{ "type": "URL", "indicator": "https://t.carts.guru/bundle.js", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://t.carts.guru/bundle.js", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4098394811, "indicator": "https://t.carts.guru/bundle.js", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69519fa81048ad057eb9beaa", "name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)", "description": "I really love using this tool (LevelBlue -OTX) In all reality this information would have been sent to the government. CISA , NSA, Homeland Security, Citizens Lab, Canada based international organization would have been involved years ago. | \nWhere does this information goes. Citizens Lab would has been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild , credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.", "modified": "2026-01-27T21:02:45.343000", "created": "2025-12-28T21:22:48.595000", "tags": [ "united", "servers", "moved", "ip address", "record value", "encrypt", "present jul", "present jun", "trojandropper", "passive dns", "ipv4 add", "urls", "files", "virtool", "united states", "dynamicloader", "directui", "element", "classinfobase", "write c", "medium", "yara rule", "msvisualbasic60", "high", "hwndelement", "explorer", "write", "movie", "insert", "program", "python", "http traffic", "trojan generic", "search", "cnc activity", "delphi", "win32", "launcher", "pony", "fareit", "malware", "push", "msie", "windows nt", "generic", "checkin", "post", "yara detections", "rxr", "inject", "memcommit", "cryptexportkey", "invalid pointer", "regsetvalueexa", "solutions ltd", "read c", "regdword", "mozilla", "persistence", "execution", "android", "unknown", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "initial access", "defense evasion", "spawns", "t1590 gather", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "pattern match", "mitre att", "ck matrix", "href", "ascii text", "starfield", "hybrid", "general", "local", "path", "iframe", "palantir", "present nov", "present oct", "status", "present apr", "present dec", "cryp", "date", "trojan", "title", "name servers", "windows", "t1060", "disables proxy", "dock", "pegasus", "rootkit", "backdoor", "susp", "win32qqpass feb", "worm", "msr win32", "win64", "process32nextw", "findwindowa", "file execution", "writeconsolea", "procexpl", "file v2", "document", "document file", "v2 document", "lost", "tools", "pecompact", "media", "autorun", "service", "post http", "delete", "alerts", "emotet", "rkt", "autorun", "worm", "plugins", "title error", "body doctype", "html public", "w3cdtd html", "html head", "domain", "expiration date", "hostname add", "pulse pulses", "contacted hosts", "sha1", "sha256", "show technique", "strings", "t1480 execution", "signing defense", "script urls", "a domains", "unknown ns", "texas flyover", "script domains", "script script", "meta", "window", "process details", "contacted" ], "references": [ "Cart.Guru", "Yara Detections: Delphi", "Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer", "MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer", "HTTP traffic on port 443 (POST)", "IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query", "Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs", "Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http", "Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates", "Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http", "Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe", "Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check", "Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad", "Yara Detections: Nullsoft_NSIS ...", "Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat", "Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com", "Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103", "Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx", "Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy", "Emotet IDS Detections: Win32/Emotet CnC Checkin Response", "Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users" ], "public": 1, "adversary": "Palantir Pegasus", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RXR", "display_name": "RXR", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Bagsu!rfn", "display_name": "Trojan:Win32/Bagsu!rfn", "target": "/malware/Trojan:Win32/Bagsu!rfn" }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "#Lowfi:Win32/SandboxProductId", "display_name": "#Lowfi:Win32/SandboxProductId", "target": "/malware/#Lowfi:Win32/SandboxProductId" }, { "id": "Win32:Backdoor", "display_name": "Win32:Backdoor", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "ALF:Trojan:MSIL/BlackFus.C", "display_name": "ALF:Trojan:MSIL/BlackFus.C", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "TrojanProxy:Win32/Ceutv.A", "display_name": "TrojanProxy:Win32/Ceutv.A", "target": "/malware/TrojanProxy:Win32/Ceutv.A" }, { "id": "VirTool:Win32/Obfuscator.AHU", "display_name": "VirTool:Win32/Obfuscator.AHU", "target": "/malware/VirTool:Win32/Obfuscator.AHU" }, { "id": "ShellCode", "display_name": "ShellCode", "target": null }, { "id": "Win32:Rootkit", "display_name": "Win32:Rootkit", "target": null }, { "id": "VB Flash", "display_name": "VB Flash", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Win.Packed.Razy-6847895-0", "display_name": "Win.Packed.Razy-6847895-0", "target": null }, { "id": "Backdoor:Win32/Plugx.N!", "display_name": "Backdoor:Win32/Plugx.N!", "target": "/malware/Backdoor:Win32/Plugx.N!" }, { "id": "Win.Dropper.QQpass-7194329-0", "display_name": "Win.Dropper.QQpass-7194329-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win32:Agent", "display_name": "Win32:Agent", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "Win.Trojan.Emotet-7545664-0", "display_name": "Win.Trojan.Emotet-7545664-0", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2362, "domain": 449, "hostname": 710, "email": 6, "FileHash-MD5": 260, "FileHash-SHA1": 201, "FileHash-SHA256": 333, "SSLCertFingerprint": 27 }, "indicator_count": 4348, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "82 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69519fa818f84531ce6becc9", "name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)", "description": "I really love using this tool (LevelBlue -OTX) In all reality this information would have been sent to the government. CISA , NSA, Homeland Security, Citizens Lab, Canada based international organization would have been involved years ago. Where does this information goes. Citizens Lab would has been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild , credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.", "modified": "2026-01-27T21:02:45.343000", "created": "2025-12-28T21:22:48.383000", "tags": [ "united", "servers", "moved", "ip address", "record value", "encrypt", "present jul", "present jun", "trojandropper", "passive dns", "ipv4 add", "urls", "files", "virtool", "united states", "dynamicloader", "directui", "element", "classinfobase", "write c", "medium", "yara rule", "msvisualbasic60", "high", "hwndelement", "explorer", "write", "movie", "insert", "program", "python", "http traffic", "trojan generic", "search", "cnc activity", "delphi", "win32", "launcher", "pony", "fareit", "malware", "push", "msie", "windows nt", "generic", "checkin", "post", "yara detections", "rxr", "inject", "memcommit", "cryptexportkey", "invalid pointer", "regsetvalueexa", "solutions ltd", "read c", "regdword", "mozilla", "persistence", "execution", "android", "unknown", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "initial access", "defense evasion", "spawns", "t1590 gather", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "pattern match", "mitre att", "ck matrix", "href", "ascii text", "starfield", "hybrid", "general", "local", "path", "iframe", "palantir", "present nov", "present oct", "status", "present apr", "present dec", "cryp", "date", "trojan", "title", "name servers", "windows", "t1060", "disables proxy", "dock", "pegasus", "rootkit", "backdoor", "susp", "win32qqpass feb", "worm", "msr win32", "win64", "process32nextw", "findwindowa", "file execution", "writeconsolea", "procexpl", "file v2", "document", "document file", "v2 document", "lost", "tools", "pecompact", "media", "autorun", "service", "post http", "delete", "alerts", "emotet", "rkt", "autorun", "worm", "plugins", "title error", "body doctype", "html public", "w3cdtd html", "html head", "domain", "expiration date", "hostname add", "pulse pulses", "contacted hosts", "sha1", "sha256", "show technique", "strings", "t1480 execution", "signing defense", "script urls", "a domains", "unknown ns", "texas flyover", "script domains", "script script", "meta", "window", "process details", "contacted" ], "references": [ "Cart.Guru", "Yara Detections: Delphi", "Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer", "MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer", "HTTP traffic on port 443 (POST)", "IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query", "Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs", "Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http", "Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates", "Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http", "Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe", "Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check", "Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad", "Yara Detections: Nullsoft_NSIS ...", "Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat", "Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com", "Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103", "Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx", "Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy", "Emotet IDS Detections: Win32/Emotet CnC Checkin Response", "Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users" ], "public": 1, "adversary": "Palantir Pegasus", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RXR", "display_name": "RXR", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Bagsu!rfn", "display_name": "Trojan:Win32/Bagsu!rfn", "target": "/malware/Trojan:Win32/Bagsu!rfn" }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "#Lowfi:Win32/SandboxProductId", "display_name": "#Lowfi:Win32/SandboxProductId", "target": "/malware/#Lowfi:Win32/SandboxProductId" }, { "id": "Win32:Backdoor", "display_name": "Win32:Backdoor", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "ALF:Trojan:MSIL/BlackFus.C", "display_name": "ALF:Trojan:MSIL/BlackFus.C", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "TrojanProxy:Win32/Ceutv.A", "display_name": "TrojanProxy:Win32/Ceutv.A", "target": "/malware/TrojanProxy:Win32/Ceutv.A" }, { "id": "VirTool:Win32/Obfuscator.AHU", "display_name": "VirTool:Win32/Obfuscator.AHU", "target": "/malware/VirTool:Win32/Obfuscator.AHU" }, { "id": "ShellCode", "display_name": "ShellCode", "target": null }, { "id": "Win32:Rootkit", "display_name": "Win32:Rootkit", "target": null }, { "id": "VB Flash", "display_name": "VB Flash", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Win.Packed.Razy-6847895-0", "display_name": "Win.Packed.Razy-6847895-0", "target": null }, { "id": "Backdoor:Win32/Plugx.N!", "display_name": "Backdoor:Win32/Plugx.N!", "target": "/malware/Backdoor:Win32/Plugx.N!" }, { "id": "Win.Dropper.QQpass-7194329-0", "display_name": "Win.Dropper.QQpass-7194329-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win32:Agent", "display_name": "Win32:Agent", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "Win.Trojan.Emotet-7545664-0", "display_name": "Win.Trojan.Emotet-7545664-0", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2362, "domain": 449, "hostname": 710, "email": 6, "FileHash-MD5": 260, "FileHash-SHA1": 201, "FileHash-SHA256": 333, "SSLCertFingerprint": 27 }, "indicator_count": 4348, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "82 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68858e8244c8db854e8947c1", "name": "Goodreads Malware", "description": "Goodreads is an older book review website. I found Goodreads[.]com links botnet joining Pulse. Just curious. #goodreads #malware #goodreads_botnet_join #thismightbeabotnet\n#gogray #purpleteamit #malware \n#thismightbeabotnet #ineedtolearnmore", "modified": "2025-08-26T01:03:19.405000", "created": "2025-07-27T02:27:14.517000", "tags": [ "passive dns", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "united", "flag united", "present jun", "present may", "present apr", "search", "moved", "creation date", "record value", "date", "body", "meta", "indicator role", "title added", "active related", "pulses url", "memcommit", "value1", "partnerid4146", "username", "gamesessionid", "port", "destination", "regsetvalueexa", "mozilla", "write", "persistence", "execution", "malware", "copy", "next", "process32nextw", "show", "entries", "module load", "t1129", "intel", "ms windows", "showing", "t1045", "win32", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "evasion att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "size", "pattern match", "ascii text", "null", "error", "starfield", "click", "hybrid", "local", "path", "strings", "refresh", "tools", "onload", "span", "smbds ipc", "ms17010", "msf style", "probe ms17010", "generic flags", "yara detections", "nrv2x", "upxoepplace" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 155, "hostname": 1237, "FileHash-SHA256": 1141, "domain": 574, "URL": 4593, "FileHash-SHA1": 139, "email": 1, "SSLCertFingerprint": 8 }, "indicator_count": 7848, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d91b1a8f414040bfba430", "name": "Spyware", "description": "And I've been walking, talking\nBelieving the things that are true\nAnd I've been finding\nThe difference between right and wrong, bad and good\nSee me put things together\nPut them back where they belong\nWhen I look at each other\nHave I always been singing the same song?\n\nShe said\nThis is a perfect world\nRiding on an incline\nI'm staring in your face\nYou'll photograph mine\n\nI-I-I-I-I\nWhoo, ah-ha-ha\nHa-ha-ha-ha-ha-ha\n\nSomebody said that it happens all over the world\nI do believe that it's true (\u2022o\u2022)\n#spyware #MaaS #malvertizing #bullyfor$ #unethical #dangerous_tool", "modified": "2025-08-20T00:01:59.498000", "created": "2025-07-21T01:02:41.049000", "tags": [ "serving ip", "address", "status", "utc na", "utc google", "utc facebook", "custom audience", "tag manager", "ua748443502", "utc gtmwrp73mt", "utc gsrdlm5jnx1", "utc aw937838002", "adsense na", "connect", "file type", "status code", "body length", "kb body", "sha256", "powershell", "b file", "ta0004 defense", "evasion ta0005", "command", "control ta0011", "c0002 wininet", "number", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "corporation cus", "algorithm", "cndigicert sha2", "secure server", "ca odigicert", "inc cus", "subject", "cnwe1 ogoogle", "trust", "cnmicrosoft ecc", "update secure", "server ca", "omicrosoft", "get http", "request", "windows nt", "win64", "khtml", "gecko", "response", "united", "search", "creation date", "expiration date", "name servers", "unknown soa", "germany unknown", "entries", "pulse submit", "url analysis", "date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 304, "hostname": 796, "URL": 2590, "FileHash-SHA256": 2735, "FileHash-MD5": 253, "FileHash-SHA1": 144, "email": 1 }, "indicator_count": 6823, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "242 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Yara Detections: Nullsoft_NSIS ...", "HTTP traffic on port 443 (POST)", "Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer", "Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http", "IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query", "Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx", "Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe", "Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com", "Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users", "Cart.Guru", "MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer", "Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http", "Yara Detections: Delphi", "Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs", "Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad", "Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat", "Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates", "Emotet IDS Detections: Win32/Emotet CnC Checkin Response", "Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103", "Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check", "Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Palantir Pegasus" ], "malware_families": [ "Rxr", "Pegasus", "#lowfi:win32/sandboxproductid", "Win32:agent", "Win.trojan.emotet-7545664-0", "Alf:trojan:msil/blackfus.c", "Trojan:win32/qqpass", "Trojanproxy:win32/ceutv.a", "Win32:malob-bx\\ [cryp]", "Worm:win32/autorun", "Pony", "Tofsee", "Pegasus - mob-s0005", "Backdoor:win32/plugx.n!", "Win32:backdoor", "Win32:malware", "Win.trojan.agent", "Virtool:win32/obfuscator.ahu", "Win.dropper.qqpass-7194329-0", "Win.packed.razy-6847895-0", "Win32:rootkit", "Trojan:win32/bagsu!rfn", "Trojandownloader:win32/cutwail", "#lowfienabledtcontinueafterunpacking", "Shellcode", "Vb flash", "Virtool:win32/obfuscator", "Win32:evo-gen\\ [susp]" ], "industries": [], "unique_indicators": 19005 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/carts.guru", "whois": "http://whois.domaintools.com/carts.guru", "domain": "carts.guru", "hostname": "t.carts.guru" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69519fa81048ad057eb9beaa", "name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)", "description": "I really love using this tool (LevelBlue -OTX) In all reality this information would have been sent to the government. CISA , NSA, Homeland Security, Citizens Lab, Canada based international organization would have been involved years ago. | \nWhere does this information goes. Citizens Lab would has been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild , credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.", "modified": "2026-01-27T21:02:45.343000", "created": "2025-12-28T21:22:48.595000", "tags": [ "united", "servers", "moved", "ip address", "record value", "encrypt", "present jul", "present jun", "trojandropper", "passive dns", "ipv4 add", "urls", "files", "virtool", "united states", "dynamicloader", "directui", "element", "classinfobase", "write c", "medium", "yara rule", "msvisualbasic60", "high", "hwndelement", "explorer", "write", "movie", "insert", "program", "python", "http traffic", "trojan generic", "search", "cnc activity", "delphi", "win32", "launcher", "pony", "fareit", "malware", "push", "msie", "windows nt", "generic", "checkin", "post", "yara detections", "rxr", "inject", "memcommit", "cryptexportkey", "invalid pointer", "regsetvalueexa", "solutions ltd", "read c", "regdword", "mozilla", "persistence", "execution", "android", "unknown", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "initial access", "defense evasion", "spawns", "t1590 gather", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "pattern match", "mitre att", "ck matrix", "href", "ascii text", "starfield", "hybrid", "general", "local", "path", "iframe", "palantir", "present nov", "present oct", "status", "present apr", "present dec", "cryp", "date", "trojan", "title", "name servers", "windows", "t1060", "disables proxy", "dock", "pegasus", "rootkit", "backdoor", "susp", "win32qqpass feb", "worm", "msr win32", "win64", "process32nextw", "findwindowa", "file execution", "writeconsolea", "procexpl", "file v2", "document", "document file", "v2 document", "lost", "tools", "pecompact", "media", "autorun", "service", "post http", "delete", "alerts", "emotet", "rkt", "autorun", "worm", "plugins", "title error", "body doctype", "html public", "w3cdtd html", "html head", "domain", "expiration date", "hostname add", "pulse pulses", "contacted hosts", "sha1", "sha256", "show technique", "strings", "t1480 execution", "signing defense", "script urls", "a domains", "unknown ns", "texas flyover", "script domains", "script script", "meta", "window", "process details", "contacted" ], "references": [ "Cart.Guru", "Yara Detections: Delphi", "Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer", "MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer", "HTTP traffic on port 443 (POST)", "IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query", "Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs", "Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http", "Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates", "Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http", "Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe", "Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check", "Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad", "Yara Detections: Nullsoft_NSIS ...", "Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat", "Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com", "Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103", "Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx", "Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy", "Emotet IDS Detections: Win32/Emotet CnC Checkin Response", "Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users" ], "public": 1, "adversary": "Palantir Pegasus", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RXR", "display_name": "RXR", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Bagsu!rfn", "display_name": "Trojan:Win32/Bagsu!rfn", "target": "/malware/Trojan:Win32/Bagsu!rfn" }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "#Lowfi:Win32/SandboxProductId", "display_name": "#Lowfi:Win32/SandboxProductId", "target": "/malware/#Lowfi:Win32/SandboxProductId" }, { "id": "Win32:Backdoor", "display_name": "Win32:Backdoor", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "ALF:Trojan:MSIL/BlackFus.C", "display_name": "ALF:Trojan:MSIL/BlackFus.C", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "TrojanProxy:Win32/Ceutv.A", "display_name": "TrojanProxy:Win32/Ceutv.A", "target": "/malware/TrojanProxy:Win32/Ceutv.A" }, { "id": "VirTool:Win32/Obfuscator.AHU", "display_name": "VirTool:Win32/Obfuscator.AHU", "target": "/malware/VirTool:Win32/Obfuscator.AHU" }, { "id": "ShellCode", "display_name": "ShellCode", "target": null }, { "id": "Win32:Rootkit", "display_name": "Win32:Rootkit", "target": null }, { "id": "VB Flash", "display_name": "VB Flash", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Win.Packed.Razy-6847895-0", "display_name": "Win.Packed.Razy-6847895-0", "target": null }, { "id": "Backdoor:Win32/Plugx.N!", "display_name": "Backdoor:Win32/Plugx.N!", "target": "/malware/Backdoor:Win32/Plugx.N!" }, { "id": "Win.Dropper.QQpass-7194329-0", "display_name": "Win.Dropper.QQpass-7194329-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win32:Agent", "display_name": "Win32:Agent", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "Win.Trojan.Emotet-7545664-0", "display_name": "Win.Trojan.Emotet-7545664-0", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2362, "domain": 449, "hostname": 710, "email": 6, "FileHash-MD5": 260, "FileHash-SHA1": 201, "FileHash-SHA256": 333, "SSLCertFingerprint": 27 }, "indicator_count": 4348, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "82 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69519fa818f84531ce6becc9", "name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)", "description": "I really love using this tool (LevelBlue -OTX) In all reality this information would have been sent to the government. CISA , NSA, Homeland Security, Citizens Lab, Canada based international organization would have been involved years ago. Where does this information goes. Citizens Lab would has been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild , credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.", "modified": "2026-01-27T21:02:45.343000", "created": "2025-12-28T21:22:48.383000", "tags": [ "united", "servers", "moved", "ip address", "record value", "encrypt", "present jul", "present jun", "trojandropper", "passive dns", "ipv4 add", "urls", "files", "virtool", "united states", "dynamicloader", "directui", "element", "classinfobase", "write c", "medium", "yara rule", "msvisualbasic60", "high", "hwndelement", "explorer", "write", "movie", "insert", "program", "python", "http traffic", "trojan generic", "search", "cnc activity", "delphi", "win32", "launcher", "pony", "fareit", "malware", "push", "msie", "windows nt", "generic", "checkin", "post", "yara detections", "rxr", "inject", "memcommit", "cryptexportkey", "invalid pointer", "regsetvalueexa", "solutions ltd", "read c", "regdword", "mozilla", "persistence", "execution", "android", "unknown", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "initial access", "defense evasion", "spawns", "t1590 gather", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "pattern match", "mitre att", "ck matrix", "href", "ascii text", "starfield", "hybrid", "general", "local", "path", "iframe", "palantir", "present nov", "present oct", "status", "present apr", "present dec", "cryp", "date", "trojan", "title", "name servers", "windows", "t1060", "disables proxy", "dock", "pegasus", "rootkit", "backdoor", "susp", "win32qqpass feb", "worm", "msr win32", "win64", "process32nextw", "findwindowa", "file execution", "writeconsolea", "procexpl", "file v2", "document", "document file", "v2 document", "lost", "tools", "pecompact", "media", "autorun", "service", "post http", "delete", "alerts", "emotet", "rkt", "autorun", "worm", "plugins", "title error", "body doctype", "html public", "w3cdtd html", "html head", "domain", "expiration date", "hostname add", "pulse pulses", "contacted hosts", "sha1", "sha256", "show technique", "strings", "t1480 execution", "signing defense", "script urls", "a domains", "unknown ns", "texas flyover", "script domains", "script script", "meta", "window", "process details", "contacted" ], "references": [ "Cart.Guru", "Yara Detections: Delphi", "Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer", "MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer", "HTTP traffic on port 443 (POST)", "IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query", "Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs", "Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http", "Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates", "Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http", "Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe", "Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check", "Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad", "Yara Detections: Nullsoft_NSIS ...", "Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat", "Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com", "Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103", "Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx", "Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy", "Emotet IDS Detections: Win32/Emotet CnC Checkin Response", "Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users" ], "public": 1, "adversary": "Palantir Pegasus", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RXR", "display_name": "RXR", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Bagsu!rfn", "display_name": "Trojan:Win32/Bagsu!rfn", "target": "/malware/Trojan:Win32/Bagsu!rfn" }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "#Lowfi:Win32/SandboxProductId", "display_name": "#Lowfi:Win32/SandboxProductId", "target": "/malware/#Lowfi:Win32/SandboxProductId" }, { "id": "Win32:Backdoor", "display_name": "Win32:Backdoor", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "ALF:Trojan:MSIL/BlackFus.C", "display_name": "ALF:Trojan:MSIL/BlackFus.C", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "TrojanProxy:Win32/Ceutv.A", "display_name": "TrojanProxy:Win32/Ceutv.A", "target": "/malware/TrojanProxy:Win32/Ceutv.A" }, { "id": "VirTool:Win32/Obfuscator.AHU", "display_name": "VirTool:Win32/Obfuscator.AHU", "target": "/malware/VirTool:Win32/Obfuscator.AHU" }, { "id": "ShellCode", "display_name": "ShellCode", "target": null }, { "id": "Win32:Rootkit", "display_name": "Win32:Rootkit", "target": null }, { "id": "VB Flash", "display_name": "VB Flash", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Win.Packed.Razy-6847895-0", "display_name": "Win.Packed.Razy-6847895-0", "target": null }, { "id": "Backdoor:Win32/Plugx.N!", "display_name": "Backdoor:Win32/Plugx.N!", "target": "/malware/Backdoor:Win32/Plugx.N!" }, { "id": "Win.Dropper.QQpass-7194329-0", "display_name": "Win.Dropper.QQpass-7194329-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win32:Agent", "display_name": "Win32:Agent", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "Win.Trojan.Emotet-7545664-0", "display_name": "Win.Trojan.Emotet-7545664-0", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2362, "domain": 449, "hostname": 710, "email": 6, "FileHash-MD5": 260, "FileHash-SHA1": 201, "FileHash-SHA256": 333, "SSLCertFingerprint": 27 }, "indicator_count": 4348, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "82 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68858e8244c8db854e8947c1", "name": "Goodreads Malware", "description": "Goodreads is an older book review website. I found Goodreads[.]com links botnet joining Pulse. Just curious. #goodreads #malware #goodreads_botnet_join #thismightbeabotnet\n#gogray #purpleteamit #malware \n#thismightbeabotnet #ineedtolearnmore", "modified": "2025-08-26T01:03:19.405000", "created": "2025-07-27T02:27:14.517000", "tags": [ "passive dns", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "united", "flag united", "present jun", "present may", "present apr", "search", "moved", "creation date", "record value", "date", "body", "meta", "indicator role", "title added", "active related", "pulses url", "memcommit", "value1", "partnerid4146", "username", "gamesessionid", "port", "destination", "regsetvalueexa", "mozilla", "write", "persistence", "execution", "malware", "copy", "next", "process32nextw", "show", "entries", "module load", "t1129", "intel", "ms windows", "showing", "t1045", "win32", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "evasion att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "size", "pattern match", "ascii text", "null", "error", "starfield", "click", "hybrid", "local", "path", "strings", "refresh", "tools", "onload", "span", "smbds ipc", "ms17010", "msf style", "probe ms17010", "generic flags", "yara detections", "nrv2x", "upxoepplace" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 155, "hostname": 1237, "FileHash-SHA256": 1141, "domain": 574, "URL": 4593, "FileHash-SHA1": 139, "email": 1, "SSLCertFingerprint": 8 }, "indicator_count": 7848, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d91b1a8f414040bfba430", "name": "Spyware", "description": "And I've been walking, talking\nBelieving the things that are true\nAnd I've been finding\nThe difference between right and wrong, bad and good\nSee me put things together\nPut them back where they belong\nWhen I look at each other\nHave I always been singing the same song?\n\nShe said\nThis is a perfect world\nRiding on an incline\nI'm staring in your face\nYou'll photograph mine\n\nI-I-I-I-I\nWhoo, ah-ha-ha\nHa-ha-ha-ha-ha-ha\n\nSomebody said that it happens all over the world\nI do believe that it's true (\u2022o\u2022)\n#spyware #MaaS #malvertizing #bullyfor$ #unethical #dangerous_tool", "modified": "2025-08-20T00:01:59.498000", "created": "2025-07-21T01:02:41.049000", "tags": [ "serving ip", "address", "status", "utc na", "utc google", "utc facebook", "custom audience", "tag manager", "ua748443502", "utc gtmwrp73mt", "utc gsrdlm5jnx1", "utc aw937838002", "adsense na", "connect", "file type", "status code", "body length", "kb body", "sha256", "powershell", "b file", "ta0004 defense", "evasion ta0005", "command", "control ta0011", "c0002 wininet", "number", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "corporation cus", "algorithm", "cndigicert sha2", "secure server", "ca odigicert", "inc cus", "subject", "cnwe1 ogoogle", "trust", "cnmicrosoft ecc", "update secure", "server ca", "omicrosoft", "get http", "request", "windows nt", "win64", "khtml", "gecko", "response", "united", "search", "creation date", "expiration date", "name servers", "unknown soa", "germany unknown", "entries", "pulse submit", "url analysis", "date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 304, "hostname": 796, "URL": 2590, "FileHash-SHA256": 2735, "FileHash-MD5": 253, "FileHash-SHA1": 144, "email": 1 }, "indicator_count": 6823, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "242 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://t.carts.guru/bundle.js", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://t.carts.guru/bundle.js", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776642072.1642363 }