name tactics", "adversaries", "command", "initial access", "spawns", "found", "binary file", "t1189", "regsetvalueexa", "regdword", "post http", "medium", "high", "regbinary", "loader", "dock", "write", "malware", "unknown", "romania unknown", "present may", "msie", "chrome", "body", "passive dns", "ip address", "present jun", "welcome", "accept", "encrypt", "gmt content", "ipv4 add", "url analysis", "urls", "files", "reverse dns", "unknown aaaa", "certificate", "hostname add", "error", "flag", "domain address", "contacted hosts", "type", "india unknown", "record value", "body html", "head title", "title", "entries", "read c", "high defense", "evasion", "yara detections", "virtool", "win32", "ahmann", "hacker group", "law firm", "order", "google", "smart assembly" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VirTool:MSIL/Injector.BF", "display_name": "VirTool:MSIL/Injector.BF", "target": "/malware/VirTool:MSIL/Injector.BF" }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 112, "FileHash-SHA256": 589, "URL": 1795, "SSLCertFingerprint": 3, "domain": 319, "hostname": 847, "email": 1 }, "indicator_count": 3781, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e1b4122a419384f1add7f", "name": "Cutwail Trojan DownLoader | Driveby compromises | Redirect", "description": "Cutwail Trojan DownLoader | Driveby comprises | Malicious Redirects.\n\nSuspicious redirects from Google homepage to \u2018Doodle\u2019s\nHeavy , ongoing cyber attack. Affects, iOS, Android, Cellular networks (global)\n\nI\u2019m hoping OTX will fully pulse. Indicators will be pulsed fully relying on OTX auto\npulse alone. No references or input from me.", "modified": "2025-12-31T22:02:44.679000", "created": "2025-12-01T22:48:33.510000", "tags": [ "filehashmd5", "filehashsha256", "sha256", "filehashsha1", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "dynamicloader", "medium", "show", "entries", "dynamic", "pe section", "filehash", "md5 add", "pulse pulses", "av detections", "copy", "write", "flag", "misc activity", "et info", "cloudflare dns", "over https", "windir", "openurl c", "prefetch2", "dns requests", "domain address", "google homepage", "html", "binary file", "ck id", "show technique", "mitre att", "ck matrix", "matched", "redirect", "t1189", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "ck techniques", "alert", "potential ip", "general", "click", "united", "analysis tip", "analysis", "tor analysis", "date", "c pe", "data upload", "extraction", "iocs", "manually add", "network traffic", "detected", "t1566", "submitted url", "t1204" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 95, "FileHash-SHA1": 95, "FileHash-SHA256": 183, "hostname": 227, "domain": 83, "URL": 575 }, "indicator_count": 1258, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6928f8d9e4222a6a219d785e", "name": "ClipBanker Spy & Information stealer | Crazy Frost | MaaS | Chrome & Cloudflare attacks", "description": "It appears that entity CrazyFrost provides MasS among other things that include major smear campaigns.| Likely quasi government , and Law Firm contractors.. Domestic terrorizing isn\u2019t a stretch.\nClipBanker: A form of banking trojan information stealer and spy that specifically monitors and steals information, likely by modifying the clipboard contents to redirect financial transactions (e.g., changing a copied bank account number to the attacker's).\n\n[OTX populated - HOSTNAME: CloudFlare.com.., a company owned by the US government, has been added to Pulse, an anti-virus database. (Pulses) created by users.]", "modified": "2025-12-28T00:04:06.179000", "created": "2025-11-28T01:20:25.401000", "tags": [ "dynamicloader", "json", "ascii text", "high", "data", "x90uxa4xf8", "cape", "stream", "guard", "write", "trojan", "redline", "malware", "push", "local", "injection_inter_process", "recon_fingerprint", "persistence_ads", "process_creation_suspicious_location", "infostealer_browser", "infostealer_cookies", "stealth_file", "cape_detected_threat", "antivm_generic_bios", "cape_extracted_content", "united", "mtb jul", "a domains", "aaaa", "443 ma86400", "servers", "win32upatre jul", "virtool", "b778b1", "div div", "d9e4f4", "edf2f8", "present mar", "fastest privacy", "first dns", "win32", "trojandropper", "passive dns", "mtb nov", "ipv4 add", "asn as13335", "dns resolutions", "domain", "data upload", "extraction", "yara", "troja yara", "trojar data", "virto", "worn data", "included iocs", "manually add", "resolved ips", "ta0002", "evasion ta0005", "tr shared", "modules", "files", "infor", "t1027", "process t1057", "community score", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "name server", "date", "cloudflare", "data protected", "misc activity", "et info", "dns requests", "domain address", "gmt flag", "techtarget", "server", "et policy", "prefetch2", "t1179 hooking", "access windows", "installs", "mitre att", "ck techniques", "click", "windir", "country", "contacted hosts", "ip address", "process details", "contacted", "http traffic", "suricata alerts", "event category", "found" ], "references": [ "Malware : ClipBanker Entity: Crazy Frost", "www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Services : GoogleChromeElevationService = Delete", "Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap", "Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap", "Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap", "Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj", "Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap", "Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake", "Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", "CS IDS: Matches rule (http_inspect) invalid status line", "CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.", "jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube/" ], "public": 1, "adversary": "Crazy Frost", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Trojan.Disfa/downloader10", "display_name": "Trojan.Disfa/downloader10", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "Rozena", "display_name": "Rozena", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 295, "FileHash-SHA1": 217, "FileHash-SHA256": 1887, "URL": 3263, "domain": 597, "hostname": 1085, "email": 2, "CVE": 1 }, "indicator_count": 7347, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "112 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cdac3ba9d7f42c0ed9c46d", "name": "Emotet | POD 18447 for Cox.xls | M. Brian Sabey \u2022 HallRender \u2022 Denver", "description": "Researchers have identified the source of a virus that has spread around the world and is believed to be linked to a network called \"thedevilsback\" in the United States, which is currently under the control of Amazon.com.", "modified": "2024-03-16T05:00:42.461000", "created": "2024-02-15T06:16:27.967000", "tags": [ "dns resolutions", "ip traffic", "hashes", "file type", "name file", "ip detections", "country", "search", "zbot type", "indicator role", "active related", "filehashsha256", "entries", "brian sabey", "ssl certificate", "contacted", "resolutions", "communicating", "referrer", "emotet emotet", "malware emotet", "http", "emotet", "whois record", "contacted urls", "bundled", "threat roundup", "historical ssl", "execution", "attack", "probe", "service", "startpage", "core", "hiddentear", "guid", "ransomexx", "azorult", "lightning", "ursnif", "agent tesla", "quasar", "trickbot", "project", "remcos", "evilnum", "asyncrat", "matanbuchus", "cobalt strike", "metro", "intel", "ms windows", "pe32", "show", "trojan", "copy", "windows", "read", "write", "february", "delphi", "win32", "ransomware", "united", "unknown", "as44273 host", "moved", "passive dns", "gmt content", "scan endpoints", "all octoseek", "pulse pulses", "urls", "body", "date", "encrypt", "trojandropper", "ipv4", "virtool", "junkpoly", "worm", "msie", "chrome", "status", "creation date", "servers", "record value", "javascript", "please", "june", "august", "malware", "whois whois", "njrat", "ransomware", "siblings domain", "tulach", "hallrender", "cyber espionage", "cyberstalking" ], "references": [ "POD 18447 for Cox.xls", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "1.download.windowsupdate.com [HiddenTear]", "https://tulach.cc/ \u2022 tulach.cc \u2022 thedevilsback.golf \u2022 nextcloud.tulach.cc [phishing]", "https://gronthoghor.com/xoe/qbot.zip \u2022", "Win32:JunkPoly - Worm:Win32/Bagle.gen!C https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.metrobyt-mobile.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Delphi", "display_name": "Delphi", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5573, "hostname": 1806, "FileHash-SHA256": 5748, "domain": 1677, "FileHash-MD5": 349, "FileHash-SHA1": 348, "CVE": 3, "email": 3 }, "indicator_count": 15507, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "764 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cdac46a01234da94a42565", "name": "Emotet | POD 18447 for Cox.xls | M. Brian Sabey \u2022 HallRender \u2022 Denver", "description": "Researchers have identified the source of a virus that has spread around the world and is believed to be linked to a network called \"thedevilsback\" in the United States, which is currently under the control of Amazon.com.", "modified": "2024-03-16T05:00:42.461000", "created": "2024-02-15T06:16:38.290000", "tags": [ "dns resolutions", "ip traffic", "hashes", "file type", "name file", "ip detections", "country", "search", "zbot type", "indicator role", "active related", "filehashsha256", "entries", "brian sabey", "ssl certificate", "contacted", "resolutions", "communicating", "referrer", "emotet emotet", "malware emotet", "http", "emotet", "whois record", "contacted urls", "bundled", "threat roundup", "historical ssl", "execution", "attack", "probe", "service", "startpage", "core", "hiddentear", "guid", "ransomexx", "azorult", "lightning", "ursnif", "agent tesla", "quasar", "trickbot", "project", "remcos", "evilnum", "asyncrat", "matanbuchus", "cobalt strike", "metro", "intel", "ms windows", "pe32", "show", "trojan", "copy", "windows", "read", "write", "february", "delphi", "win32", "ransomware", "united", "unknown", "as44273 host", "moved", "passive dns", "gmt content", "scan endpoints", "all octoseek", "pulse pulses", "urls", "body", "date", "encrypt", "trojandropper", "ipv4", "virtool", "junkpoly", "worm", "msie", "chrome", "status", "creation date", "servers", "record value", "javascript", "please", "june", "august", "malware", "whois whois", "njrat", "ransomware", "siblings domain", "tulach", "hallrender", "cyber espionage", "cyberstalking" ], "references": [ "POD 18447 for Cox.xls", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "1.download.windowsupdate.com [HiddenTear]", "https://tulach.cc/ \u2022 tulach.cc \u2022 thedevilsback.golf \u2022 nextcloud.tulach.cc [phishing]", "https://gronthoghor.com/xoe/qbot.zip \u2022", "Win32:JunkPoly - Worm:Win32/Bagle.gen!C https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.metrobyt-mobile.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Delphi", "display_name": "Delphi", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5573, "hostname": 1806, "FileHash-SHA256": 5748, "domain": 1677, "FileHash-MD5": 349, "FileHash-SHA1": 348, "CVE": 3, "email": 3 }, "indicator_count": 15507, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "764 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube", "https://tulach.cc/ \u2022 tulach.cc \u2022 thedevilsback.golf \u2022 nextcloud.tulach.cc [phishing]", "Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap", "CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.", "jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8", "endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander", "1.download.windowsupdate.com [HiddenTear]", "POD 18447 for Cox.xls", "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev", "Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj", "www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost", "CS IDS: Matches rule (http_inspect) invalid status line", "Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake", "Malware : ClipBanker Entity: Crazy Frost", "https://gronthoghor.com/xoe/qbot.zip \u2022", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap", "Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", "Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap", "http://www.anyxxxtube/", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "https://otx.alienvault.com/indicator/domain/Tamlegal.com", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap", "Win32:JunkPoly - Worm:Win32/Bagle.gen!C https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.metrobyt-mobile.com", "Services : GoogleChromeElevationService = Delete" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Crazy Frost" ], "malware_families": [ "Alf:heraklezeval:trojan:win32/clipbanker", "Delphi", "Qbot", "Trojan:win32/zusy", "Zbot", "Win.malware.vmprotect-9880726-0", "Other malware", "Rozena", "Emotet", "Hiddentear", "Trojan:win32/antavmu.d", "Ransomware", "Trojan.disfa/downloader10", "Virtool:msil/injector.bf" ], "industries": [ "Legal", "Technology" ], "unique_indicators": 33986 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/cloudflarewarp.com", "whois": "http://whois.domaintools.com/cloudflarewarp.com", "domain": "cloudflarewarp.com", "hostname": "support.cloudflarewarp.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "692f04e9fa3d782118e94aac", "name": "LevelBlue - Open Threat Exchange - Delete AppDeployed", "description": "I\u2019m not sure what to think. |\ndeploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev | Are these\npulses being sold or attacked? Christopher P. Ahmann of TAM Legal and his other firms has ALWAYS attacked targets phones and networks. Nothing is too outrageous for this maniac.\n\nHe is responsible for the recent attacks on devices , clouds , google accounts and a flurry of threats. Indicators in recently pulsed reports have been removed. I\u2019ve done my best to restore. \n\nI am also concerned about the safety or legitimacy of this platform.\n\nNo one is ever alerted. Simply calling someone and telling them about the compromises can equate to a big pay day for Level Blue and nothing for the victims of attacks. I need my pulses restored. \n\nIt\u2019s plausible to believe OTX was attacked by an external threat actor.\nAnything is possible when it comes to money.", "modified": "2026-01-01T15:04:20.907000", "created": "2025-12-02T15:25:29.158000", "tags": [ "levelblue", "open threat", "dynamicloader", "tlsv1", "high", "msie", "windows nt", "delete c", "fwlink", "stream", "powershell", "write", "malware", "local", "united", "flag", "date", "server", "crazy egg", "name server", "gmt flag", "domain address", "markmonitor", "enom", "sugges", "onv incude", "data upload", "find s", "extraction", "types", "type", "indicator", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "contacted hosts", "search", "entries", "read c", "medium", "memcommit", "tls handshake", "failure", "module load", "next", "execution", "dock", "capture", "persistence", "copy", "unknown", "suricata alert", "et info", "bad traffic", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "t1480 execution", "file defense", "write c", "x02x82", "xe6x15c6", "x16f", "xc0xc0xc0", "revengerat", "guard", "service", "encrypt", "entries yara", "delphi", "win32", "jordan", "delete app" ], "references": [ "https://otx.alienvault.com/indicator/domain/Tamlegal.com", "DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz", "endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander", "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Vmprotect-9880726-0", "display_name": "Win.Malware.Vmprotect-9880726-0", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" } ], "industries": [ "Technology", "Legal" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4624, "FileHash-SHA256": 2021, "FileHash-MD5": 51, "FileHash-SHA1": 20, "SSLCertFingerprint": 10, "hostname": 1433, "domain": 728 }, "indicator_count": 8887, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "107 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e2d950ac7d1e2a3454a4f", "name": "Gooogle Accounts | Drive-by Compromise \u2022 Ransomware \u2022 Phishing Attack", "description": "Google accounts Drive-by Compromise. Affected Google accounts redirects to a suspicious non - Google homepage. |\nRansomware | Adware | Phishing | Injection | \nExploits seen affecting both OS and iOS devices. Threat actors able to remotely access iOS device, unlock, access iCloud. System root control, fully infected devices, Attackers continue to ravage devices w/ drive by compromise, unsafe adware, malware text, etc., Seeks to remove malicious IoC\u2019s on mock accounts , password stealers", "modified": "2025-12-31T23:04:59.378000", "created": "2025-12-02T00:06:45.807000", "tags": [ "iocs", "drop", "network traffic", "ck id", "mitre att", "ck matrix", "network related", "detected", "t1566", "t1204", "united", "click", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "learn", "suspicious", "informative", "name tactics", "adversaries", "command", "initial access", "spawns", "found", "binary file", "t1189", "regsetvalueexa", "regdword", "post http", "medium", "high", "regbinary", "loader", "dock", "write", "malware", "unknown", "romania unknown", "present may", "msie", "chrome", "body", "passive dns", "ip address", "present jun", "welcome", "accept", "encrypt", "gmt content", "ipv4 add", "url analysis", "urls", "files", "reverse dns", "unknown aaaa", "certificate", "hostname add", "error", "flag", "domain address", "contacted hosts", "type", "india unknown", "record value", "body html", "head title", "title", "entries", "read c", "high defense", "evasion", "yara detections", "virtool", "win32", "ahmann", "hacker group", "law firm", "order", "google", "smart assembly" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VirTool:MSIL/Injector.BF", "display_name": "VirTool:MSIL/Injector.BF", "target": "/malware/VirTool:MSIL/Injector.BF" }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 112, "FileHash-SHA256": 589, "URL": 1795, "SSLCertFingerprint": 3, "domain": 319, "hostname": 847, "email": 1 }, "indicator_count": 3781, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e1b4122a419384f1add7f", "name": "Cutwail Trojan DownLoader | Driveby compromises | Redirect", "description": "Cutwail Trojan DownLoader | Driveby comprises | Malicious Redirects.\n\nSuspicious redirects from Google homepage to \u2018Doodle\u2019s\nHeavy , ongoing cyber attack. Affects, iOS, Android, Cellular networks (global)\n\nI\u2019m hoping OTX will fully pulse. Indicators will be pulsed fully relying on OTX auto\npulse alone. No references or input from me.", "modified": "2025-12-31T22:02:44.679000", "created": "2025-12-01T22:48:33.510000", "tags": [ "filehashmd5", "filehashsha256", "sha256", "filehashsha1", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "dynamicloader", "medium", "show", "entries", "dynamic", "pe section", "filehash", "md5 add", "pulse pulses", "av detections", "copy", "write", "flag", "misc activity", "et info", "cloudflare dns", "over https", "windir", "openurl c", "prefetch2", "dns requests", "domain address", "google homepage", "html", "binary file", "ck id", "show technique", "mitre att", "ck matrix", "matched", "redirect", "t1189", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "ck techniques", "alert", "potential ip", "general", "click", "united", "analysis tip", "analysis", "tor analysis", "date", "c pe", "data upload", "extraction", "iocs", "manually add", "network traffic", "detected", "t1566", "submitted url", "t1204" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 95, "FileHash-SHA1": 95, "FileHash-SHA256": 183, "hostname": 227, "domain": 83, "URL": 575 }, "indicator_count": 1258, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6928f8d9e4222a6a219d785e", "name": "ClipBanker Spy & Information stealer | Crazy Frost | MaaS | Chrome & Cloudflare attacks", "description": "It appears that entity CrazyFrost provides MasS among other things that include major smear campaigns.| Likely quasi government , and Law Firm contractors.. Domestic terrorizing isn\u2019t a stretch.\nClipBanker: A form of banking trojan information stealer and spy that specifically monitors and steals information, likely by modifying the clipboard contents to redirect financial transactions (e.g., changing a copied bank account number to the attacker's).\n\n[OTX populated - HOSTNAME: CloudFlare.com.., a company owned by the US government, has been added to Pulse, an anti-virus database. (Pulses) created by users.]", "modified": "2025-12-28T00:04:06.179000", "created": "2025-11-28T01:20:25.401000", "tags": [ "dynamicloader", "json", "ascii text", "high", "data", "x90uxa4xf8", "cape", "stream", "guard", "write", "trojan", "redline", "malware", "push", "local", "injection_inter_process", "recon_fingerprint", "persistence_ads", "process_creation_suspicious_location", "infostealer_browser", "infostealer_cookies", "stealth_file", "cape_detected_threat", "antivm_generic_bios", "cape_extracted_content", "united", "mtb jul", "a domains", "aaaa", "443 ma86400", "servers", "win32upatre jul", "virtool", "b778b1", "div div", "d9e4f4", "edf2f8", "present mar", "fastest privacy", "first dns", "win32", "trojandropper", "passive dns", "mtb nov", "ipv4 add", "asn as13335", "dns resolutions", "domain", "data upload", "extraction", "yara", "troja yara", "trojar data", "virto", "worn data", "included iocs", "manually add", "resolved ips", "ta0002", "evasion ta0005", "tr shared", "modules", "files", "infor", "t1027", "process t1057", "community score", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "name server", "date", "cloudflare", "data protected", "misc activity", "et info", "dns requests", "domain address", "gmt flag", "techtarget", "server", "et policy", "prefetch2", "t1179 hooking", "access windows", "installs", "mitre att", "ck techniques", "click", "windir", "country", "contacted hosts", "ip address", "process details", "contacted", "http traffic", "suricata alerts", "event category", "found" ], "references": [ "Malware : ClipBanker Entity: Crazy Frost", "www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Services : GoogleChromeElevationService = Delete", "Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap", "Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap", "Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap", "Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj", "Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap", "Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake", "Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", "CS IDS: Matches rule (http_inspect) invalid status line", "CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.", "jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube/" ], "public": 1, "adversary": "Crazy Frost", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Trojan.Disfa/downloader10", "display_name": "Trojan.Disfa/downloader10", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "Rozena", "display_name": "Rozena", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 295, "FileHash-SHA1": 217, "FileHash-SHA256": 1887, "URL": 3263, "domain": 597, "hostname": 1085, "email": 2, "CVE": 1 }, "indicator_count": 7347, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "112 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cdac3ba9d7f42c0ed9c46d", "name": "Emotet | POD 18447 for Cox.xls | M. Brian Sabey \u2022 HallRender \u2022 Denver", "description": "Researchers have identified the source of a virus that has spread around the world and is believed to be linked to a network called \"thedevilsback\" in the United States, which is currently under the control of Amazon.com.", "modified": "2024-03-16T05:00:42.461000", "created": "2024-02-15T06:16:27.967000", "tags": [ "dns resolutions", "ip traffic", "hashes", "file type", "name file", "ip detections", "country", "search", "zbot type", "indicator role", "active related", "filehashsha256", "entries", "brian sabey", "ssl certificate", "contacted", "resolutions", "communicating", "referrer", "emotet emotet", "malware emotet", "http", "emotet", "whois record", "contacted urls", "bundled", "threat roundup", "historical ssl", "execution", "attack", "probe", "service", "startpage", "core", "hiddentear", "guid", "ransomexx", "azorult", "lightning", "ursnif", "agent tesla", "quasar", "trickbot", "project", "remcos", "evilnum", "asyncrat", "matanbuchus", "cobalt strike", "metro", "intel", "ms windows", "pe32", "show", "trojan", "copy", "windows", "read", "write", "february", "delphi", "win32", "ransomware", "united", "unknown", "as44273 host", "moved", "passive dns", "gmt content", "scan endpoints", "all octoseek", "pulse pulses", "urls", "body", "date", "encrypt", "trojandropper", "ipv4", "virtool", "junkpoly", "worm", "msie", "chrome", "status", "creation date", "servers", "record value", "javascript", "please", "june", "august", "malware", "whois whois", "njrat", "ransomware", "siblings domain", "tulach", "hallrender", "cyber espionage", "cyberstalking" ], "references": [ "POD 18447 for Cox.xls", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "1.download.windowsupdate.com [HiddenTear]", "https://tulach.cc/ \u2022 tulach.cc \u2022 thedevilsback.golf \u2022 nextcloud.tulach.cc [phishing]", "https://gronthoghor.com/xoe/qbot.zip \u2022", "Win32:JunkPoly - Worm:Win32/Bagle.gen!C https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.metrobyt-mobile.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Delphi", "display_name": "Delphi", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5573, "hostname": 1806, "FileHash-SHA256": 5748, "domain": 1677, "FileHash-MD5": 349, "FileHash-SHA1": 348, "CVE": 3, "email": 3 }, "indicator_count": 15507, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "764 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cdac46a01234da94a42565", "name": "Emotet | POD 18447 for Cox.xls | M. Brian Sabey \u2022 HallRender \u2022 Denver", "description": "Researchers have identified the source of a virus that has spread around the world and is believed to be linked to a network called \"thedevilsback\" in the United States, which is currently under the control of Amazon.com.", "modified": "2024-03-16T05:00:42.461000", "created": "2024-02-15T06:16:38.290000", "tags": [ "dns resolutions", "ip traffic", "hashes", "file type", "name file", "ip detections", "country", "search", "zbot type", "indicator role", "active related", "filehashsha256", "entries", "brian sabey", "ssl certificate", "contacted", "resolutions", "communicating", "referrer", "emotet emotet", "malware emotet", "http", "emotet", "whois record", "contacted urls", "bundled", "threat roundup", "historical ssl", "execution", "attack", "probe", "service", "startpage", "core", "hiddentear", "guid", "ransomexx", "azorult", "lightning", "ursnif", "agent tesla", "quasar", "trickbot", "project", "remcos", "evilnum", "asyncrat", "matanbuchus", "cobalt strike", "metro", "intel", "ms windows", "pe32", "show", "trojan", "copy", "windows", "read", "write", "february", "delphi", "win32", "ransomware", "united", "unknown", "as44273 host", "moved", "passive dns", "gmt content", "scan endpoints", "all octoseek", "pulse pulses", "urls", "body", "date", "encrypt", "trojandropper", "ipv4", "virtool", "junkpoly", "worm", "msie", "chrome", "status", "creation date", "servers", "record value", "javascript", "please", "june", "august", "malware", "whois whois", "njrat", "ransomware", "siblings domain", "tulach", "hallrender", "cyber espionage", "cyberstalking" ], "references": [ "POD 18447 for Cox.xls", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "1.download.windowsupdate.com [HiddenTear]", "https://tulach.cc/ \u2022 tulach.cc \u2022 thedevilsback.golf \u2022 nextcloud.tulach.cc [phishing]", "https://gronthoghor.com/xoe/qbot.zip \u2022", "Win32:JunkPoly - Worm:Win32/Bagle.gen!C https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.metrobyt-mobile.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Delphi", "display_name": "Delphi", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5573, "hostname": 1806, "FileHash-SHA256": 5748, "domain": 1677, "FileHash-MD5": 349, "FileHash-SHA1": 348, "CVE": 3, "email": 3 }, "indicator_count": 15507, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "764 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://support.cloudflarewarp.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://support.cloudflarewarp.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776596651.2015014 }