{
"type": "URL",
"indicator": "https://syndicatedsearch.goog/afs/ads/i/iframe.html",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://syndicatedsearch.goog/afs/ads/i/iframe.html",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3849908835,
"indicator": "https://syndicatedsearch.goog/afs/ads/i/iframe.html",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 13,
"pulses": [
{
"id": "6993a71f4d27a7ff637d948d",
"name": "\"Gay\" dating websites that spoof assets",
"description": "fake and redirect - enjoyflirting.com\n\nincluding pornhub, xhamster and uk age verification systems",
"modified": "2026-03-18T23:02:37.713000",
"created": "2026-02-16T23:24:10.804000",
"tags": [
"get https",
"sha512",
"post https",
"sha256",
"sha1",
"get http",
"p2404",
"filesize",
"p11771835368",
"options https",
"score"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1124",
"name": "System Time Discovery",
"display_name": "T1124 - System Time Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "r0b1nh0od",
"id": "320328",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_320328/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 500,
"FileHash-SHA1": 419,
"FileHash-SHA256": 419,
"URL": 327,
"domain": 14,
"hostname": 43
},
"indicator_count": 1722,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 26,
"modified_text": "73 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68de7a48636c1d113e6069ff",
"name": "911 Call during Remote phone reconfiguration | 3rd Party YouTube | Ransomware",
"description": "Tested address. Link based on a 911 call on a known targeted device. Address incorrect but malicious activity found. Hacked device was under an unauthorized reconfiguration over several days. Russian conversion set up, Yandex and a 3rd party YouTube on a device that has never had a YouTube account or any other 3rd party apps.",
"modified": "2025-11-01T12:01:18.197000",
"created": "2025-10-02T13:12:40.466000",
"tags": [
"passive dns",
"emails",
"servers",
"code",
"united",
"aaaa",
"found",
"email",
"port",
"destination",
"msie",
"windows nt",
"wow64",
"slcc2",
"dock",
"write",
"execution",
"memcommit",
"write c",
"create c",
"delete c",
"delete",
"april",
"trojan",
"mtb apr",
"ransom",
"united states",
"hostname",
"read c",
"users",
"win32",
"malware",
"title",
"installer",
"america",
"password",
"injection",
"crypt",
"zombie",
"network",
"remote"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Inject.BRDV",
"display_name": "Inject.BRDV",
"target": null
},
{
"id": "PSW.Generic11",
"display_name": "PSW.Generic11",
"target": null
},
{
"id": "Crypt2.AZDI",
"display_name": "Crypt2.AZDI",
"target": null
},
{
"id": "win32:Androp",
"display_name": "win32:Androp",
"target": null
},
{
"id": "Trojan:Win32/Zombie",
"display_name": "Trojan:Win32/Zombie",
"target": "/malware/Trojan:Win32/Zombie"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1562.003",
"name": "Impair Command History Logging",
"display_name": "T1562.003 - Impair Command History Logging"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1156",
"name": "Malicious Shell Modification",
"display_name": "T1156 - Malicious Shell Modification"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1563",
"name": "Remote Service Session Hijacking",
"display_name": "T1563 - Remote Service Session Hijacking"
},
{
"id": "T1122",
"name": "Component Object Model Hijacking",
"display_name": "T1122 - Component Object Model Hijacking"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1037.003",
"name": "Network Logon Script",
"display_name": "T1037.003 - Network Logon Script"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 52,
"email": 1,
"URL": 172,
"hostname": 70,
"FileHash-MD5": 155,
"FileHash-SHA1": 133,
"FileHash-SHA256": 258
},
"indicator_count": 841,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "210 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "686d28ec9208b0424e0ccad2",
"name": "Remote Keylogger | Foundry",
"description": "Keylogger Remotely installed on all of targets devices. Up until\u2026 target had to purchase and return more than 50\ndevices minus service plans. Apple\nengineers have been involved many times. Mercenary attacks also confirmed: A kind phone store owner gave her a free phone that was hacked within seconds. \nUnless someone has been \u2018framing Palantir / Foundry Tech Mafia is portrayed a playing a significant involvement of SA victim potentially since day of coerced disclosure in 2013.\nThe first clue was a YouTube follower with a menacing name and picture began to follow, change login, network, dumped adult content, utilized web content scrapers,. stole\nPasswords,etc., Anyway .. Unruy & remotely installed keylogger. \n#foundry #apple #soc #keylogger \n\nThis is risky to say but very wrong to do. She was a multi generational (MGM) American.",
"modified": "2025-09-19T03:02:22.742000",
"created": "2025-07-08T14:19:24.211000",
"tags": [
"delete",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"delete c",
"intel",
"write",
"malware",
"dynamicloader",
"yara rule",
"high",
"vmware",
"phishing",
"remote",
"keylogger",
"remote keylogger",
"type indicator",
"related pulses",
"no expiration",
"url https",
"showing",
"reputation",
"foundry",
"apple",
"downloader",
"trojan"
],
"references": [
"http://www.download-servers.com/SysInfo/Validate.exe||random.exe||/S||access your PC from anywhere!||Remote Access to your Home or Office PC remotely. Work on your PC from any internet computer or mobile. Access All files and transfer them between computers. Invite friends to view your LiveScreen and share presentations.||",
"\u2022 engine.remote-keylogger.net \u2022 logout-superset2.remote-keylogger.net \u2022 mail.remote-keylogger.net",
"\u2022 http://appleid.apple.com-cgi-bin-wets-myapleid.woa-wa-direct.yimucentral.com/apple/cgibin/confirm/processing/cmd=/95d9e0a26d38b5f248bb389e1a4d14c0/webobjects",
"\u2022 199.59.243.226",
"\u2022 ww25.vpn.steamcommunity-site.info",
"\u2022 apple-mac.us \u2022 zpwi8.itunes-apple-jp.xyz \u2022 applefanatic.org \u2022 appleemailaccounts.com \u2022 http://appleemailaccounts.com/",
"\u2022 zgcdfoundry.com \u2022 https://zgcdfoundry.com/",
"\u2022 ww25.vpn.twitte5r.com | http://paypal-online.5flix.net/ | court-supreme.us",
"\u2022 https://animal64u.com/bestiality-animal-porn/dog \u2022 \thttp://xxnxporntube.com",
"\u2022 starbucksmobilepay.5flix.net | https://mobilemobster.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Unruy",
"display_name": "Unruy",
"target": null
},
{
"id": "Reputation.1",
"display_name": "Reputation.1",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
}
],
"industries": [
"Telecommunications",
"Technology",
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 260,
"FileHash-SHA1": 244,
"FileHash-SHA256": 4406,
"URL": 9684,
"domain": 3164,
"hostname": 3370,
"CVE": 1
},
"indicator_count": 21129,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 148,
"modified_text": "254 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "688d75bdc4bc5ba5cb6df7fb",
"name": "2nd X - https://ldl.myqnascloud.com/ - DT_VMP_32",
"description": "*Malware: DT_VMP_32 -associated with non specific trojan or ransomware activity, widely-known malware family with (custom) unique names.\n\u2022 pid-bodis-gcontrol151 |\u2022 googledownloads.cn\nServer or central repository used to target Tsara Brashears , \n into a malicious w/botnet world. Parked domains used w/malicious intent though appearing benign or \u2018for sale\u2019. \n\nDetections: \nSuspicious User-Agent - Possible Trojan Downloader (https)\nHTTP Request to a *.tw domain\n#bodis #targeting #parkingcrews #active #content_delivery #malvertizing #content_scraping #malware #attacks #dumping #framing #webcache #colbaltstrike #trojan_downloader #disabler #distributor #music_piracy #domainfraud #ransom",
"modified": "2025-09-01T01:01:18.030000",
"created": "2025-08-02T02:19:41.646000",
"tags": [
"cisco",
"umbrella rank",
"domain",
"general full",
"united",
"reverse dns",
"software",
"kb script",
"url https",
"asn15169",
"google",
"resource",
"hash",
"value",
"variables",
"domainpath name",
"name value",
"august",
"servaas klute",
"americachicago",
"verified",
"ecdsa",
"linux x8664",
"khtml",
"gecko",
"aes128gcm",
"maxradlinklen50",
"encrypt",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"javascript",
"spawns",
"mitre att",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"ascii text",
"pattern match",
"show technique",
"body",
"date",
"hybrid",
"general",
"path",
"click",
"strings",
"meta",
"present jul",
"search",
"entries",
"ip address",
"registrar",
"creation date",
"record value",
"name servers",
"servers",
"found a",
"location united",
"asn as15169",
"less whois",
"mtb apr",
"trojan",
"trojandropper",
"backdoor",
"win32qqpass apr",
"next associated",
"files show",
"date hash",
"avast avg",
"ipv4",
"pulse pulses",
"passive dns",
"urls",
"files",
"hacktool",
"ipv4 add",
"virtool",
"present aug",
"present feb",
"present jan",
"gmt location",
"gmt max",
"certificate",
"showing",
"cowboy"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2209,
"domain": 801,
"URL": 6114,
"FileHash-SHA256": 2162,
"FileHash-MD5": 184,
"FileHash-SHA1": 187,
"CIDR": 3,
"SSLCertFingerprint": 2,
"email": 1,
"CVE": 2
},
"indicator_count": 11665,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "272 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6876e1e75949dfc0fe3c7875",
"name": "Potentially ICARUS, Strange redirect from urlscan.io to 103.224.212.210",
"description": "The \u201cPotentially ICARUS\u201d threat hunt focuses on identifying a highly capable and persistent malware strain exhibiting a broad range of tactics and behaviors. This threat shows hallmarks of a multi-purpose implant or a modular malware framework. With confirmed classifications as adware, bootkit, trojan, stealer, and spyware, the sample uses layered techniques for persistence, evasion, discovery, and privilege escalation.\nPersistence Techniques\n\nThis hunt aims to uncover infection vectors, malicious registry keys, dropped binaries, and behavioral indicators across the environment, with a focus on detecting early execution, data exfiltration mechanisms, and evasion patterns consistent with the ICARUS threat profile.",
"modified": "2025-08-22T05:03:46.995000",
"created": "2025-07-15T23:19:02.845000",
"tags": [
"potentially",
"icarus",
"setup",
"session manager",
"com hijacking",
"task scheduler",
"com api",
"image file",
"ifeo",
"master boot",
"aqb1",
"ndh1",
"s1280x720",
"aqe1",
"qclienttypeweb",
"p11752710011",
"p2404",
"p4eqyyz1w",
"AvEmUpdate.exe",
"afwServ.exe",
"icarus.exe",
"AvLaunch.exe",
"avast_free_antivirus_online_setup.exe",
"AvastBrowser.exe",
"RegSvr.exe",
"msiexec.exe",
"msedge.exe",
"wsc_proxy.exe",
"overseer.exe",
"setup.exe",
"undefined",
"Zeppelin_10",
"ConventionEngine_Anomaly_MultiPDB_Double",
"RansomWin32Apollo",
"Win.Exploit.CVE_2019_0803-6976664-0",
"Trojan.Penguish.an",
"Win.Dropper.Sykipot-9950506-0",
""
],
"references": [
"AvastBrowserUpdate.exe",
"update.avastbrowser.com",
"icarus.exe",
"icarus.exe",
"honzik.avcdn.net",
"branding.avast.com",
"branding.avast.com",
"honzik.avcdn.net",
"branding.avast.com",
"honzik.avcdn.net",
"AvastBrowserUpdate.exe",
"update.avastbrowser.com",
"172.66.175.47",
"AvastBrowserUpdate.exe",
"update.avastbrowser.com",
"172.66.175.47",
"update.avastbrowser.com",
"172.66.175.47",
"C:\\Windows\\system32\\drivers\\asw489b6244737c3046.tmp",
"C:\\Windows\\system32\\drivers\\asw489b6244737c3046.tmp",
"C:\\Windows\\system32\\drivers\\asw489b6244737c3046.tmp",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\aswbIDSAgent\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswidsagent.exe\\\"\"",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\aswbIDSAgent\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswidsagent.exe\\\"\"",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\aswbIDSAgent\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswidsagent.exe\\\"\"",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
"\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
"\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
"\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
"\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
"\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
"\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Languages",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{D93EF81A-B92F-27FE-AF54-9278EA8BF910}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{D93EF81A-B92F-27FE-AF54-9278EA8BF910}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{93876F24-B4F5-4DBC-97B9-762CD8066719}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{93876F24-B4F5-4DBC-97B9-762CD8066719}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{93876F24-B4F5-4DBC-97B9-762CD8066719}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Languages",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{D93EF81A-B92F-27FE-AF54-9278EA8BF910}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Languages",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10}",
"icarus.exe",
"AvastBrowserUpdate.exe",
"C:\\Windows\\system32\\aswBoot.exe",
"C:\\Windows\\system32\\aswBoot.exe",
"C:\\Windows\\system32\\aswBoot.exe",
"https://tria.ge/250717-z7b8kssly4",
"https://tria.ge/250717-zt5yqsbp8z/behavioral1",
"https://tria.ge/250715-xd58fsysc1",
"https://tria.ge/250717-zt5yqsbp8z",
"https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-0803",
"https://hackread.com/fake-antivirus-sites-malware-avast-malwarebytes-bitdefender/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1547.014",
"name": "Active Setup",
"display_name": "T1547.014 - Active Setup"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1552",
"name": "Unsecured Credentials",
"display_name": "T1552 - Unsecured Credentials"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1130",
"name": "Install Root Certificate",
"display_name": "T1130 - Install Root Certificate"
},
{
"id": "T1124",
"name": "System Time Discovery",
"display_name": "T1124 - System Time Discovery"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1016.001",
"name": "Internet Connection Discovery",
"display_name": "T1016.001 - Internet Connection Discovery"
},
{
"id": "T1067",
"name": "Bootkit",
"display_name": "T1067 - Bootkit"
},
{
"id": "T1503",
"name": "Credentials from Web Browsers",
"display_name": "T1503 - Credentials from Web Browsers"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1122",
"name": "Component Object Model Hijacking",
"display_name": "T1122 - Component Object Model Hijacking"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1546.012",
"name": "Image File Execution Options Injection",
"display_name": "T1546.012 - Image File Execution Options Injection"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1198",
"name": "SIP and Trust Provider Hijacking",
"display_name": "T1198 - SIP and Trust Provider Hijacking"
},
{
"id": "T1120",
"name": "Peripheral Device Discovery",
"display_name": "T1120 - Peripheral Device Discovery"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
}
],
"industries": [
"Cyber Security and Networking"
],
"TLP": "green",
"cloned_from": null,
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "r0b1nh0od",
"id": "320328",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_320328/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 165,
"domain": 65,
"hostname": 57,
"FileHash-MD5": 4197,
"FileHash-SHA256": 4117,
"FileHash-SHA1": 4092
},
"indicator_count": 12693,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 26,
"modified_text": "282 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "685209a13834b09a48cffc29",
"name": "Syntax for Site Search with Ecosia | Vivaldi Forum",
"description": "Ecosia \nServer: ESF\n#virus #trojans",
"modified": "2025-07-17T23:01:16",
"created": "2025-06-18T00:34:41.026000",
"tags": [
"html document",
"unicode text",
"utf8 text",
"resolved ips",
"get http",
"dns resolutions",
"oc0006 http",
"defense evasion",
"ta0005 command",
"control ta0011",
"accept",
"gmt ifnonematch",
"info file",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"manager",
"shutdown",
"sample",
"address port",
"ip address",
"port",
"country name",
"layer protocol",
"t1055 process",
"command",
"control t1573",
"t1105 ingress",
"tool transfer",
"network info",
"performs dns",
"urls",
"united",
"url info",
"domain info",
"domain ip",
"ip info",
"ip country",
"info non",
"malicious",
"status url",
"ecosia",
"passive dns",
"pulse pulses",
"http",
"related nids",
"files location",
"flag united",
"hostname",
"l http",
"related pulses",
"none related",
"tags none",
"file type",
"sha256",
"google safe",
"browsing"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 43,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 171,
"FileHash-SHA1": 142,
"FileHash-SHA256": 1195,
"hostname": 42,
"URL": 172,
"domain": 18
},
"indicator_count": 1740,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "317 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68451577ada8bb0aa0834edb",
"name": "X - Business Social Media Account used to attack victim",
"description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.",
"modified": "2025-07-08T04:03:04.386000",
"created": "2025-06-08T04:45:43.423000",
"tags": [
"trojan",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"upxoepplace",
"pulses none",
"related tags",
"none file",
"markus",
"april",
"win32",
"copy",
"usvwu",
"usvw",
"high",
"medium",
"show",
"uss c",
"binary file",
"yara",
"write",
"delphi",
"enigma",
"present mar",
"aaaa",
"united",
"passive dns",
"date",
"present nov",
"moved",
"urls",
"creation date",
"entries",
"body",
"trojandropper",
"susp",
"msr jul",
"next associated",
"pulse pulses",
"mtb jun",
"backdoor",
"content length",
"html document",
"ascii text",
"search",
"internalname",
"entries pe",
"showing",
"filehash",
"md5 add",
"av detections",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"pattern match",
"size",
"encrypt",
"june",
"hybrid",
"local",
"path",
"click",
"twitter",
"strings",
"url https",
"url http",
"report spam",
"created",
"hours ago",
"bad actor",
"ck ids",
"t1057",
"discovery",
"t1071",
"amer",
"ipv4",
"indicator role",
"title added",
"active related",
"pulses",
"china",
"hong kong",
"russia",
"type indicator",
"role title",
"added active",
"related pulses",
"pulses url",
"filehashsha256",
"url add",
"http",
"ip address",
"related nids",
"files location",
"flag united",
"domain",
"hostname",
"next",
"filehashmd5",
"protocol",
"t1105",
"tool transfer",
"t1480"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 637,
"FileHash-SHA1": 639,
"FileHash-SHA256": 5380,
"domain": 676,
"hostname": 1120,
"URL": 1031,
"SSLCertFingerprint": 4
},
"indicator_count": 9487,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "327 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "67576b4cdaafecfac733fac4",
"name": "http://pit.waw.pl skrypt w pliku://C:/28f67ac2f4875f36aeb31e181e2d2d50f84b5c0791afa4b7bd6987cf00e95186.html.html http://ww53.cookiesinfo.com/",
"description": "MS Office Excel 2016\n0x2491:$h_raw1: /javascript\n0x289d:$h_raw1: /javascript\n0x2dd0:$h_raw1: /javascript\n0x182a6:$h_raw1: /javascript\n0x18dc0:$h_raw1: /javascript\n0x1a072:$h_raw1: /javascript\n0x1ad72:$h_raw1: /javascript\n0x222e6:$h_raw1: /javascript\n0x22870:$h_raw1: /javascript\n0x23lut:$h_raw1: /javascript\nskrypt w pliku://C:/28f67ac2f4875f36aeb31e181e2d2d50f84b5c0791afa4b7bd6987cf00e95186.html.html",
"modified": "2025-05-14T20:46:38.021000",
"created": "2024-12-09T22:12:28.252000",
"tags": [
"grudzie",
"typ zawartoci",
"linux x8664",
"khtml",
"gecko",
"metoda",
"adres url",
"poczenie",
"dugo treci",
"dostawa artnet",
"sha1",
"sha256",
"microsoft",
"microsoft store",
"office",
"robisz",
"zakupy w",
"dla firm",
"family",
"internetem",
"kliknij tutaj",
"microsoft i",
"bony",
"jaka",
"android",
"utc1 html",
"utc1",
"utc1 gif",
"plik",
"utc1 popieprzy",
"javascript",
"or requesturl",
"or filehash",
"maxradlinklen50",
"type3",
"june",
"copyright",
"t1027",
"warto",
"muid warto",
"mr warto",
"warto clid",
"anonchk warto"
],
"references": [
"http://office.microsoft.com/pl-pl/try/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 56,
"hostname": 96,
"URL": 348,
"FileHash-SHA256": 313,
"FileHash-MD5": 22,
"FileHash-SHA1": 12,
"IPv4": 11,
"YARA": 2
},
"indicator_count": 860,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 123,
"modified_text": "381 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "67f5555b6ce863d998e83e26",
"name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net",
"description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.",
"modified": "2025-05-11T19:03:59.885000",
"created": "2025-04-08T16:56:59.641000",
"tags": [
"generated from",
"do not",
"edit uri",
"urls",
"edit",
"rewriteengine",
"rewritecond",
"rewriterule",
"r301",
"xml2encalias",
"beralloct",
"berbvarrayadd",
"berbvarrayfree",
"berbvdup",
"berbvecadd",
"berbvecfree",
"berbvfree",
"berdump",
"berdup",
"berdupbv",
"laerrordomain",
"laerrornoncekey",
"lamechanismtree",
"lacontext",
"ladomainstate",
"laenvironment",
"lanotification",
"laprivatekey",
"lapublickey",
"laright",
"apple swift",
"o librarylevel",
"combine import",
"foundation",
"swift import",
"mcpeerid",
"mcsession",
"property",
"copyright",
"protocol",
"class",
"bonjour",
"ascii lowercase",
"abc company",
"section",
"bonjour txt",
"note",
"ui element",
"utf8 encoding",
"nscopying",
"nsdictionary",
"nsstring",
"mcextern",
"attribute",
"mcextern extern",
"mcexternweak",
"nsenum",
"nsinteger",
"mcerrorcode",
"mcerrorunknown",
"mcerrortimedout",
"peer",
"example",
"bonjour apis",
"stop",
"tags",
"session",
"nsprogress",
"nserror",
"nsurl",
"nsarray",
"create",
"nsuinteger",
"notifies",
"mcsession api",
"interface",
"dbictrace",
"dbivporth",
"dbictracelevel",
"dbdtffoo",
"dbihseterrchar",
"dbicstate",
"dbictraceflags",
"provides macros",
"dbi release",
"only",
"sqlsuccess",
"odbc",
"sqlok",
"tim bunce",
"england",
"sql cli",
"sql datatype",
"sqlguid",
"sqlwlongvarchar",
"main",
"beware",
"sv sth",
"sv dbh",
"impsth",
"impdbh",
"sv keysv",
"sv params",
"sv attr",
"sv attribs",
"sv drh",
"void",
"fri jul",
"mixed",
"dbixsrevision",
"plsvundef",
"license",
"spagain",
"perlioprintf",
"dbiclogpio",
"putback",
"ireland",
"gnu general",
"super",
"magic",
"dbicflags",
"dbis",
"svrv",
"null",
"imp2com",
"dbicactivekids",
"dbicfiadestroy",
"sv h",
"dbicdbistate",
"code",
"copy",
"refer",
"trace",
"error",
"unknown",
"hookopcheckh",
"startexternc",
"hookopcheckcb",
"userdata",
"endexternc",
"isinternalbuild",
"kickmcxdforuid",
"loadappkit",
"ardconfig",
"authenticator",
"dsauthenticator",
"dsnode",
"dsrecord",
"group",
"hostconfig",
"apfsvolumelock",
"apfsvolumerole",
"aoskgetosinfo",
"aoskgetuserinfo",
"aosaddappleid",
"aosdisablepcs",
"aosenablepcs",
"aoslog",
"aoslogforce",
"aosrelaycookie",
"didfailcallback",
"kaosaccountkey",
"kapcsbundle",
"kapcspath",
"kjsonextension",
"apcsbucketid",
"apcsreports",
"apconfiguration",
"apversiondata",
"apversionhelper",
"systemvolumesvm",
"name size",
"identifier",
"gb disk0s3",
"devdisk3",
"apfs container",
"scheme",
"physical store",
"macintosh hd",
"apfs snapshot",
"preboot",
"refs address",
"size wired",
"name",
"version",
"uuid",
"linked against",
"renderer",
"helper",
"chrome helper",
"contains",
"cloud ui",
"macintosh",
"khtml",
"gecko",
"ui helper",
"plugin",
"service",
"good",
"battery power",
"apfs encryption",
"jumpcloud go",
"chrome web",
"store",
"privacy badger",
"flowcrypt",
"encrypt gmail",
"simple",
"google",
"b2b phone",
"number",
"apollo",
"future",
"exccrash",
"sigkill",
"code signature",
"invalid",
"sigabrt",
"protonvpn",
"excguard",
"excbreakpoint",
"sigtrap",
"excbadaccess",
"appl",
"english",
"adobe crash",
"adobe",
"acrobat dcadobe",
"processor",
"uninstaller",
"assistant",
"install",
"cloud",
"dock",
"calendar",
"music",
"terminal",
"tips",
"installer",
"updater",
"proton",
"tools",
"stub",
"python",
"clock",
"powershell",
"team",
"rave scout",
"cookies",
"public folder",
"key cert",
"sign",
"crl sign",
"root ca",
"authority",
"public primary",
"global root",
"verisign",
"academic",
"premium",
"adaptive",
"interactive",
"background",
"standard",
"launchd sandbox",
"s mdworker",
"agent",
"command line",
"progress",
"yubico",
"macos13action",
"disableoverride",
"disableairdrop",
"denyactivation",
"enable",
"loginwindowtext",
"jumpcloud",
"autoupdate",
"loggingoption",
"enablefirewall",
"arm64e",
"apple m2",
"mac142",
"kjqqtw7pqt",
"daemon",
"server",
"open directory",
"user",
"account",
"kerberos admin",
"kerberos change",
"device daemon",
"network",
"desktop",
"screensaver",
"bridge",
"aesxtsarm",
"aesecbarm",
"sha512vngarmhw",
"sha384vngarmhw",
"sha256vngarm",
"sha1vngarm",
"darwin kernel",
"wed mar",
"wkarraycreate",
"wkbooleancreate",
"wkcontextcreate",
"wkdatacreate",
"wkdatagettypeid",
"wkdoublecreate",
"wkframecopyurl",
"wkgettypeid",
"wkimagecreate",
"wkpagecandelete",
"webview",
"notice",
"this software",
"including",
"but not",
"limited to",
"redistribution",
"is provided",
"by apple",
"direct",
"damage",
"apiavailable",
"webkit",
"nsswiftname",
"document",
"a block",
"as is",
"hasinclude",
"wkdownload",
"abstract",
"wkerrorcode",
"wkerrorunknown",
"discussion",
"bool",
"whether",
"wkcontentworld",
"wkwebview",
"javascript",
"nsunavailable",
"vaargs",
"nsswiftasync",
"wkswiftasync",
"wkcookiepolicy",
"wkswiftuiactor",
"nshttpcookie",
"targetosiphone",
"wknavigation",
"decides",
"boolean value",
"apideprecated",
"methodkind",
"wkerrordomain",
"wkscriptmessage",
"promise",
"fulfill",
"const",
"url scheme",
"mark",
"wkuserscript",
"targetosvision",
"param",
"wkframeinfo",
"targetosios",
"pass",
"window",
"mime type",
"link",
"nsimage",
"returns",
"nsset",
"checks",
"matches",
"a boolean",
"defaults",
"wkwebextension",
"cgsize",
"uiimage",
"apis",
"nsdate",
"wkcontentmode",
"wkextern",
"possible",
"cgfloat",
"media",
"cgrect",
"apiunavailable",
"framework",
"nsswiftuiactor",
"targetoswatch",
"confirms",
"apple upgrade",
"nsstring user",
"nsobject",
"provider",
"apple",
"password",
"uicontrol",
"nscontrol",
"asuseragerange",
"check",
"opaque user",
"apple id",
"initiate",
"asauthorization",
"operation",
"state",
"nserrorenum",
"nsdata",
"relying party",
"asapiavailable",
"perform",
"realm",
"http response",
"authorization",
"http",
"oauth",
"saml",
"a byte",
"nsdata userid",
"relying",
"a string",
"nsdata readdata",
"bool didwrite",
"a cose",
"nsdata first",
"nsdata second",
"nsstring name",
"bool appid",
"targetosxr",
"nsstring appid",
"bluetooth",
"mdm profile",
"nsurl url",
"returns yes",
"a state",
"a json",
"web token",
"private seckeys",
"enables",
"keychain",
"asswiftsendable",
"cose algorithm",
"ecdsa",
"sha256",
"cose curve",
"p256",
"nullable",
"bool success",
"remove",
"call",
"complete",
"initializes",
"time code",
"extensions",
"asextern extern",
"asextern",
"nsswiftsendable",
"prepare",
"list",
"nsextension",
"attempt",
"nsstring label",
"creates",
"nsstring code",
"a key",
"webauthn",
"nssecurecoding",
"input",
"output",
"initialize",
"nsinteger rank",
"json",
"inputs",
"hash",
"nsstring origin",
"settings app",
"extension",
"https urls",
"safari",
"cancel",
"nsuuid uuid",
"r uftpexu",
"nsmutabledata",
"vnsdate",
"mprcjy",
"postfix",
"domain",
"canonical",
"tables",
"ldap",
"post",
"replace user",
"address",
"wietse venema",
"bugs",
"mail",
"aliases",
"postfix version",
"restrict",
"sample",
"person",
"basic system",
"general",
"reject empty",
"postfix smtp",
"ipv6 host",
"reject",
"reply",
"access",
"prior",
"hold",
"info",
"mail delivery",
"charset",
"system",
"report",
"postfix dsn",
"mail returned",
"this",
"generic",
"smtp",
"isp mail",
"mime",
"headerchecks",
"readme files",
"filters while",
"posix",
"empty",
"body",
"write",
"date",
"smtp server",
"specify",
"mx host",
"unix password",
"user unknown",
"pathbin",
"postfix queue",
"unix",
"cyrus",
"path",
"uucp",
"shell",
"local",
"program",
"agreement",
"contributor",
"recipient",
"contribution",
"the program",
"corporation",
"contributors",
"product x",
"as expressly",
"arch",
"arch x8664",
"pipe wall",
"wimplicit",
"ranlib",
"warn",
"switch",
"start",
"systype",
"outlook",
"postfix master",
"begin",
"server admin",
"mail backend",
"modern smtp",
"iana",
"many",
"postfix pipe",
"recent cyrus",
"amos gouaux",
"old example",
"or even",
"lutz jaenicke",
"technology",
"cottbus",
"germany",
"openssl package",
"openssl project",
"europe",
"remember that",
"use of",
"file",
"update",
"usrsbin",
"file format",
"no group",
"daemondirectory",
"deliver mail",
"transport",
"description",
"result format",
"virtual",
"virtual alias",
"redirect mail",
"relocated",
"matches user",
"synopsis",
"lastname",
"firstname",
"apple computer",
"tcpip",
"supported",
"quantum",
"facility",
"level",
"level info",
"broadcast",
"ignore",
"rules",
"sender",
"automounter map",
"use directory",
"get home",
"home autohome",
"true",
"t option",
"mount",
"force",
"environment",
"automountdenv",
"promptcommand",
"shellsessiondir",
"histfile",
"histfilesize",
"myvar",
"histtimeformat",
"arrange",
"bashrematch",
"tell",
"ps1h",
"make bash",
"s checkwinsize",
"etcbashrc",
"termprogram",
"inpck",
"nnnbaud",
"berkeley",
"parity",
"pc entry",
"pass8",
"parenb istrip",
"fixed speed",
"entry",
"clocal mode",
"maxhistsize",
"promptmode",
"verbose end",
"etcirbrcloaded",
"default",
"setup",
"history file",
"kernel",
"readline",
"jabber",
"group database",
"dovecot",
"postfix scsd",
"networkd",
"searchpaths",
"freebsd",
"tmpdir",
"fcodes",
"prunepaths",
"vartmp",
"prunedirs",
"filesystems",
"nroff",
"manpath",
"uncomment",
"manpager",
"whatispager",
"manlocale",
"every",
"manpath optman",
"maybe",
"troff",
"status mailfrom",
"returnpath via",
"pidfile",
"flags",
"bcgjnuwz",
"bin usrsbin",
"sbin",
"default pf",
"care",
"audio",
"user database",
"unix copy",
"gate daemon",
"bashno",
"r etcbashrc",
"rfc1323",
"m1460",
"macos x",
"signature",
"linux",
"opera",
"xp sp1",
"windows sp1",
"nmap syn",
"m265",
"synack",
"mind",
"macos",
"warp",
"ipv6",
"internet",
"icmp",
"cisco",
"monitoring",
"argus",
"chaos",
"rsvp",
"encapsulation",
"aris",
"isis",
"netbootmount",
"netbootshadow",
"computername",
"localonly",
"localnetbootdir",
"netboot",
"define",
"purpose",
"networkonly",
"waiting",
"networkup",
"term",
"devnull",
"common setup",
"configure",
"set command",
"dns hostname",
"dns query",
"see also",
"kame",
"sunnet manager",
"rpcsrc",
"netlicense",
"ftpd",
"bindash binksh",
"binsh bintcsh",
"jumpcloud ldap",
"smb2",
"security",
"workgroup",
"standalone",
"samba server",
"enforce",
"smb3",
"example share",
"improper use",
"ctrlc",
"none",
"fax reception",
"hardwired",
"0007",
"must",
"visudo",
"blocksize",
"charset lang",
"language lcall",
"lines columns",
"lscolors",
"sshauthsock",
"orion",
"setup user",
"home",
"zdotdir",
"delete",
"beep",
"vendor",
"kf10",
"kf11",
"kf12",
"kf13",
"backspace",
"insert",
"resume",
"termsessionid",
"savehist",
"sharehistory",
"h do",
"volume",
"de l",
"l uuid",
"m tra",
"n est",
"suuid",
"prfen",
"fusion",
"syst",
"look",
"executant",
"alla",
"over",
"test",
"overie",
"zapis",
"rapid",
"disco usa",
"de macos",
"nie s",
"i denne",
"adgjmpsvx",
"diskgthis disk",
"01k8x j",
"34disk",
"levy kytt",
"dict",
"array",
"plist",
"apple root",
"code signing",
"inode64r",
"xofkoxzh",
"integer",
"doctype",
"brain",
"abcd",
"ogwo",
"boaw",
"cobwa",
"uhawavauatsh",
"ip bitmap",
"foewdc",
"could",
"ip block",
"funcs",
"cogwo",
"trash",
"double",
"hunt",
"affa",
"carr",
"crypto",
"docwbac",
"q1b0",
"q1 0",
"h h5",
"docwbag",
"slice",
"format",
"zero",
"alfa",
"hera",
"lelei",
"hehe",
"hisp",
"fail",
"katy",
"zakk",
"eodwcbgao",
"hhk8di",
"alma",
"topo",
"open",
"huhk",
"piper",
"hehx",
"eh ui",
"h20hph",
"hif h",
"hmhhihqhyla hq",
"r11b0",
"target",
"uus10u",
"hifh",
"loghookfailed",
"loghook",
"hell",
"q1b 0",
"f duh",
"aqw1",
"1160"
],
"references": [
"index.html.en",
"bind.html",
"caching.html",
"BUILDING",
"configuring.html",
"content-negotiation.html",
"custom-error.html",
"convenience.map",
"LDAP.tbd",
"lber.h",
"ldap.h",
"LocalAuthentication.tbd",
"arm64e-apple-macos.swiftinterface",
"x86_64-apple-ios-macabi.swiftinterface",
"arm64e-apple-ios-macabi.swiftinterface",
"x86_64-apple-macos.swiftinterface",
"MultipeerConnectivity.tbd",
"module.modulemap",
"MCNearbyServiceAdvertiser.h",
"MCPeerID.h",
"MCError.h",
"MCNearbyServiceBrowser.h",
"MCAdvertiserAssistant.h",
"MultipeerConnectivity.apinotes",
"MultipeerConnectivity.h",
"MCSession.h",
"MCBrowserViewController.h",
"dbivport.h",
"dbi_sql.h",
"dbd_xsh.h",
"dbixs_rev.h",
"Driver_xst.h",
"DBIXS.h",
"hook_op_check.h",
"Admin.tbd",
"AirPlayReceiver.tbd",
"apfs_boot_mount.tbd",
"AOSKit.tbd",
"APConfigurationSystem.tbd",
"AppleFirmwareUpdate.tbd",
"launchdaemons.txt",
"preboot_archive_errors.log",
"mounts.txt",
"launchagents.txt",
"disk_structure.txt",
"user_launchagents.txt",
"security_status.txt",
"kexts.txt",
"process_list.txt",
"battery.csv",
"diskEncryption.csv",
"chromeExtensions.csv",
"crashes.csv",
"interfaceAddrs.csv",
"kernel.csv",
"interfaceDetails.csv",
"etcHosts.csv",
"applications.csv",
"mounts.csv",
"sharedFolders.csv",
"certificates.csv",
"sharingPreferences.csv",
"launchD.csv",
"usbDevices.csv",
"managedPolicies.csv",
"systemInfo.csv",
"users.csv",
"sipConfig.csv",
"systemControls.csv",
"canonical",
"aliases",
"custom_header_checks",
"access",
"bounce.cf.default",
"generic",
"header_checks",
"main.cf.default",
"LICENSE",
"makedefs.out",
"main.cf",
"master.cf.default",
"main.cf.proto",
"master.cf.proto",
"master.cf",
"TLS_LICENSE",
"postfix-files",
"transport",
"virtual",
"relocated",
"afpovertcp.cfg",
"asl.conf",
"auto_home",
"auto_master",
"autofs.conf",
"bashrc_Apple_Terminal",
"com.apple.screensharing.agent.launchd",
"bashrc",
"command_args.json",
"csh.cshrc",
"csh.login",
"find.codes",
"csh.logout",
"ftpusers",
"gettytab",
"irbrc",
"kern_loader.conf",
"group",
"locate.rc",
"man.conf",
"mail.rc",
"manpaths",
"networks",
"nfs.conf",
"newsyslog.conf",
"ntp_opendirectory.conf",
"ntp.conf",
"notify.conf",
"paths",
"pf.conf",
"passwd",
"profile",
"pf.os",
"protocols",
"rc.netboot",
"rc.common",
"rmtab",
"resolv.conf",
"rtadvd.conf",
"rpc",
"shells",
"smb.conf",
"sudo_lecture",
"ttys",
"syslog.conf",
"xtab",
"sudoers",
"zprofile",
"zshrc",
"zshrc_Apple_Terminal",
"CodeResources",
"version.plist",
"Info.plist"
],
"public": 1,
"adversary": "DragonForce Malaysia Hacker Group",
"targeted_countries": [],
"malware_families": [
{
"id": "Lastname",
"display_name": "Lastname",
"target": null
},
{
"id": "Firstname",
"display_name": "Firstname",
"target": null
}
],
"attack_ids": [
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 66,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "ilyailya",
"id": "298851",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 4449,
"domain": 3847,
"URL": 14263,
"FileHash-SHA256": 2356,
"FileHash-MD5": 223,
"FileHash-SHA1": 523,
"email": 223,
"CVE": 40,
"CIDR": 12,
"SSLCertFingerprint": 302
},
"indicator_count": 26238,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 37,
"modified_text": "384 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e863bebbf95e0dc5a4169a",
"name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack expected",
"description": "Network compromised updated Apple device was directed (303) to a server. This is one of several botnets found. onthewifi \u2206 {Win32:BotX-gen\\ [Trj]} \u2022 Injection process | Password bypass. Studies targets behavior | Checks for other devices | Glupteba: \n Glupteba is a trojan-type program, malicious software that installs other programs of this type. Cyber criminals can perform a number of actions of a malicious hacker's choice on your device.",
"modified": "2024-04-05T12:00:46.637000",
"created": "2024-03-06T12:38:22.052000",
"tags": [
"referrer",
"tsara brashears",
"password bypass",
"apple phone",
"unlocker",
"shell code",
"script",
"pe resource",
"execution",
"sneaky server",
"emotet",
"android",
"download",
"malware",
"relic",
"monitoring",
"installer",
"formbook",
"urls",
"contacted",
"win32 exe",
"parents",
"type name",
"msrsaapp",
"files",
"file type",
"kb file",
"b file",
"graph",
"pe32 executable",
"ms windows",
"intel",
"generic cil",
"executable",
"mono",
"win32 dynamic",
"link library",
"win16 ne",
"samplename",
"samplepath",
"jays youtube",
"rticon neutral",
"details",
"header intel",
"name md5",
"type",
"language",
"contained",
"ico rtgroupicon",
"neutral",
"net technology",
"corporation",
"domains",
"markmonitor inc",
"malicious",
"cnc",
"network",
"bypass password",
"network probe",
"dns query",
"as20940",
"united",
"aaaa",
"search",
"showing",
"date",
"passive dns",
"registrar",
"unknown",
"encrypt",
"next",
"domain",
"emails",
"name servers",
"as199524",
"record value",
"rst seen",
"last seen",
"asn country",
"cname",
"as15169 google",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files ip",
"as4788",
"address",
"pulses",
"win32",
"entries",
"dadjoke",
"ms defender",
"united kingdom",
"germany unknown",
"as46606",
"as14061",
"servers",
"as12576 ee",
"russia unknown",
"as3320 deutsche",
"gamaredon",
"armageddon",
"as8068",
"script urls",
"for privacy",
"script domains",
"certificate",
"meta",
"creation date",
"as14627",
"ipv4",
"onthewifi",
"as54113",
"trojan",
"flywheel",
"sea x",
"accept",
"ransom",
"post http",
"langserbian",
"sublangdefault",
"rticon",
"process32nextw",
"medium",
"t1055",
"high",
"ip address",
"generic",
"body",
"markus",
"june",
"copy",
"bitcoin"
],
"references": [
"FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb",
"FormBook: 45.159.189.105",
"FormBook: http://45.159.189.105/bot/regex",
"Emotet: www.youtube.com/watch?v=GyuMozsVyYs",
"Relic: bam.nr-data.net [Apple Private Data Collection]",
"capitana.onthewifi.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Win32:Cryptor",
"display_name": "Win32:Cryptor",
"target": null
},
{
"id": "Win.Virus.PolyRansom-5704625-0",
"display_name": "Win.Virus.PolyRansom-5704625-0",
"target": null
},
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.KM!MTB",
"display_name": "Trojan:Win32/Glupteba.KM!MTB",
"target": "/malware/Trojan:Win32/Glupteba.KM!MTB"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1188",
"name": "Multi-hop Proxy",
"display_name": "T1188 - Multi-hop Proxy"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 53,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 309,
"FileHash-SHA1": 307,
"FileHash-SHA256": 3084,
"URL": 3066,
"domain": 1085,
"hostname": 1709,
"CVE": 1,
"email": 7
},
"indicator_count": 9568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "785 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65ea6410c1e1b1185951ef98",
"name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack executed (Copy)",
"description": "",
"modified": "2024-04-05T12:00:46.637000",
"created": "2024-03-08T01:04:16.906000",
"tags": [
"referrer",
"tsara brashears",
"password bypass",
"apple phone",
"unlocker",
"shell code",
"script",
"pe resource",
"execution",
"sneaky server",
"emotet",
"android",
"download",
"malware",
"relic",
"monitoring",
"installer",
"formbook",
"urls",
"contacted",
"win32 exe",
"parents",
"type name",
"msrsaapp",
"files",
"file type",
"kb file",
"b file",
"graph",
"pe32 executable",
"ms windows",
"intel",
"generic cil",
"executable",
"mono",
"win32 dynamic",
"link library",
"win16 ne",
"samplename",
"samplepath",
"jays youtube",
"rticon neutral",
"details",
"header intel",
"name md5",
"type",
"language",
"contained",
"ico rtgroupicon",
"neutral",
"net technology",
"corporation",
"domains",
"markmonitor inc",
"malicious",
"cnc",
"network",
"bypass password",
"network probe",
"dns query",
"as20940",
"united",
"aaaa",
"search",
"showing",
"date",
"passive dns",
"registrar",
"unknown",
"encrypt",
"next",
"domain",
"emails",
"name servers",
"as199524",
"record value",
"rst seen",
"last seen",
"asn country",
"cname",
"as15169 google",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files ip",
"as4788",
"address",
"pulses",
"win32",
"entries",
"dadjoke",
"ms defender",
"united kingdom",
"germany unknown",
"as46606",
"as14061",
"servers",
"as12576 ee",
"russia unknown",
"as3320 deutsche",
"gamaredon",
"armageddon",
"as8068",
"script urls",
"for privacy",
"script domains",
"certificate",
"meta",
"creation date",
"as14627",
"ipv4",
"onthewifi",
"as54113",
"trojan",
"flywheel",
"sea x",
"accept",
"ransom",
"post http",
"langserbian",
"sublangdefault",
"rticon",
"process32nextw",
"medium",
"t1055",
"high",
"ip address",
"generic",
"body",
"markus",
"june",
"copy",
"bitcoin"
],
"references": [
"FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb",
"FormBook: 45.159.189.105",
"FormBook: http://45.159.189.105/bot/regex",
"Emotet: www.youtube.com/watch?v=GyuMozsVyYs",
"Relic: bam.nr-data.net [Apple Private Data Collection]",
"capitana.onthewifi.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Win32:Cryptor",
"display_name": "Win32:Cryptor",
"target": null
},
{
"id": "Win.Virus.PolyRansom-5704625-0",
"display_name": "Win.Virus.PolyRansom-5704625-0",
"target": null
},
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.KM!MTB",
"display_name": "Trojan:Win32/Glupteba.KM!MTB",
"target": "/malware/Trojan:Win32/Glupteba.KM!MTB"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1188",
"name": "Multi-hop Proxy",
"display_name": "T1188 - Multi-hop Proxy"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65e863bebbf95e0dc5a4169a",
"export_count": 47,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 309,
"FileHash-SHA1": 307,
"FileHash-SHA256": 3084,
"URL": 3066,
"domain": 1085,
"hostname": 1709,
"CVE": 1,
"email": 7
},
"indicator_count": 9568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "785 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e576d419524d75af35a36e",
"name": "FormBook",
"description": "FormBook is an infostealer malware (malicious spyware). malicious code uses various hooks to gain access to keystrokes, screenshots, and other functions. The malware can also receive commands from its operator to steal information from browsers or download and execute other malware. As a MaaS offering, FormBook malware may be deployed by various threat actors. It's currently being use by a ,legal teams masquerading as government (might be \nlegitimate attorneys) law firm modifying and deleting front facing threats on various platforms. One firm has very poor reviews Corrupt. Others initiate malicious prosecution law suits. Social; engineering , intertwining malicious behavior.in every aspect of targets life from business banking, ancestry to aggressive match making attempts.",
"modified": "2024-04-03T05:03:03.527000",
"created": "2024-03-04T07:23:00.177000",
"tags": [
"resolutions",
"referrer",
"siblings",
"asn owner",
"historical ssl",
"contacted",
"high level",
"hackers",
"formbook",
"name verdict",
"falcon sandbox",
"report",
"united",
"registrar",
"creation date",
"search",
"emails",
"name",
"name servers",
"showing",
"unknown",
"scan endpoints",
"date",
"next",
"root ca",
"pattern match",
"authority",
"beginstring",
"class",
"mitre att",
"global root",
"ck id",
"show technique",
"ck matrix",
"null",
"accept",
"refresh",
"span",
"error",
"tools",
"body",
"look",
"verify",
"restart",
"hybrid",
"local",
"click",
"strings",
"files files",
"ssl certificate",
"tsara brashears",
"highly targeted",
"ransomware",
"dark power",
"play ransomware",
"malware",
"core",
"installer",
"awful",
"snatch",
"metro",
"service",
"critical",
"copy",
"execution",
"location united",
"asn as15169",
"less whois",
"as15169 google",
"status",
"entries",
"record value",
"servers",
"trojan",
"win32",
"aaaa",
"worm",
"passive dns",
"gmt cache",
"sameorigin",
"all scoreblue",
"ipv4",
"lowfi",
"domain related",
"urls",
"domain",
"nxdomain",
"hostname",
"users",
"yara detections",
"alerts",
"high",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"musicmaid",
"reader",
"office standard",
"high process",
"injection t1055",
"t1055",
"x00x00",
"icmp traffic",
"injection",
"hijacker",
"password",
"stealer",
"corruption",
"targeting",
"172.31.13.249"
],
"references": [
"gstatic.com",
"Unsupported/Fake Windows NT Version 5.0",
"Login privileges",
"172.31.13.249"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Trojan:Win32/Dorv.B!rfn",
"display_name": "Trojan:Win32/Dorv.B!rfn",
"target": "/malware/Trojan:Win32/Dorv.B!rfn"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Trojan:Win32/Antavmu.D",
"display_name": "Trojan:Win32/Antavmu.D",
"target": "/malware/Trojan:Win32/Antavmu.D"
},
{
"id": "PWS:MSIL/Dcstl.GD!MTB",
"display_name": "PWS:MSIL/Dcstl.GD!MTB",
"target": "/malware/PWS:MSIL/Dcstl.GD!MTB"
},
{
"id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"target": null
},
{
"id": "Win32:MalwareX-gen\\ [Trj]",
"display_name": "Win32:MalwareX-gen\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1447",
"name": "Delete Device Data",
"display_name": "T1447 - Delete Device Data"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1002",
"name": "Data Compressed",
"display_name": "T1002 - Data Compressed"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 45,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3117,
"FileHash-MD5": 280,
"FileHash-SHA1": 286,
"FileHash-SHA256": 3773,
"domain": 1264,
"hostname": 1595,
"email": 6,
"CVE": 5
},
"indicator_count": 10326,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 232,
"modified_text": "788 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e57f32581a900dfb272d05",
"name": "FormBook | 172.31.13.249",
"description": "",
"modified": "2024-04-03T05:03:03.527000",
"created": "2024-03-04T07:58:42.074000",
"tags": [
"resolutions",
"referrer",
"siblings",
"asn owner",
"historical ssl",
"contacted",
"high level",
"hackers",
"formbook",
"name verdict",
"falcon sandbox",
"report",
"united",
"registrar",
"creation date",
"search",
"emails",
"name",
"name servers",
"showing",
"unknown",
"scan endpoints",
"date",
"next",
"root ca",
"pattern match",
"authority",
"beginstring",
"class",
"mitre att",
"global root",
"ck id",
"show technique",
"ck matrix",
"null",
"accept",
"refresh",
"span",
"error",
"tools",
"body",
"look",
"verify",
"restart",
"hybrid",
"local",
"click",
"strings",
"files files",
"ssl certificate",
"tsara brashears",
"highly targeted",
"ransomware",
"dark power",
"play ransomware",
"malware",
"core",
"installer",
"awful",
"snatch",
"metro",
"service",
"critical",
"copy",
"execution",
"location united",
"asn as15169",
"less whois",
"as15169 google",
"status",
"entries",
"record value",
"servers",
"trojan",
"win32",
"aaaa",
"worm",
"passive dns",
"gmt cache",
"sameorigin",
"all scoreblue",
"ipv4",
"lowfi",
"domain related",
"urls",
"domain",
"nxdomain",
"hostname",
"users",
"yara detections",
"alerts",
"high",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"musicmaid",
"reader",
"office standard",
"high process",
"injection t1055",
"t1055",
"x00x00",
"icmp traffic",
"injection",
"hijacker",
"password",
"stealer",
"corruption",
"targeting",
"172.31.13.249"
],
"references": [
"gstatic.com",
"Unsupported/Fake Windows NT Version 5.0",
"Login privileges",
"172.31.13.249"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Trojan:Win32/Dorv.B!rfn",
"display_name": "Trojan:Win32/Dorv.B!rfn",
"target": "/malware/Trojan:Win32/Dorv.B!rfn"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Trojan:Win32/Antavmu.D",
"display_name": "Trojan:Win32/Antavmu.D",
"target": "/malware/Trojan:Win32/Antavmu.D"
},
{
"id": "PWS:MSIL/Dcstl.GD!MTB",
"display_name": "PWS:MSIL/Dcstl.GD!MTB",
"target": "/malware/PWS:MSIL/Dcstl.GD!MTB"
},
{
"id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"target": null
},
{
"id": "Win32:MalwareX-gen\\ [Trj]",
"display_name": "Win32:MalwareX-gen\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1447",
"name": "Delete Device Data",
"display_name": "T1447 - Delete Device Data"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1002",
"name": "Data Compressed",
"display_name": "T1002 - Data Compressed"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65e576d419524d75af35a36e",
"export_count": 45,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3117,
"FileHash-MD5": 280,
"FileHash-SHA1": 286,
"FileHash-SHA256": 3773,
"domain": 1264,
"hostname": 1595,
"email": 6,
"CVE": 5
},
"indicator_count": 10326,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "788 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"diskEncryption.csv",
"main.cf.proto",
"manpaths",
"x86_64-apple-macos.swiftinterface",
"sudo_lecture",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
"MCAdvertiserAssistant.h",
"http://office.microsoft.com/pl-pl/try/",
"header_checks",
"systemControls.csv",
"\u2022 https://animal64u.com/bestiality-animal-porn/dog \u2022 \thttp://xxnxporntube.com",
"pf.os",
"users.csv",
"Relic: bam.nr-data.net [Apple Private Data Collection]",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
"relocated",
"\u2022 http://appleid.apple.com-cgi-bin-wets-myapleid.woa-wa-direct.yimucentral.com/apple/cgibin/confirm/processing/cmd=/95d9e0a26d38b5f248bb389e1a4d14c0/webobjects",
"172.31.13.249",
"nfs.conf",
"https://hackread.com/fake-antivirus-sites-malware-avast-malwarebytes-bitdefender/",
"\u2022 apple-mac.us \u2022 zpwi8.itunes-apple-jp.xyz \u2022 applefanatic.org \u2022 appleemailaccounts.com \u2022 http://appleemailaccounts.com/",
"zshrc_Apple_Terminal",
"dbd_xsh.h",
"\u2022 199.59.243.226",
"rmtab",
"index.html.en",
"sharingPreferences.csv",
"x86_64-apple-ios-macabi.swiftinterface",
"APConfigurationSystem.tbd",
"bashrc",
"com.apple.screensharing.agent.launchd",
"FormBook: 45.159.189.105",
"module.modulemap",
"Login privileges",
"LDAP.tbd",
"FormBook: http://45.159.189.105/bot/regex",
"Emotet: www.youtube.com/watch?v=GyuMozsVyYs",
"canonical",
"LocalAuthentication.tbd",
"gettytab",
"protocols",
"MCNearbyServiceAdvertiser.h",
"DBIXS.h",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
"convenience.map",
"pf.conf",
"AppleFirmwareUpdate.tbd",
"networks",
"\u2022 zgcdfoundry.com \u2022 https://zgcdfoundry.com/",
"MCPeerID.h",
"MCSession.h",
"https://tria.ge/250717-zt5yqsbp8z/behavioral1",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
"https://tria.ge/250717-z7b8kssly4",
"postfix-files",
"xtab",
"C:\\Windows\\system32\\aswBoot.exe",
"mounts.txt",
"TLS_LICENSE",
"172.66.175.47",
"https://tria.ge/250715-xd58fsysc1",
"bounce.cf.default",
"csh.logout",
"MultipeerConnectivity.h",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
"mail.rc",
"interfaceDetails.csv",
"makedefs.out",
"content-negotiation.html",
"master.cf.proto",
"mounts.csv",
"battery.csv",
"generic",
"http://www.download-servers.com/SysInfo/Validate.exe||random.exe||/S||access your PC from anywhere!||Remote Access to your Home or Office PC remotely. Work on your PC from any internet computer or mobile. Access All files and transfer them between computers. Invite friends to view your LiveScreen and share presentations.||",
"zprofile",
"bind.html",
"ttys",
"Driver_xst.h",
"notify.conf",
"CodeResources",
"custom-error.html",
"BUILDING",
"resolv.conf",
"capitana.onthewifi.com",
"C:\\Windows\\system32\\drivers\\asw489b6244737c3046.tmp",
"branding.avast.com",
"MultipeerConnectivity.tbd",
"zshrc",
"chromeExtensions.csv",
"sipConfig.csv",
"ftpusers",
"csh.cshrc",
"crashes.csv",
"access",
"arm64e-apple-macos.swiftinterface",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{93876F24-B4F5-4DBC-97B9-762CD8066719}",
"managedPolicies.csv",
"configuring.html",
"asl.conf",
"locate.rc",
"interfaceAddrs.csv",
"\u2022 ww25.vpn.steamcommunity-site.info",
"icarus.exe",
"newsyslog.conf",
"AOSKit.tbd",
"arm64e-apple-ios-macabi.swiftinterface",
"autofs.conf",
"kern_loader.conf",
"virtual",
"gstatic.com",
"systemInfo.csv",
"ntp.conf",
"find.codes",
"applications.csv",
"afpovertcp.cfg",
"AirPlayReceiver.tbd",
"LICENSE",
"shells",
"command_args.json",
"paths",
"https://tria.ge/250717-zt5yqsbp8z",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10}",
"kexts.txt",
"launchdaemons.txt",
"AvastBrowserUpdate.exe",
"hook_op_check.h",
"auto_master",
"\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
"syslog.conf",
"\u2022 engine.remote-keylogger.net \u2022 logout-superset2.remote-keylogger.net \u2022 mail.remote-keylogger.net",
"master.cf.default",
"certificates.csv",
"\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
"rc.netboot",
"lber.h",
"dbi_sql.h",
"user_launchagents.txt",
"master.cf",
"smb.conf",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
"preboot_archive_errors.log",
"kernel.csv",
"caching.html",
"passwd",
"usbDevices.csv",
"apfs_boot_mount.tbd",
"aliases",
"\u2022 ww25.vpn.twitte5r.com | http://paypal-online.5flix.net/ | court-supreme.us",
"custom_header_checks",
"MCBrowserViewController.h",
"Unsupported/Fake Windows NT Version 5.0",
"launchagents.txt",
"bashrc_Apple_Terminal",
"MCError.h",
"dbivport.h",
"launchD.csv",
"main.cf",
"process_list.txt",
"sharedFolders.csv",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
"auto_home",
"dbixs_rev.h",
"disk_structure.txt",
"honzik.avcdn.net",
"group",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Languages",
"\u2022 starbucksmobilepay.5flix.net | https://mobilemobster.com/",
"man.conf",
"MultipeerConnectivity.apinotes",
"transport",
"profile",
"irbrc",
"update.avastbrowser.com",
"csh.login",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\aswbIDSAgent\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswidsagent.exe\\\"\"",
"sudoers",
"https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-0803",
"rtadvd.conf",
"ntp_opendirectory.conf",
"etcHosts.csv",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{D93EF81A-B92F-27FE-AF54-9278EA8BF910}",
"main.cf.default",
"rpc",
"Info.plist",
"MCNearbyServiceBrowser.h",
"security_status.txt",
"rc.common",
"FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb",
"Admin.tbd",
"version.plist",
"ldap.h"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"DragonForce Malaysia Hacker Group"
],
"malware_families": [
"Inject.brdv",
"Reputation.1",
"Unruy",
"Pws:msil/dcstl.gd!mtb",
"Slf:trojan:win32/grandoreiro.a",
"Worm:win32/mofksys.rnd!mtb",
"Trojan:win32/zombie.a",
"Win32:trojan-gen",
"Trojan:win32/antavmu.d",
"Win.virus.polyransom-5704625-0",
"#lowfi:hstr:msil/possibledownloader.s01",
"Trojan:win32/qqpass",
"Win32:malwarex-gen\\ [trj]",
"Win32:botx-gen\\ [trj]",
"Firstname",
"Crypt2.azdi",
"Formbook",
"Lastname",
"Trojan:win32/glupteba.km!mtb",
"Win32:cryptor",
"Trojan:win32/zombie",
"Win32:androp",
"Psw.generic11",
"Trojan:win32/dorv.b!rfn"
],
"industries": [
"Cyber security and networking",
"Telecommunications",
"Media",
"Technology"
],
"unique_indicators": 91523
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/syndicatedsearch.goog",
"whois": "http://whois.domaintools.com/syndicatedsearch.goog",
"domain": "syndicatedsearch.goog",
"hostname": "Unavailable"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 13,
"pulses": [
{
"id": "6993a71f4d27a7ff637d948d",
"name": "\"Gay\" dating websites that spoof assets",
"description": "fake and redirect - enjoyflirting.com\n\nincluding pornhub, xhamster and uk age verification systems",
"modified": "2026-03-18T23:02:37.713000",
"created": "2026-02-16T23:24:10.804000",
"tags": [
"get https",
"sha512",
"post https",
"sha256",
"sha1",
"get http",
"p2404",
"filesize",
"p11771835368",
"options https",
"score"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1124",
"name": "System Time Discovery",
"display_name": "T1124 - System Time Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "r0b1nh0od",
"id": "320328",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_320328/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 500,
"FileHash-SHA1": 419,
"FileHash-SHA256": 419,
"URL": 327,
"domain": 14,
"hostname": 43
},
"indicator_count": 1722,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 26,
"modified_text": "73 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68de7a48636c1d113e6069ff",
"name": "911 Call during Remote phone reconfiguration | 3rd Party YouTube | Ransomware",
"description": "Tested address. Link based on a 911 call on a known targeted device. Address incorrect but malicious activity found. Hacked device was under an unauthorized reconfiguration over several days. Russian conversion set up, Yandex and a 3rd party YouTube on a device that has never had a YouTube account or any other 3rd party apps.",
"modified": "2025-11-01T12:01:18.197000",
"created": "2025-10-02T13:12:40.466000",
"tags": [
"passive dns",
"emails",
"servers",
"code",
"united",
"aaaa",
"found",
"email",
"port",
"destination",
"msie",
"windows nt",
"wow64",
"slcc2",
"dock",
"write",
"execution",
"memcommit",
"write c",
"create c",
"delete c",
"delete",
"april",
"trojan",
"mtb apr",
"ransom",
"united states",
"hostname",
"read c",
"users",
"win32",
"malware",
"title",
"installer",
"america",
"password",
"injection",
"crypt",
"zombie",
"network",
"remote"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Inject.BRDV",
"display_name": "Inject.BRDV",
"target": null
},
{
"id": "PSW.Generic11",
"display_name": "PSW.Generic11",
"target": null
},
{
"id": "Crypt2.AZDI",
"display_name": "Crypt2.AZDI",
"target": null
},
{
"id": "win32:Androp",
"display_name": "win32:Androp",
"target": null
},
{
"id": "Trojan:Win32/Zombie",
"display_name": "Trojan:Win32/Zombie",
"target": "/malware/Trojan:Win32/Zombie"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1562.003",
"name": "Impair Command History Logging",
"display_name": "T1562.003 - Impair Command History Logging"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1156",
"name": "Malicious Shell Modification",
"display_name": "T1156 - Malicious Shell Modification"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1563",
"name": "Remote Service Session Hijacking",
"display_name": "T1563 - Remote Service Session Hijacking"
},
{
"id": "T1122",
"name": "Component Object Model Hijacking",
"display_name": "T1122 - Component Object Model Hijacking"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1037.003",
"name": "Network Logon Script",
"display_name": "T1037.003 - Network Logon Script"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 52,
"email": 1,
"URL": 172,
"hostname": 70,
"FileHash-MD5": 155,
"FileHash-SHA1": 133,
"FileHash-SHA256": 258
},
"indicator_count": 841,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "210 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "686d28ec9208b0424e0ccad2",
"name": "Remote Keylogger | Foundry",
"description": "Keylogger Remotely installed on all of targets devices. Up until\u2026 target had to purchase and return more than 50\ndevices minus service plans. Apple\nengineers have been involved many times. Mercenary attacks also confirmed: A kind phone store owner gave her a free phone that was hacked within seconds. \nUnless someone has been \u2018framing Palantir / Foundry Tech Mafia is portrayed a playing a significant involvement of SA victim potentially since day of coerced disclosure in 2013.\nThe first clue was a YouTube follower with a menacing name and picture began to follow, change login, network, dumped adult content, utilized web content scrapers,. stole\nPasswords,etc., Anyway .. Unruy & remotely installed keylogger. \n#foundry #apple #soc #keylogger \n\nThis is risky to say but very wrong to do. She was a multi generational (MGM) American.",
"modified": "2025-09-19T03:02:22.742000",
"created": "2025-07-08T14:19:24.211000",
"tags": [
"delete",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"delete c",
"intel",
"write",
"malware",
"dynamicloader",
"yara rule",
"high",
"vmware",
"phishing",
"remote",
"keylogger",
"remote keylogger",
"type indicator",
"related pulses",
"no expiration",
"url https",
"showing",
"reputation",
"foundry",
"apple",
"downloader",
"trojan"
],
"references": [
"http://www.download-servers.com/SysInfo/Validate.exe||random.exe||/S||access your PC from anywhere!||Remote Access to your Home or Office PC remotely. Work on your PC from any internet computer or mobile. Access All files and transfer them between computers. Invite friends to view your LiveScreen and share presentations.||",
"\u2022 engine.remote-keylogger.net \u2022 logout-superset2.remote-keylogger.net \u2022 mail.remote-keylogger.net",
"\u2022 http://appleid.apple.com-cgi-bin-wets-myapleid.woa-wa-direct.yimucentral.com/apple/cgibin/confirm/processing/cmd=/95d9e0a26d38b5f248bb389e1a4d14c0/webobjects",
"\u2022 199.59.243.226",
"\u2022 ww25.vpn.steamcommunity-site.info",
"\u2022 apple-mac.us \u2022 zpwi8.itunes-apple-jp.xyz \u2022 applefanatic.org \u2022 appleemailaccounts.com \u2022 http://appleemailaccounts.com/",
"\u2022 zgcdfoundry.com \u2022 https://zgcdfoundry.com/",
"\u2022 ww25.vpn.twitte5r.com | http://paypal-online.5flix.net/ | court-supreme.us",
"\u2022 https://animal64u.com/bestiality-animal-porn/dog \u2022 \thttp://xxnxporntube.com",
"\u2022 starbucksmobilepay.5flix.net | https://mobilemobster.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Unruy",
"display_name": "Unruy",
"target": null
},
{
"id": "Reputation.1",
"display_name": "Reputation.1",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
}
],
"industries": [
"Telecommunications",
"Technology",
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 260,
"FileHash-SHA1": 244,
"FileHash-SHA256": 4406,
"URL": 9684,
"domain": 3164,
"hostname": 3370,
"CVE": 1
},
"indicator_count": 21129,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 148,
"modified_text": "254 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "688d75bdc4bc5ba5cb6df7fb",
"name": "2nd X - https://ldl.myqnascloud.com/ - DT_VMP_32",
"description": "*Malware: DT_VMP_32 -associated with non specific trojan or ransomware activity, widely-known malware family with (custom) unique names.\n\u2022 pid-bodis-gcontrol151 |\u2022 googledownloads.cn\nServer or central repository used to target Tsara Brashears , \n into a malicious w/botnet world. Parked domains used w/malicious intent though appearing benign or \u2018for sale\u2019. \n\nDetections: \nSuspicious User-Agent - Possible Trojan Downloader (https)\nHTTP Request to a *.tw domain\n#bodis #targeting #parkingcrews #active #content_delivery #malvertizing #content_scraping #malware #attacks #dumping #framing #webcache #colbaltstrike #trojan_downloader #disabler #distributor #music_piracy #domainfraud #ransom",
"modified": "2025-09-01T01:01:18.030000",
"created": "2025-08-02T02:19:41.646000",
"tags": [
"cisco",
"umbrella rank",
"domain",
"general full",
"united",
"reverse dns",
"software",
"kb script",
"url https",
"asn15169",
"google",
"resource",
"hash",
"value",
"variables",
"domainpath name",
"name value",
"august",
"servaas klute",
"americachicago",
"verified",
"ecdsa",
"linux x8664",
"khtml",
"gecko",
"aes128gcm",
"maxradlinklen50",
"encrypt",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"javascript",
"spawns",
"mitre att",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"ascii text",
"pattern match",
"show technique",
"body",
"date",
"hybrid",
"general",
"path",
"click",
"strings",
"meta",
"present jul",
"search",
"entries",
"ip address",
"registrar",
"creation date",
"record value",
"name servers",
"servers",
"found a",
"location united",
"asn as15169",
"less whois",
"mtb apr",
"trojan",
"trojandropper",
"backdoor",
"win32qqpass apr",
"next associated",
"files show",
"date hash",
"avast avg",
"ipv4",
"pulse pulses",
"passive dns",
"urls",
"files",
"hacktool",
"ipv4 add",
"virtool",
"present aug",
"present feb",
"present jan",
"gmt location",
"gmt max",
"certificate",
"showing",
"cowboy"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2209,
"domain": 801,
"URL": 6114,
"FileHash-SHA256": 2162,
"FileHash-MD5": 184,
"FileHash-SHA1": 187,
"CIDR": 3,
"SSLCertFingerprint": 2,
"email": 1,
"CVE": 2
},
"indicator_count": 11665,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "272 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6876e1e75949dfc0fe3c7875",
"name": "Potentially ICARUS, Strange redirect from urlscan.io to 103.224.212.210",
"description": "The \u201cPotentially ICARUS\u201d threat hunt focuses on identifying a highly capable and persistent malware strain exhibiting a broad range of tactics and behaviors. This threat shows hallmarks of a multi-purpose implant or a modular malware framework. With confirmed classifications as adware, bootkit, trojan, stealer, and spyware, the sample uses layered techniques for persistence, evasion, discovery, and privilege escalation.\nPersistence Techniques\n\nThis hunt aims to uncover infection vectors, malicious registry keys, dropped binaries, and behavioral indicators across the environment, with a focus on detecting early execution, data exfiltration mechanisms, and evasion patterns consistent with the ICARUS threat profile.",
"modified": "2025-08-22T05:03:46.995000",
"created": "2025-07-15T23:19:02.845000",
"tags": [
"potentially",
"icarus",
"setup",
"session manager",
"com hijacking",
"task scheduler",
"com api",
"image file",
"ifeo",
"master boot",
"aqb1",
"ndh1",
"s1280x720",
"aqe1",
"qclienttypeweb",
"p11752710011",
"p2404",
"p4eqyyz1w",
"AvEmUpdate.exe",
"afwServ.exe",
"icarus.exe",
"AvLaunch.exe",
"avast_free_antivirus_online_setup.exe",
"AvastBrowser.exe",
"RegSvr.exe",
"msiexec.exe",
"msedge.exe",
"wsc_proxy.exe",
"overseer.exe",
"setup.exe",
"undefined",
"Zeppelin_10",
"ConventionEngine_Anomaly_MultiPDB_Double",
"RansomWin32Apollo",
"Win.Exploit.CVE_2019_0803-6976664-0",
"Trojan.Penguish.an",
"Win.Dropper.Sykipot-9950506-0",
""
],
"references": [
"AvastBrowserUpdate.exe",
"update.avastbrowser.com",
"icarus.exe",
"icarus.exe",
"honzik.avcdn.net",
"branding.avast.com",
"branding.avast.com",
"honzik.avcdn.net",
"branding.avast.com",
"honzik.avcdn.net",
"AvastBrowserUpdate.exe",
"update.avastbrowser.com",
"172.66.175.47",
"AvastBrowserUpdate.exe",
"update.avastbrowser.com",
"172.66.175.47",
"update.avastbrowser.com",
"172.66.175.47",
"C:\\Windows\\system32\\drivers\\asw489b6244737c3046.tmp",
"C:\\Windows\\system32\\drivers\\asw489b6244737c3046.tmp",
"C:\\Windows\\system32\\drivers\\asw489b6244737c3046.tmp",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\aswbIDSAgent\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswidsagent.exe\\\"\"",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\aswbIDSAgent\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswidsagent.exe\\\"\"",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\aswbIDSAgent\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswidsagent.exe\\\"\"",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
"\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
"\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
"\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
"\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
"\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
"\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Languages",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{D93EF81A-B92F-27FE-AF54-9278EA8BF910}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{D93EF81A-B92F-27FE-AF54-9278EA8BF910}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{93876F24-B4F5-4DBC-97B9-762CD8066719}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{93876F24-B4F5-4DBC-97B9-762CD8066719}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{93876F24-B4F5-4DBC-97B9-762CD8066719}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Languages",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{D93EF81A-B92F-27FE-AF54-9278EA8BF910}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Languages",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10}",
"icarus.exe",
"AvastBrowserUpdate.exe",
"C:\\Windows\\system32\\aswBoot.exe",
"C:\\Windows\\system32\\aswBoot.exe",
"C:\\Windows\\system32\\aswBoot.exe",
"https://tria.ge/250717-z7b8kssly4",
"https://tria.ge/250717-zt5yqsbp8z/behavioral1",
"https://tria.ge/250715-xd58fsysc1",
"https://tria.ge/250717-zt5yqsbp8z",
"https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-0803",
"https://hackread.com/fake-antivirus-sites-malware-avast-malwarebytes-bitdefender/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1547.014",
"name": "Active Setup",
"display_name": "T1547.014 - Active Setup"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1552",
"name": "Unsecured Credentials",
"display_name": "T1552 - Unsecured Credentials"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1130",
"name": "Install Root Certificate",
"display_name": "T1130 - Install Root Certificate"
},
{
"id": "T1124",
"name": "System Time Discovery",
"display_name": "T1124 - System Time Discovery"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1016.001",
"name": "Internet Connection Discovery",
"display_name": "T1016.001 - Internet Connection Discovery"
},
{
"id": "T1067",
"name": "Bootkit",
"display_name": "T1067 - Bootkit"
},
{
"id": "T1503",
"name": "Credentials from Web Browsers",
"display_name": "T1503 - Credentials from Web Browsers"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1122",
"name": "Component Object Model Hijacking",
"display_name": "T1122 - Component Object Model Hijacking"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1546.012",
"name": "Image File Execution Options Injection",
"display_name": "T1546.012 - Image File Execution Options Injection"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1198",
"name": "SIP and Trust Provider Hijacking",
"display_name": "T1198 - SIP and Trust Provider Hijacking"
},
{
"id": "T1120",
"name": "Peripheral Device Discovery",
"display_name": "T1120 - Peripheral Device Discovery"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
}
],
"industries": [
"Cyber Security and Networking"
],
"TLP": "green",
"cloned_from": null,
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "r0b1nh0od",
"id": "320328",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_320328/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 165,
"domain": 65,
"hostname": 57,
"FileHash-MD5": 4197,
"FileHash-SHA256": 4117,
"FileHash-SHA1": 4092
},
"indicator_count": 12693,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 26,
"modified_text": "282 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "685209a13834b09a48cffc29",
"name": "Syntax for Site Search with Ecosia | Vivaldi Forum",
"description": "Ecosia \nServer: ESF\n#virus #trojans",
"modified": "2025-07-17T23:01:16",
"created": "2025-06-18T00:34:41.026000",
"tags": [
"html document",
"unicode text",
"utf8 text",
"resolved ips",
"get http",
"dns resolutions",
"oc0006 http",
"defense evasion",
"ta0005 command",
"control ta0011",
"accept",
"gmt ifnonematch",
"info file",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"manager",
"shutdown",
"sample",
"address port",
"ip address",
"port",
"country name",
"layer protocol",
"t1055 process",
"command",
"control t1573",
"t1105 ingress",
"tool transfer",
"network info",
"performs dns",
"urls",
"united",
"url info",
"domain info",
"domain ip",
"ip info",
"ip country",
"info non",
"malicious",
"status url",
"ecosia",
"passive dns",
"pulse pulses",
"http",
"related nids",
"files location",
"flag united",
"hostname",
"l http",
"related pulses",
"none related",
"tags none",
"file type",
"sha256",
"google safe",
"browsing"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 43,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 171,
"FileHash-SHA1": 142,
"FileHash-SHA256": 1195,
"hostname": 42,
"URL": 172,
"domain": 18
},
"indicator_count": 1740,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "317 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68451577ada8bb0aa0834edb",
"name": "X - Business Social Media Account used to attack victim",
"description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.",
"modified": "2025-07-08T04:03:04.386000",
"created": "2025-06-08T04:45:43.423000",
"tags": [
"trojan",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"upxoepplace",
"pulses none",
"related tags",
"none file",
"markus",
"april",
"win32",
"copy",
"usvwu",
"usvw",
"high",
"medium",
"show",
"uss c",
"binary file",
"yara",
"write",
"delphi",
"enigma",
"present mar",
"aaaa",
"united",
"passive dns",
"date",
"present nov",
"moved",
"urls",
"creation date",
"entries",
"body",
"trojandropper",
"susp",
"msr jul",
"next associated",
"pulse pulses",
"mtb jun",
"backdoor",
"content length",
"html document",
"ascii text",
"search",
"internalname",
"entries pe",
"showing",
"filehash",
"md5 add",
"av detections",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"pattern match",
"size",
"encrypt",
"june",
"hybrid",
"local",
"path",
"click",
"twitter",
"strings",
"url https",
"url http",
"report spam",
"created",
"hours ago",
"bad actor",
"ck ids",
"t1057",
"discovery",
"t1071",
"amer",
"ipv4",
"indicator role",
"title added",
"active related",
"pulses",
"china",
"hong kong",
"russia",
"type indicator",
"role title",
"added active",
"related pulses",
"pulses url",
"filehashsha256",
"url add",
"http",
"ip address",
"related nids",
"files location",
"flag united",
"domain",
"hostname",
"next",
"filehashmd5",
"protocol",
"t1105",
"tool transfer",
"t1480"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 637,
"FileHash-SHA1": 639,
"FileHash-SHA256": 5380,
"domain": 676,
"hostname": 1120,
"URL": 1031,
"SSLCertFingerprint": 4
},
"indicator_count": 9487,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "327 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "67576b4cdaafecfac733fac4",
"name": "http://pit.waw.pl skrypt w pliku://C:/28f67ac2f4875f36aeb31e181e2d2d50f84b5c0791afa4b7bd6987cf00e95186.html.html http://ww53.cookiesinfo.com/",
"description": "MS Office Excel 2016\n0x2491:$h_raw1: /javascript\n0x289d:$h_raw1: /javascript\n0x2dd0:$h_raw1: /javascript\n0x182a6:$h_raw1: /javascript\n0x18dc0:$h_raw1: /javascript\n0x1a072:$h_raw1: /javascript\n0x1ad72:$h_raw1: /javascript\n0x222e6:$h_raw1: /javascript\n0x22870:$h_raw1: /javascript\n0x23lut:$h_raw1: /javascript\nskrypt w pliku://C:/28f67ac2f4875f36aeb31e181e2d2d50f84b5c0791afa4b7bd6987cf00e95186.html.html",
"modified": "2025-05-14T20:46:38.021000",
"created": "2024-12-09T22:12:28.252000",
"tags": [
"grudzie",
"typ zawartoci",
"linux x8664",
"khtml",
"gecko",
"metoda",
"adres url",
"poczenie",
"dugo treci",
"dostawa artnet",
"sha1",
"sha256",
"microsoft",
"microsoft store",
"office",
"robisz",
"zakupy w",
"dla firm",
"family",
"internetem",
"kliknij tutaj",
"microsoft i",
"bony",
"jaka",
"android",
"utc1 html",
"utc1",
"utc1 gif",
"plik",
"utc1 popieprzy",
"javascript",
"or requesturl",
"or filehash",
"maxradlinklen50",
"type3",
"june",
"copyright",
"t1027",
"warto",
"muid warto",
"mr warto",
"warto clid",
"anonchk warto"
],
"references": [
"http://office.microsoft.com/pl-pl/try/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 56,
"hostname": 96,
"URL": 348,
"FileHash-SHA256": 313,
"FileHash-MD5": 22,
"FileHash-SHA1": 12,
"IPv4": 11,
"YARA": 2
},
"indicator_count": 860,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 123,
"modified_text": "381 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "67f5555b6ce863d998e83e26",
"name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net",
"description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.",
"modified": "2025-05-11T19:03:59.885000",
"created": "2025-04-08T16:56:59.641000",
"tags": [
"generated from",
"do not",
"edit uri",
"urls",
"edit",
"rewriteengine",
"rewritecond",
"rewriterule",
"r301",
"xml2encalias",
"beralloct",
"berbvarrayadd",
"berbvarrayfree",
"berbvdup",
"berbvecadd",
"berbvecfree",
"berbvfree",
"berdump",
"berdup",
"berdupbv",
"laerrordomain",
"laerrornoncekey",
"lamechanismtree",
"lacontext",
"ladomainstate",
"laenvironment",
"lanotification",
"laprivatekey",
"lapublickey",
"laright",
"apple swift",
"o librarylevel",
"combine import",
"foundation",
"swift import",
"mcpeerid",
"mcsession",
"property",
"copyright",
"protocol",
"class",
"bonjour",
"ascii lowercase",
"abc company",
"section",
"bonjour txt",
"note",
"ui element",
"utf8 encoding",
"nscopying",
"nsdictionary",
"nsstring",
"mcextern",
"attribute",
"mcextern extern",
"mcexternweak",
"nsenum",
"nsinteger",
"mcerrorcode",
"mcerrorunknown",
"mcerrortimedout",
"peer",
"example",
"bonjour apis",
"stop",
"tags",
"session",
"nsprogress",
"nserror",
"nsurl",
"nsarray",
"create",
"nsuinteger",
"notifies",
"mcsession api",
"interface",
"dbictrace",
"dbivporth",
"dbictracelevel",
"dbdtffoo",
"dbihseterrchar",
"dbicstate",
"dbictraceflags",
"provides macros",
"dbi release",
"only",
"sqlsuccess",
"odbc",
"sqlok",
"tim bunce",
"england",
"sql cli",
"sql datatype",
"sqlguid",
"sqlwlongvarchar",
"main",
"beware",
"sv sth",
"sv dbh",
"impsth",
"impdbh",
"sv keysv",
"sv params",
"sv attr",
"sv attribs",
"sv drh",
"void",
"fri jul",
"mixed",
"dbixsrevision",
"plsvundef",
"license",
"spagain",
"perlioprintf",
"dbiclogpio",
"putback",
"ireland",
"gnu general",
"super",
"magic",
"dbicflags",
"dbis",
"svrv",
"null",
"imp2com",
"dbicactivekids",
"dbicfiadestroy",
"sv h",
"dbicdbistate",
"code",
"copy",
"refer",
"trace",
"error",
"unknown",
"hookopcheckh",
"startexternc",
"hookopcheckcb",
"userdata",
"endexternc",
"isinternalbuild",
"kickmcxdforuid",
"loadappkit",
"ardconfig",
"authenticator",
"dsauthenticator",
"dsnode",
"dsrecord",
"group",
"hostconfig",
"apfsvolumelock",
"apfsvolumerole",
"aoskgetosinfo",
"aoskgetuserinfo",
"aosaddappleid",
"aosdisablepcs",
"aosenablepcs",
"aoslog",
"aoslogforce",
"aosrelaycookie",
"didfailcallback",
"kaosaccountkey",
"kapcsbundle",
"kapcspath",
"kjsonextension",
"apcsbucketid",
"apcsreports",
"apconfiguration",
"apversiondata",
"apversionhelper",
"systemvolumesvm",
"name size",
"identifier",
"gb disk0s3",
"devdisk3",
"apfs container",
"scheme",
"physical store",
"macintosh hd",
"apfs snapshot",
"preboot",
"refs address",
"size wired",
"name",
"version",
"uuid",
"linked against",
"renderer",
"helper",
"chrome helper",
"contains",
"cloud ui",
"macintosh",
"khtml",
"gecko",
"ui helper",
"plugin",
"service",
"good",
"battery power",
"apfs encryption",
"jumpcloud go",
"chrome web",
"store",
"privacy badger",
"flowcrypt",
"encrypt gmail",
"simple",
"google",
"b2b phone",
"number",
"apollo",
"future",
"exccrash",
"sigkill",
"code signature",
"invalid",
"sigabrt",
"protonvpn",
"excguard",
"excbreakpoint",
"sigtrap",
"excbadaccess",
"appl",
"english",
"adobe crash",
"adobe",
"acrobat dcadobe",
"processor",
"uninstaller",
"assistant",
"install",
"cloud",
"dock",
"calendar",
"music",
"terminal",
"tips",
"installer",
"updater",
"proton",
"tools",
"stub",
"python",
"clock",
"powershell",
"team",
"rave scout",
"cookies",
"public folder",
"key cert",
"sign",
"crl sign",
"root ca",
"authority",
"public primary",
"global root",
"verisign",
"academic",
"premium",
"adaptive",
"interactive",
"background",
"standard",
"launchd sandbox",
"s mdworker",
"agent",
"command line",
"progress",
"yubico",
"macos13action",
"disableoverride",
"disableairdrop",
"denyactivation",
"enable",
"loginwindowtext",
"jumpcloud",
"autoupdate",
"loggingoption",
"enablefirewall",
"arm64e",
"apple m2",
"mac142",
"kjqqtw7pqt",
"daemon",
"server",
"open directory",
"user",
"account",
"kerberos admin",
"kerberos change",
"device daemon",
"network",
"desktop",
"screensaver",
"bridge",
"aesxtsarm",
"aesecbarm",
"sha512vngarmhw",
"sha384vngarmhw",
"sha256vngarm",
"sha1vngarm",
"darwin kernel",
"wed mar",
"wkarraycreate",
"wkbooleancreate",
"wkcontextcreate",
"wkdatacreate",
"wkdatagettypeid",
"wkdoublecreate",
"wkframecopyurl",
"wkgettypeid",
"wkimagecreate",
"wkpagecandelete",
"webview",
"notice",
"this software",
"including",
"but not",
"limited to",
"redistribution",
"is provided",
"by apple",
"direct",
"damage",
"apiavailable",
"webkit",
"nsswiftname",
"document",
"a block",
"as is",
"hasinclude",
"wkdownload",
"abstract",
"wkerrorcode",
"wkerrorunknown",
"discussion",
"bool",
"whether",
"wkcontentworld",
"wkwebview",
"javascript",
"nsunavailable",
"vaargs",
"nsswiftasync",
"wkswiftasync",
"wkcookiepolicy",
"wkswiftuiactor",
"nshttpcookie",
"targetosiphone",
"wknavigation",
"decides",
"boolean value",
"apideprecated",
"methodkind",
"wkerrordomain",
"wkscriptmessage",
"promise",
"fulfill",
"const",
"url scheme",
"mark",
"wkuserscript",
"targetosvision",
"param",
"wkframeinfo",
"targetosios",
"pass",
"window",
"mime type",
"link",
"nsimage",
"returns",
"nsset",
"checks",
"matches",
"a boolean",
"defaults",
"wkwebextension",
"cgsize",
"uiimage",
"apis",
"nsdate",
"wkcontentmode",
"wkextern",
"possible",
"cgfloat",
"media",
"cgrect",
"apiunavailable",
"framework",
"nsswiftuiactor",
"targetoswatch",
"confirms",
"apple upgrade",
"nsstring user",
"nsobject",
"provider",
"apple",
"password",
"uicontrol",
"nscontrol",
"asuseragerange",
"check",
"opaque user",
"apple id",
"initiate",
"asauthorization",
"operation",
"state",
"nserrorenum",
"nsdata",
"relying party",
"asapiavailable",
"perform",
"realm",
"http response",
"authorization",
"http",
"oauth",
"saml",
"a byte",
"nsdata userid",
"relying",
"a string",
"nsdata readdata",
"bool didwrite",
"a cose",
"nsdata first",
"nsdata second",
"nsstring name",
"bool appid",
"targetosxr",
"nsstring appid",
"bluetooth",
"mdm profile",
"nsurl url",
"returns yes",
"a state",
"a json",
"web token",
"private seckeys",
"enables",
"keychain",
"asswiftsendable",
"cose algorithm",
"ecdsa",
"sha256",
"cose curve",
"p256",
"nullable",
"bool success",
"remove",
"call",
"complete",
"initializes",
"time code",
"extensions",
"asextern extern",
"asextern",
"nsswiftsendable",
"prepare",
"list",
"nsextension",
"attempt",
"nsstring label",
"creates",
"nsstring code",
"a key",
"webauthn",
"nssecurecoding",
"input",
"output",
"initialize",
"nsinteger rank",
"json",
"inputs",
"hash",
"nsstring origin",
"settings app",
"extension",
"https urls",
"safari",
"cancel",
"nsuuid uuid",
"r uftpexu",
"nsmutabledata",
"vnsdate",
"mprcjy",
"postfix",
"domain",
"canonical",
"tables",
"ldap",
"post",
"replace user",
"address",
"wietse venema",
"bugs",
"mail",
"aliases",
"postfix version",
"restrict",
"sample",
"person",
"basic system",
"general",
"reject empty",
"postfix smtp",
"ipv6 host",
"reject",
"reply",
"access",
"prior",
"hold",
"info",
"mail delivery",
"charset",
"system",
"report",
"postfix dsn",
"mail returned",
"this",
"generic",
"smtp",
"isp mail",
"mime",
"headerchecks",
"readme files",
"filters while",
"posix",
"empty",
"body",
"write",
"date",
"smtp server",
"specify",
"mx host",
"unix password",
"user unknown",
"pathbin",
"postfix queue",
"unix",
"cyrus",
"path",
"uucp",
"shell",
"local",
"program",
"agreement",
"contributor",
"recipient",
"contribution",
"the program",
"corporation",
"contributors",
"product x",
"as expressly",
"arch",
"arch x8664",
"pipe wall",
"wimplicit",
"ranlib",
"warn",
"switch",
"start",
"systype",
"outlook",
"postfix master",
"begin",
"server admin",
"mail backend",
"modern smtp",
"iana",
"many",
"postfix pipe",
"recent cyrus",
"amos gouaux",
"old example",
"or even",
"lutz jaenicke",
"technology",
"cottbus",
"germany",
"openssl package",
"openssl project",
"europe",
"remember that",
"use of",
"file",
"update",
"usrsbin",
"file format",
"no group",
"daemondirectory",
"deliver mail",
"transport",
"description",
"result format",
"virtual",
"virtual alias",
"redirect mail",
"relocated",
"matches user",
"synopsis",
"lastname",
"firstname",
"apple computer",
"tcpip",
"supported",
"quantum",
"facility",
"level",
"level info",
"broadcast",
"ignore",
"rules",
"sender",
"automounter map",
"use directory",
"get home",
"home autohome",
"true",
"t option",
"mount",
"force",
"environment",
"automountdenv",
"promptcommand",
"shellsessiondir",
"histfile",
"histfilesize",
"myvar",
"histtimeformat",
"arrange",
"bashrematch",
"tell",
"ps1h",
"make bash",
"s checkwinsize",
"etcbashrc",
"termprogram",
"inpck",
"nnnbaud",
"berkeley",
"parity",
"pc entry",
"pass8",
"parenb istrip",
"fixed speed",
"entry",
"clocal mode",
"maxhistsize",
"promptmode",
"verbose end",
"etcirbrcloaded",
"default",
"setup",
"history file",
"kernel",
"readline",
"jabber",
"group database",
"dovecot",
"postfix scsd",
"networkd",
"searchpaths",
"freebsd",
"tmpdir",
"fcodes",
"prunepaths",
"vartmp",
"prunedirs",
"filesystems",
"nroff",
"manpath",
"uncomment",
"manpager",
"whatispager",
"manlocale",
"every",
"manpath optman",
"maybe",
"troff",
"status mailfrom",
"returnpath via",
"pidfile",
"flags",
"bcgjnuwz",
"bin usrsbin",
"sbin",
"default pf",
"care",
"audio",
"user database",
"unix copy",
"gate daemon",
"bashno",
"r etcbashrc",
"rfc1323",
"m1460",
"macos x",
"signature",
"linux",
"opera",
"xp sp1",
"windows sp1",
"nmap syn",
"m265",
"synack",
"mind",
"macos",
"warp",
"ipv6",
"internet",
"icmp",
"cisco",
"monitoring",
"argus",
"chaos",
"rsvp",
"encapsulation",
"aris",
"isis",
"netbootmount",
"netbootshadow",
"computername",
"localonly",
"localnetbootdir",
"netboot",
"define",
"purpose",
"networkonly",
"waiting",
"networkup",
"term",
"devnull",
"common setup",
"configure",
"set command",
"dns hostname",
"dns query",
"see also",
"kame",
"sunnet manager",
"rpcsrc",
"netlicense",
"ftpd",
"bindash binksh",
"binsh bintcsh",
"jumpcloud ldap",
"smb2",
"security",
"workgroup",
"standalone",
"samba server",
"enforce",
"smb3",
"example share",
"improper use",
"ctrlc",
"none",
"fax reception",
"hardwired",
"0007",
"must",
"visudo",
"blocksize",
"charset lang",
"language lcall",
"lines columns",
"lscolors",
"sshauthsock",
"orion",
"setup user",
"home",
"zdotdir",
"delete",
"beep",
"vendor",
"kf10",
"kf11",
"kf12",
"kf13",
"backspace",
"insert",
"resume",
"termsessionid",
"savehist",
"sharehistory",
"h do",
"volume",
"de l",
"l uuid",
"m tra",
"n est",
"suuid",
"prfen",
"fusion",
"syst",
"look",
"executant",
"alla",
"over",
"test",
"overie",
"zapis",
"rapid",
"disco usa",
"de macos",
"nie s",
"i denne",
"adgjmpsvx",
"diskgthis disk",
"01k8x j",
"34disk",
"levy kytt",
"dict",
"array",
"plist",
"apple root",
"code signing",
"inode64r",
"xofkoxzh",
"integer",
"doctype",
"brain",
"abcd",
"ogwo",
"boaw",
"cobwa",
"uhawavauatsh",
"ip bitmap",
"foewdc",
"could",
"ip block",
"funcs",
"cogwo",
"trash",
"double",
"hunt",
"affa",
"carr",
"crypto",
"docwbac",
"q1b0",
"q1 0",
"h h5",
"docwbag",
"slice",
"format",
"zero",
"alfa",
"hera",
"lelei",
"hehe",
"hisp",
"fail",
"katy",
"zakk",
"eodwcbgao",
"hhk8di",
"alma",
"topo",
"open",
"huhk",
"piper",
"hehx",
"eh ui",
"h20hph",
"hif h",
"hmhhihqhyla hq",
"r11b0",
"target",
"uus10u",
"hifh",
"loghookfailed",
"loghook",
"hell",
"q1b 0",
"f duh",
"aqw1",
"1160"
],
"references": [
"index.html.en",
"bind.html",
"caching.html",
"BUILDING",
"configuring.html",
"content-negotiation.html",
"custom-error.html",
"convenience.map",
"LDAP.tbd",
"lber.h",
"ldap.h",
"LocalAuthentication.tbd",
"arm64e-apple-macos.swiftinterface",
"x86_64-apple-ios-macabi.swiftinterface",
"arm64e-apple-ios-macabi.swiftinterface",
"x86_64-apple-macos.swiftinterface",
"MultipeerConnectivity.tbd",
"module.modulemap",
"MCNearbyServiceAdvertiser.h",
"MCPeerID.h",
"MCError.h",
"MCNearbyServiceBrowser.h",
"MCAdvertiserAssistant.h",
"MultipeerConnectivity.apinotes",
"MultipeerConnectivity.h",
"MCSession.h",
"MCBrowserViewController.h",
"dbivport.h",
"dbi_sql.h",
"dbd_xsh.h",
"dbixs_rev.h",
"Driver_xst.h",
"DBIXS.h",
"hook_op_check.h",
"Admin.tbd",
"AirPlayReceiver.tbd",
"apfs_boot_mount.tbd",
"AOSKit.tbd",
"APConfigurationSystem.tbd",
"AppleFirmwareUpdate.tbd",
"launchdaemons.txt",
"preboot_archive_errors.log",
"mounts.txt",
"launchagents.txt",
"disk_structure.txt",
"user_launchagents.txt",
"security_status.txt",
"kexts.txt",
"process_list.txt",
"battery.csv",
"diskEncryption.csv",
"chromeExtensions.csv",
"crashes.csv",
"interfaceAddrs.csv",
"kernel.csv",
"interfaceDetails.csv",
"etcHosts.csv",
"applications.csv",
"mounts.csv",
"sharedFolders.csv",
"certificates.csv",
"sharingPreferences.csv",
"launchD.csv",
"usbDevices.csv",
"managedPolicies.csv",
"systemInfo.csv",
"users.csv",
"sipConfig.csv",
"systemControls.csv",
"canonical",
"aliases",
"custom_header_checks",
"access",
"bounce.cf.default",
"generic",
"header_checks",
"main.cf.default",
"LICENSE",
"makedefs.out",
"main.cf",
"master.cf.default",
"main.cf.proto",
"master.cf.proto",
"master.cf",
"TLS_LICENSE",
"postfix-files",
"transport",
"virtual",
"relocated",
"afpovertcp.cfg",
"asl.conf",
"auto_home",
"auto_master",
"autofs.conf",
"bashrc_Apple_Terminal",
"com.apple.screensharing.agent.launchd",
"bashrc",
"command_args.json",
"csh.cshrc",
"csh.login",
"find.codes",
"csh.logout",
"ftpusers",
"gettytab",
"irbrc",
"kern_loader.conf",
"group",
"locate.rc",
"man.conf",
"mail.rc",
"manpaths",
"networks",
"nfs.conf",
"newsyslog.conf",
"ntp_opendirectory.conf",
"ntp.conf",
"notify.conf",
"paths",
"pf.conf",
"passwd",
"profile",
"pf.os",
"protocols",
"rc.netboot",
"rc.common",
"rmtab",
"resolv.conf",
"rtadvd.conf",
"rpc",
"shells",
"smb.conf",
"sudo_lecture",
"ttys",
"syslog.conf",
"xtab",
"sudoers",
"zprofile",
"zshrc",
"zshrc_Apple_Terminal",
"CodeResources",
"version.plist",
"Info.plist"
],
"public": 1,
"adversary": "DragonForce Malaysia Hacker Group",
"targeted_countries": [],
"malware_families": [
{
"id": "Lastname",
"display_name": "Lastname",
"target": null
},
{
"id": "Firstname",
"display_name": "Firstname",
"target": null
}
],
"attack_ids": [
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 66,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "ilyailya",
"id": "298851",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 4449,
"domain": 3847,
"URL": 14263,
"FileHash-SHA256": 2356,
"FileHash-MD5": 223,
"FileHash-SHA1": 523,
"email": 223,
"CVE": 40,
"CIDR": 12,
"SSLCertFingerprint": 302
},
"indicator_count": 26238,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 37,
"modified_text": "384 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e863bebbf95e0dc5a4169a",
"name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack expected",
"description": "Network compromised updated Apple device was directed (303) to a server. This is one of several botnets found. onthewifi \u2206 {Win32:BotX-gen\\ [Trj]} \u2022 Injection process | Password bypass. Studies targets behavior | Checks for other devices | Glupteba: \n Glupteba is a trojan-type program, malicious software that installs other programs of this type. Cyber criminals can perform a number of actions of a malicious hacker's choice on your device.",
"modified": "2024-04-05T12:00:46.637000",
"created": "2024-03-06T12:38:22.052000",
"tags": [
"referrer",
"tsara brashears",
"password bypass",
"apple phone",
"unlocker",
"shell code",
"script",
"pe resource",
"execution",
"sneaky server",
"emotet",
"android",
"download",
"malware",
"relic",
"monitoring",
"installer",
"formbook",
"urls",
"contacted",
"win32 exe",
"parents",
"type name",
"msrsaapp",
"files",
"file type",
"kb file",
"b file",
"graph",
"pe32 executable",
"ms windows",
"intel",
"generic cil",
"executable",
"mono",
"win32 dynamic",
"link library",
"win16 ne",
"samplename",
"samplepath",
"jays youtube",
"rticon neutral",
"details",
"header intel",
"name md5",
"type",
"language",
"contained",
"ico rtgroupicon",
"neutral",
"net technology",
"corporation",
"domains",
"markmonitor inc",
"malicious",
"cnc",
"network",
"bypass password",
"network probe",
"dns query",
"as20940",
"united",
"aaaa",
"search",
"showing",
"date",
"passive dns",
"registrar",
"unknown",
"encrypt",
"next",
"domain",
"emails",
"name servers",
"as199524",
"record value",
"rst seen",
"last seen",
"asn country",
"cname",
"as15169 google",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files ip",
"as4788",
"address",
"pulses",
"win32",
"entries",
"dadjoke",
"ms defender",
"united kingdom",
"germany unknown",
"as46606",
"as14061",
"servers",
"as12576 ee",
"russia unknown",
"as3320 deutsche",
"gamaredon",
"armageddon",
"as8068",
"script urls",
"for privacy",
"script domains",
"certificate",
"meta",
"creation date",
"as14627",
"ipv4",
"onthewifi",
"as54113",
"trojan",
"flywheel",
"sea x",
"accept",
"ransom",
"post http",
"langserbian",
"sublangdefault",
"rticon",
"process32nextw",
"medium",
"t1055",
"high",
"ip address",
"generic",
"body",
"markus",
"june",
"copy",
"bitcoin"
],
"references": [
"FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb",
"FormBook: 45.159.189.105",
"FormBook: http://45.159.189.105/bot/regex",
"Emotet: www.youtube.com/watch?v=GyuMozsVyYs",
"Relic: bam.nr-data.net [Apple Private Data Collection]",
"capitana.onthewifi.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Win32:Cryptor",
"display_name": "Win32:Cryptor",
"target": null
},
{
"id": "Win.Virus.PolyRansom-5704625-0",
"display_name": "Win.Virus.PolyRansom-5704625-0",
"target": null
},
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.KM!MTB",
"display_name": "Trojan:Win32/Glupteba.KM!MTB",
"target": "/malware/Trojan:Win32/Glupteba.KM!MTB"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1188",
"name": "Multi-hop Proxy",
"display_name": "T1188 - Multi-hop Proxy"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 53,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 309,
"FileHash-SHA1": 307,
"FileHash-SHA256": 3084,
"URL": 3066,
"domain": 1085,
"hostname": 1709,
"CVE": 1,
"email": 7
},
"indicator_count": 9568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "785 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://syndicatedsearch.goog/afs/ads/i/iframe.html",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://syndicatedsearch.goog/afs/ads/i/iframe.html",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780205886.4597082
}