{
"type": "URL",
"indicator": "https://teja8.kuikr.com/i6/20181126/Model",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://teja8.kuikr.com/i6/20181126/Model",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4137887896,
"indicator": "https://teja8.kuikr.com/i6/20181126/Model",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 25,
"pulses": [
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-05-17T15:52:35.396000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
"My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 28000,
"FileHash-SHA256": 48374,
"FileHash-MD5": 42596,
"FileHash-SHA1": 23243,
"hostname": 35654,
"URL": 75758,
"SSLCertFingerprint": 30,
"CVE": 7585,
"email": 316,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"URI": 5,
"IPv4": 574,
"Mutex": 1
},
"indicator_count": 288350,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 92,
"modified_text": "13 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf64eccb5d39a90a3c391e",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:32.565000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 152,
"modified_text": "65 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf64e1d5e06aa6207f78de",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:21.863000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 149,
"modified_text": "65 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699c6ef61298b57cd7275728",
"name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s",
"description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.",
"modified": "2026-03-25T07:05:10.628000",
"created": "2026-02-23T15:15:02.857000",
"tags": [
"ipv4",
"http",
"passive dns",
"files domain",
"united",
"unknown ns",
"for privacy",
"ip address",
"domain",
"dynamicloader",
"antivirus",
"yara rule",
"fe ff",
"write c",
"msvisualcpp60",
"rsds",
"e8 c8",
"e8 a8",
"ff e1",
"unknown",
"worm",
"launch",
"write",
"explorer",
"february",
"push",
"service",
"files",
"reverse dns",
"america flag",
"america asn",
"url add",
"otx logo",
"all ipv4",
"searc",
"date checked",
"server response",
"results dec",
"unknown soa",
"present aug",
"present oct",
"present sep",
"present nov",
"moved",
"error",
"title",
"win32mydoom feb",
"aaaa",
"name servers",
"trojan",
"servers",
"virtool",
"united states",
"apple",
"crlf line",
"unicode text",
"utf8",
"ff d5",
"ascii text",
"ee fc",
"suspicious",
"music",
"malware",
"role title",
"ttl value",
".cc",
"d4 f5",
"msvisualcpp2002",
"msvisualcpp2005",
"apple support",
".ch",
"privaterelay",
"pattern match",
"ck id",
"mitre att",
"ck matrix",
"href",
"et info",
"general",
"local",
"path",
"click",
"learn",
"command",
"name tactics",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"present jun",
"backdoor",
"present may",
"status",
"ransom",
"high",
"medium",
"windows",
"tofsee",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"stream",
"delete",
"emotet",
"bot network",
"mitm",
"screenshot",
"mimecast"
],
"references": [
"http://apple.support.com/ht***** redirect",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"mac.store",
"https://icloud.ch/cn/ipod-touch/",
"https://icloud.ch/",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"Redirect: schemas.microsoft.com",
"apple.com(-inc.cc)",
"oas-japac-domains-applecomputer.cn",
"robert-aebi.appleid.com",
"smtp2.icl-privaterelay.appleid.com",
"http://audaxgroup.appleid.com/",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"iphonegermany.com",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"https://aspmx.l.google.com/",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"http://www.icloud-sms-alert.com/",
"monitoring.eurovision.net",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"monitor.kyos.ninja"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/IcedId.DI!MTB",
"display_name": "Trojan:Win32/IcedId.DI!MTB",
"target": "/malware/Trojan:Win32/IcedId.DI!MTB"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Worm:Win32/Bloored",
"display_name": "Worm:Win32/Bloored",
"target": "/malware/Worm:Win32/Bloored"
},
{
"id": "Win.Malware.Elenooka-6996044-0",
"display_name": "Win.Malware.Elenooka-6996044-0",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6031,
"hostname": 1971,
"domain": 1125,
"FileHash-SHA256": 1715,
"email": 18,
"FileHash-MD5": 317,
"FileHash-SHA1": 164
},
"indicator_count": 11341,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b92a27c47d4e28927364",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:24:26.110000",
"created": "2026-03-12T13:01:30.067000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 72,
"modified_text": "79 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b9295603a6100edfa8c8",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:24:25.387000",
"created": "2026-03-12T13:01:29.284000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 69,
"modified_text": "79 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b927aa7f10e82639d204",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:27.872000",
"created": "2026-03-12T13:01:27.872000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b927c086397130c5d114",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:27.275000",
"created": "2026-03-12T13:01:27.275000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b926871746ed8a1bc324",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:26.440000",
"created": "2026-03-12T13:01:26.440000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b925e85c948d4dd608cc",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:25.852000",
"created": "2026-03-12T13:01:25.852000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8e974189d2c41f07ed8",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:25.910000",
"created": "2026-03-12T13:00:25.910000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8e74d2b3effd55f88c3",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:23.173000",
"created": "2026-03-12T13:00:23.173000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8dfbf8426a7a1d0146d",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:15.427000",
"created": "2026-03-12T13:00:15.427000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8d7123610591625b8fb",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:07.354000",
"created": "2026-03-12T13:00:07.354000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8d61e3f64a8f1f169b6",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:06.214000",
"created": "2026-03-12T13:00:06.214000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b8d24eeb4200bdb1d702",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:02.096000",
"created": "2026-03-12T13:00:02.096000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "695fd5fa266f9ea34c8f5c45",
"name": "Cats and Kittens Attack Mirai Botnet and how it may target Threat Exchange users",
"description": "Cat attacks related to LummaC2 attacks,info stealing, domain seizures, etc. Including are references to the Lumma C2 with cats and Aura Stealer attacks. Same attack group , includes Mirai Botnet. Has the group become a larger , stronger adversary? \nSony Music connection. I\u2019m aware (The US Department of Justice and Microsoft disrupted LummaC2 infostealing-malware through domain seizures, taking down over 2,300 associated domains. The FBI and CISA by AlienVault) Further research necessary.",
"modified": "2026-02-07T14:04:48.556000",
"created": "2026-01-08T16:06:18.126000",
"tags": [
"levelblue labs",
"mirai",
"windows",
"ck ids",
"application",
"network denial",
"service",
"contacted",
"search",
"unknown",
"top source",
"top destination",
"source source",
"china as4812",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"enter",
"udp include",
"country",
"unique",
"unique asns",
"ip hostname",
"reverse ip",
"lookup country",
"china as17429",
"taiwan as3462",
"new caledonia",
"as18200 office",
"china as4538",
"china as9394",
"india as137654",
"japan as2514",
"japan as9365",
"china as45083",
"endian",
"linux",
"apple",
"linux subsys",
"lang c",
"linenum",
"lsyms",
"machine",
"static",
"va",
"os linux",
"nx",
"relocs",
"intel 8038",
"elf32",
"malware distribution",
"domain seizures",
"infostealing malware",
"cat-themed domains",
"gather victim",
"t1589",
"t1568",
"t1590",
"web protocols",
"drop resolver",
"t1568 t1590",
"show",
"filehash",
"md5 add",
"pulse pulses",
"copy",
"affected _and_fixed",
"thank you"
],
"references": [
"cat-are-here.ru",
"Antivirus Detections: Unix.Trojan.Mirai-10028259-0 | Mirai (ELF) Mirai (Windows",
"Yara Detections: LZMA",
"IP\u2019s Contacted: 32.227.223.238 107.74.143.88 69.196.71.159 96.16.197.80 101.80.61.229 125.101.205.34",
"IP\u2019s Contacted: 16.85.50.206 215.160.125.18 40.71.227.8 57.122.151.130",
"All Domains Contacted: thekittler.ru newkittler.ru cats-master.ru",
"https://otx.alienvault.com/indicator/file/b57042ed9a7d7dbe1f7c7f32de74d2b367ee835d",
"https://otx.alienvault.com/indicator/domain/cat-are-here.ru",
"CloudFlare IP\u2019s: 104.18.36.237 ,104.18.37.237",
"CloudFlare Domain: apple-dns.net",
"Cloudflare URL: https://forms.sonymusicfans.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js",
"https://forms.sonymusicfans.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js",
"http://213.209.143.24/ppc \u2022 http://213.209.143.24/rep.i486 \u2022 http://213.209.143.24/rep.sh4",
"http://213.209.143.24/x32 \u2022 https://250-mail.simswap.in \u2022 https://mail.simswap.in",
"http://kittler.ru/arm5 \u2022 http://kittler.ru/mpsl \u2022 http://thekittler.ru/rep.arm7",
"http://kittler.ru/rep.sh4 \u2022 http://kittler.ru/x32 \u2022 http://cats-master.ru/x86_64",
"sonymusicfans.com \u2022 forms.sonymusicfans.com \u2022 image.emails.sonymusicfans.com \u2022 url8878.e.sonymusicfans.com",
"https://forms.sonymusicfans.com/campaign/cannons-all-i-need-pre-add-pre-save/",
"https://forms.sonymusicfans.com/wp-content/plugins/smf-core/assets/css/campaign_333c4e8b19a72989caf8.css",
"https://view.emails.sonymusicfans.com/Error.aspx",
"URL http://url8878.e.sonymusicfans.com/ls/click \u2022 https://forms.sonymusicfans.com/campaign/all",
"http://url8878.e.sonymusicfans.com/ \u2022 http://url8878.e.sonymusicfans.com/ls/click",
"https://forms.sonymusicfans.com/campaign/all \u2022 https://forms.sonymusicfans.com/campaign/mmph/",
"https://image.emails.sonymusicfans.com/lib/fe9a12747566007d70/m/1/eb6e3ce4-7a7b-4435-a2cd-968f7277e6e0.png",
"https://image.emails.sonymusicfans.com/lib/fe9412747566057a72/m/1/b381d305-8e17-49be-bc99-e5fab3a7cd17.gif",
"push.apple.com \u2022 emails.redvue.com \u2022 apple-dns.net \u2022 57.122.151.130 \u2022 https://teja8.kuikr.com/i6/20181130/Apple",
"Tracking LummaC2 Infrastructure with Cats (byAlienVault) https://otx.alienvault.com/pulse/6839003a3028827e1ebbfb1a",
"Interesting relationships: LummaC2 , Mirai Botnet , Sony Music Group , Apple",
"https://otx.alienvault.com/pulse/694898db3a9999fecfd893cb"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Mirai (ELF)",
"display_name": "Mirai (ELF)",
"target": null
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "Unix.Trojan.Mirai-10028259-0",
"display_name": "Unix.Trojan.Mirai-10028259-0",
"target": null
},
{
"id": "Unix.Trojan.Gafgyt-6981160-0",
"display_name": "Unix.Trojan.Gafgyt-6981160-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1498",
"name": "Network Denial of Service",
"display_name": "T1498 - Network Denial of Service"
},
{
"id": "T1595",
"name": "Active Scanning",
"display_name": "T1595 - Active Scanning"
},
{
"id": "TA0001",
"name": "Initial Access",
"display_name": "TA0001 - Initial Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1584.001",
"name": "Domains",
"display_name": "T1584.001 - Domains"
},
{
"id": "T1102.001",
"name": "Dead Drop Resolver",
"display_name": "T1102.001 - Dead Drop Resolver"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 74,
"FileHash-SHA1": 74,
"FileHash-SHA256": 1067,
"URL": 2140,
"domain": 247,
"hostname": 674,
"CVE": 2
},
"indicator_count": 4278,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 147,
"modified_text": "112 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "687992eceac6f12e9cebd65f",
"name": "Operation Endgame | ThreatIntelligence | Pegasus | Mirai | Berbew | Emotet",
"description": "Operation Endgame - Mass spying on civilians suspected of involvement in illegal activity. This spying can last for years. Law enforcement and intelligence agencies use infrastructures from Google, Bing, Apple, Amazon, Coudflare, Microsoft, among other companies. Traffic can be masked in DNS and encrypted connections to go undetected. It is recommended to abandon closed-source services and software and opt for fully open-source software and install a powerful firewall. The use of a secure VPN is recommended. \nThere may be repeated indicators and some false positives due to the nature of the threats. We are working to eliminate duplicate entries and false positives. Check the comment box for important notifications. Follow our Telegram channel: @PrivacyNotACrime",
"modified": "2025-12-28T19:04:27.449000",
"created": "2025-07-18T00:18:50.968000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": null,
"export_count": 375,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 7,
"follower_count": 0,
"vote": 0,
"author": {
"username": "privacynotacrime",
"id": "349346",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 123,
"modified_text": "153 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6920c43c3772bb24f26f70cc",
"name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun",
"description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.",
"modified": "2025-12-21T18:01:07.268000",
"created": "2025-11-21T19:57:48.145000",
"tags": [
"dynamicloader",
"write c",
"write",
"high",
"yara rule",
"myapp",
"delphi",
"worm",
"win32",
"error",
"code",
"malware",
"defender",
"medium",
"binary file",
"heavensgate",
"bochs",
"dynamic",
"td td",
"td tr",
"united",
"a td",
"a domains",
"dynamic dns",
"static dns",
"dd wrt",
"twitter",
"trojan",
"trojandropper",
"null",
"enough",
"simple",
"click",
"easy",
"premium",
"associated urls",
"server response",
"google safe",
"results nov",
"avast avg",
"11.21.2025",
"11.20.2025",
"borland delphi",
"pe32",
"intel",
"ms windows",
"inno setup",
"win32 exe",
"pecompact",
"delphi generic",
"pe32 compiler",
"dark comet",
"dark gate",
"glassworm",
"md5 code",
"data",
"porkbun llc",
"windows match",
"getprocaddress",
"peb idrdata",
"match peb",
"t1547",
"t1059 t1112",
"shared modules",
"t1129",
"boot",
"logon autostart",
"execu",
"t1134 boot",
"encoding",
"capture e1113",
"file attributes",
"analysis ob0001",
"b0001 software",
"virtual machine",
"detection b0009",
"analysis ob0002",
"ob0003 screen",
"windows get",
"check",
"encode",
"check internet",
"wininet set",
"clear file",
"enumerate gui",
"get hostname",
"get keyboard",
"set registry",
"find",
"capture",
"url http",
"consolefoundry",
"console foundry",
"foundry",
"malware catalog tree",
"autorun keys",
"modification",
"alexander karp",
"peter theil",
"christoper ahmann",
"christopher pool",
"mercedes",
"apple",
"palantir",
"adversarial",
"adversaries",
"hostile",
"quasi",
"empty hash",
"denver",
"mal_xred_backdoor",
"backdoor",
"xred",
"brian sabey",
"first-send-petikvx",
"stop",
"glassworm",
"elex",
"darkgate",
"dark-comet",
"search",
"entries",
"show",
"yara detections",
"icmp traffic",
"rtf file",
"top source",
"top destination",
"format",
"host",
"copy",
"next",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"found",
"access att",
"font",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"ascii text",
"pattern match",
"sha256",
"mitre att",
"title",
"meta",
"hybrid",
"local",
"path",
"strings",
"body",
"contact",
"trace",
"form",
"bitcoin",
"core",
"jeffrey reimer",
"exe infection",
"cve",
"porn"
],
"references": [
"FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop",
"Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,",
"Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi",
"Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns",
"Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert",
"Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep",
"Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading",
"Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn",
"Alerts: packer_unknown",
"Malicious IP Contacted: 69.42.215.252",
"Abused Domains Contacted: xred.mooo.com freedns.afraid.org",
"IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org",
"IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com",
"IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com",
"Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access",
"consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry",
"Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below",
"by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"http://freedns.afraid.org/images/apple.gif",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"https://www.mumuplayer.com/redirect/customerservice/_wig",
"https://www.mumuplayer.com/redirect/customerservice/fB)y",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth",
"https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"http://consolefoundry.date/one/gate.php",
"https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453",
"display_name": "Win.Trojan.Emotet-9850453",
"target": null
},
{
"id": "Win.Trojan.BlackNetRAT-7838854-0",
"display_name": "Win.Trojan.BlackNetRAT-7838854-0",
"target": null
},
{
"id": "Win.Dropper.Nanocore-10021490-0",
"display_name": "Win.Dropper.Nanocore-10021490-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Win.Packed.Remcos-10024510-0",
"display_name": "Win.Packed.Remcos-10024510-0",
"target": null
},
{
"id": "Code Overlap",
"display_name": "Code Overlap",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "PSW:Win32/VB.CU",
"display_name": "PSW:Win32/VB.CU",
"target": "/malware/PSW:Win32/VB.CU"
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1541",
"name": "Foreground Persistence",
"display_name": "T1541 - Foreground Persistence"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1470",
"name": "Obtain Device Cloud Backups",
"display_name": "T1470 - Obtain Device Cloud Backups"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 460,
"FileHash-SHA1": 437,
"FileHash-SHA256": 4483,
"SSLCertFingerprint": 2,
"URL": 6487,
"hostname": 1772,
"domain": 652,
"CVE": 3,
"email": 5
},
"indicator_count": 14301,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "160 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "690e8b773dc39921d88abd44",
"name": "Nanocore - Affected",
"description": "- wmsspacer.gif\n| Photography: WMSspacer.gif, |[wmstransparent.org,]\n* YARA Detections : \nDotNET_Reactor\nSystem.Security.Cryptography.AesCryptoServiceProvider\nSystem.Security.Cryptography\nSystem.Security.Cryptography ~\nI CryptoTransform |\n Wmsspacer, i.g.sg.js..png.com, on-screen.|",
"modified": "2025-12-07T23:02:29.645000",
"created": "2025-11-08T00:14:47.600000",
"tags": [
"hgnvastlaiz",
"read c",
"medium",
"rgba",
"memcommit",
"delete",
"png image",
"unicode",
"dock",
"execution",
"malware",
"crlf line",
"speichermedium",
"productversion",
"fileversion",
"engine dll",
"internalname",
"einstellungen",
"comodo ca",
"limited st",
"yara detections",
"next pe",
"eula",
"policy",
"direct",
"opencandy",
"suspicious_write_exe",
"network_icmp",
"process_martian",
"present jun",
"present jul",
"domain",
"united",
"ip address",
"unknown ns",
"ms windows",
"intel",
"verisign",
"time stamping",
"unknown",
"class",
"write",
"markus",
"temple",
"msie",
"windows nt",
"get http",
"lehash",
"av detections",
"ids detections",
"alerts",
"file score",
"low risk",
"compromised_site_redirector_fromcharcode",
"present aug",
"passive dns",
"all ipv4",
"urls",
"files",
"hosting",
"america flag",
"win32",
"ipv4 add",
"signed file, valid signature. revoked.",
"united states",
"pws",
"atros",
"fiha",
"search",
"entries",
"present oct",
"next associated",
"show",
"high",
"wow64",
"slcc2",
"next",
"domain add",
"poland",
"poland unknown",
"ipv4",
"location poland",
"poland asn",
"et policy",
"pe exe",
"dll windows",
"amazon s3",
"location united",
"associated urls",
"date checked",
"url hostname",
"server response",
"google safe",
"results feb",
"nanocore",
"url add",
"http",
"related nids",
"files location",
"flag united",
"malicious image",
"files domain",
"files related",
"pulses otx",
"related tags",
"resources whois",
"virustotal",
"present sep",
"status",
"present nov",
"present mar",
"trojan",
"script script",
"div div",
"link",
"a li",
"meta",
"sweden",
"invalid url",
"head title",
"title head",
"reference",
"bad request",
"server",
"netherlands",
"creation date",
"date",
"running server",
"ahmann",
"christopher",
"p",
"tam",
"legal",
"treece",
"alfrey",
"muscat",
"adversaries",
"cyber crime",
"quasi",
"government"
],
"references": [
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"www.opencandy.com",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"Yara Detections : compromised_site_redirector_fromcharcode",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Nanocore-5",
"display_name": "Win.Trojan.Nanocore-5",
"target": null
},
{
"id": "Win.Trojan.Adinstall-2",
"display_name": "Win.Trojan.Adinstall-2",
"target": null
},
{
"id": "PSW.Generic13",
"display_name": "PSW.Generic13",
"target": null
},
{
"id": "Atros.UPK",
"display_name": "Atros.UPK",
"target": null
},
{
"id": "Luhe.Fiha.A",
"display_name": "Luhe.Fiha.A",
"target": null
},
{
"id": "Pua.Optimizerpro/PCOptimizerPro",
"display_name": "Pua.Optimizerpro/PCOptimizerPro",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1491.001",
"name": "Internal Defacement",
"display_name": "T1491.001 - Internal Defacement"
},
{
"id": "T1204.003",
"name": "Malicious Image",
"display_name": "T1204.003 - Malicious Image"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 753,
"FileHash-SHA1": 622,
"FileHash-SHA256": 4336,
"URL": 2448,
"domain": 300,
"hostname": 788,
"CVE": 1,
"email": 4
},
"indicator_count": 9252,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "174 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68feb98a8c1b75b4431a3e8e",
"name": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator?",
"description": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator? 1.) (userlolxxl) is also disable_duck, has an unhealthy interest in the Tsara Brashears \u2018dead yet\u2019 theory , has many profiles. His issues are self made by grabbing vulnerabilities found and linking them to a fake University website. We checked. Profile belongs to a group causing needless distraction and hooking users into the \u2018No Problems\u2019 group. \n\nWe swiftly got Regis University to take notice of Palantirs Prometheus Intelligence Technology tracking. Dean let semester begin putting students at risk despite warnings from Tsara Brashears of owa canary cookie in server, to replace computers , halt school , deal with issue. RU ignored issues, Brashears didn\u2019t. They went black , blacklisted Tsara warning of credible death threats on dark web.",
"modified": "2025-11-25T20:05:31.749000",
"created": "2025-10-27T00:15:06.191000",
"tags": [
"html internet",
"html document",
"ascii text",
"language",
"cve202323397",
"iframe tags",
"tag manager",
"gtmkvjvztk",
"anchor hrefs",
"info ta0011",
"protocol",
"layer protocol",
"port",
"t1571 encrypted",
"channel",
"t1573 malware",
"tree",
"oc0006 http",
"c0014",
"get http",
"dns resolutions",
"resolved ips",
"user",
"data",
"datacrashpad",
"edge",
"v full",
"reports v",
"chrome u",
"appdata local",
"googlechrome u",
"u ser",
"cname",
"ip address",
"http",
"accept",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"shutdown",
"extraction",
"suggested iocs",
"data upload",
"cry dee",
"stop",
"type",
"url indicator",
"enter",
"failed",
"se share",
"extrac",
"enter so",
"passive dns",
"urls",
"hostname add",
"pulse pulses",
"files",
"domain",
"files ip",
"address",
"location united",
"asn as20473",
"dynamicloader",
"directui",
"write c",
"intel",
"ms windows",
"pe32",
"element",
"delete c",
"document file",
"v2 document",
"explorer",
"trojandropper",
"write",
"markus",
"august",
"movie",
"insert",
"pulse submit",
"url analysis",
"asn as8068",
"united",
"entries",
"body",
"please",
"x msedge",
"ipv4 add",
"present sep",
"present oct",
"present feb",
"status",
"unknown ns",
"search",
"name servers",
"present jul",
"aaaa",
"present apr",
"trojan",
"medium",
"high",
"yara rule",
"globalc",
"june",
"malware",
"win64",
"unknown",
"america flag",
"twitter",
"hostname",
"domain add",
"reverse dns",
"america asn",
"present aug",
"a domains",
"moved",
"first pqc",
"unknown aaaa",
"title",
"meta",
"window",
"encrypt",
"pulse indicator",
"body doctype",
"welcome",
"ok server",
"gmt content",
"atlanta",
"abuse",
"agent",
"service",
"present jun",
"present may",
"creation date",
"record value",
"servers",
"libretv meta",
"certificate",
"value",
"whois lookup",
"loopia ab",
"userlolxxl"
],
"references": [
"http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist",
"It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!",
"pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz",
"Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com",
"docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips",
"https://hs.ecam.com/your-challenges-ecams-solutions",
"https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022",
"https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/",
"Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Wannacry",
"display_name": "Wannacry",
"target": null
},
{
"id": "Foundry",
"display_name": "Foundry",
"target": null
},
{
"id": "Trojan:Win32/Comisproc!gmb",
"display_name": "Trojan:Win32/Comisproc!gmb",
"target": "/malware/Trojan:Win32/Comisproc!gmb"
},
{
"id": "Trojandropper:Win32/VB.IL",
"display_name": "Trojandropper:Win32/VB.IL",
"target": "/malware/Trojandropper:Win32/VB.IL"
},
{
"id": "#Exploit:Win32/CVE- 2023 - 23397",
"display_name": "#Exploit:Win32/CVE- 2023 - 23397",
"target": "/malware/#Exploit:Win32/CVE- 2023 - 23397"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "ALF:PulZati:Worm:Win32/Mydoom",
"display_name": "ALF:PulZati:Worm:Win32/Mydoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 8,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 248,
"FileHash-SHA1": 134,
"FileHash-SHA256": 2661,
"URL": 6257,
"domain": 682,
"email": 8,
"hostname": 2077,
"CVE": 1
},
"indicator_count": 12068,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "186 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68fd0cc422cea2fd989581fd",
"name": "LevelBlue - Open Threat Exchange (Malicious Attacks)",
"description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.",
"modified": "2025-11-24T17:02:12.441000",
"created": "2025-10-25T17:45:40.291000",
"tags": [
"ipv4",
"levelblue",
"open threat",
"date sat",
"connection",
"etag w",
"cloudfront",
"sameorigin age",
"vary",
"ip address",
"kb body",
"gtmkvjvztk",
"utc gcfezl5ynvb",
"utc na",
"utc google",
"analytics na",
"utc linkedin",
"insight tag",
"learn",
"exchange og",
"levelblue open",
"threat exchange",
"exchange",
"google tag",
"iocs",
"search otx",
"included iocs",
"review iocs",
"data upload",
"extraction",
"layer protocol",
"v full",
"reports v",
"port t1571",
"t1573",
"oc0006 http",
"c0014",
"get http",
"dns resolutions",
"user",
"data",
"datacrashpad",
"edge",
"tag manager",
"us er",
"help files",
"shell",
"html",
"cve202323397",
"iframe tags",
"community score",
"url http",
"url https",
"united",
"united kingdom",
"netherlands",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"indicator role",
"title added",
"active related",
"otc oct",
"report spam",
"week ago",
"scan",
"learn more",
"filehashmd5",
"filehashsha1",
"domain",
"australia",
"does",
"josh",
"created",
"filehashsha256",
"present jul",
"present oct",
"date",
"a domains",
"script urls",
"for privacy",
"moved",
"script domains",
"meta",
"title",
"body",
"pragma",
"encrypt",
"ck ids",
"t1060",
"run keys",
"startup",
"folder",
"t1027",
"files",
"information",
"t1055",
"injection",
"capture",
"south korea",
"malaysia",
"pulses",
"fatal error",
"hacker known",
"name",
"unknown",
"risk",
"weeks ago",
"scary",
"sova",
"colorado",
"wire",
"name unknown",
"thursday",
"denver",
"types of",
"indicators hong",
"kong",
"tsara brashears",
"african",
"ethiopia",
"b8reactjs",
"india",
"america",
"x ua",
"hostname",
"dicator role",
"pulses url",
"airplane",
"icator role",
"t1432",
"access contact",
"list",
"t1525",
"image",
"security scan",
"heuristic oct",
"discovery",
"t1069",
"t1071",
"protocol",
"t1105",
"tool transfer",
"t1114",
"t1480",
"internal image",
"brian sabey",
"month ago",
"modified",
"days ago",
"green well",
"sabey stash",
"service",
"t1040",
"sniffing",
"t1045",
"packing",
"t1053",
"taskjob"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Sova",
"display_name": "Sova",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1022",
"name": "Data Encrypted",
"display_name": "T1022 - Data Encrypted"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1525",
"name": "Implant Internal Image",
"display_name": "T1525 - Implant Internal Image"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1448",
"name": "Carrier Billing Fraud",
"display_name": "T1448 - Carrier Billing Fraud"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 956,
"FileHash-SHA1": 906,
"FileHash-SHA256": 2651,
"URL": 4450,
"domain": 708,
"hostname": 2403,
"CVE": 1,
"email": 5
},
"indicator_count": 12080,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "187 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2ca40b12d7f02af896284",
"name": "Exploit Kit - 77.67.27.35 Isolated",
"description": "Information hastily gathered. IP 77.67.27.35\nbelongs to a server or device, WHOIS lookup indicates domain name cloud.com, owned by P.O. Box 412, 1043 CD, Amsterdam, Noord-Holland, NL | Summary ; ASN, AS3257 GTT Communications Inc. ; BGP, 77.67.0.0/17 ; IPs | BGP Looking Glass for AS3257 / GTT Communications Inc. | http.net - IP Transit Provider | Global Services - GTT | http://www.gtt.net Company Looking Glass: http://www.as3257.net/lg/ Info from single malicious file :Win32/Heur\n, \nTrojan.Crypted-29\nIDS Detections\nET POLICY Unsupported/Fake Windows NT Version 5.0\nET TROJAN Trojan/W32.KRBanker.60928.C Checkin\nYara Detections\nNone\nAlerts:\n\u2022 infostealer_browser\n\u2022 bypass_firewall\n\u2022 persistence_autorun\n\u2022 network_bind\n\u2022 network_http\n\u2022 packer_entropy\n- IP\u2019s Contacted :\n8.8.8.8 ,\n\n77.67.27.35 ,\n\n59.13.211.166 ,\n\n118.99.41.30 ,\nDomains Contacted :\nr.qzone.qq.com",
"modified": "2025-11-04T19:02:34.015000",
"created": "2025-10-05T19:42:56.097000",
"tags": [
"win32dh",
"mxigd4et",
"united",
"passive dns",
"entries",
"next associated",
"present oct",
"win32virut feb",
"all ipv4",
"pulse pulses",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"command",
"found",
"evasion att",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"ascii text",
"pattern match",
"mitre att",
"show technique",
"null",
"refresh",
"body",
"span",
"hybrid",
"local",
"path",
"click",
"strings",
"error",
"tools",
"title",
"look",
"verify",
"restart",
"information",
"whois",
"amsterdam",
"noordholland",
"summary",
"as3257 gtt",
"bgp looking",
"glass",
"as3257",
"ip transit",
"global",
"jfif",
"clsid",
"jpeg image",
"windows nt",
"gif image",
"msie",
"rgba",
"utf8 unicode",
"malware",
"copy",
"write",
"next",
"handle",
"address range",
"cidr",
"network name",
"allocation type",
"assigned pa",
"status",
"whois server",
"ripe ncc",
"ripe network"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"Korea, Republic of",
"Hong Kong"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [
"Telecom"
],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 195,
"FileHash-SHA1": 106,
"FileHash-SHA256": 254,
"URL": 603,
"hostname": 256,
"domain": 74,
"CIDR": 3,
"email": 2
},
"indicator_count": 1493,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "207 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b9fd811ffc6684ba25f7",
"name": "Isolated DoD now DoW nodes - emotional commentary",
"description": "*https://www.sentient.industries/\n*trk.b.jackrogersusa.com\n*http://trk.southerntide.com/\nOTX is auto populating this pulse. Let\u2019s see\u2026",
"modified": "2025-11-04T18:01:18.650000",
"created": "2025-10-05T18:33:33.277000",
"tags": [
"united",
"present feb",
"present may",
"aaaa",
"present jul",
"passive dns",
"ip address",
"present dec",
"present sep",
"present jun",
"url https",
"url http",
"type indicator",
"role title",
"added active",
"related pulses",
"germany",
"taiwan",
"netherlands",
"china",
"search",
"copy md5",
"copy sha1",
"copy sha256",
"sha256",
"sha1",
"ascii text",
"size",
"pattern match",
"mitre att",
"ck id",
"null",
"refresh",
"body",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"title",
"look",
"verify",
"restart",
"filehashmd5",
"hostname",
"filehashsha256",
"types of",
"indicator role",
"title added",
"active related",
"pulses url",
"ruby",
"jeffrey reimer",
"target",
"tsara",
"information",
"capture",
"gather victim",
"report spam",
"kill targets",
"created",
"starfield",
"show technique",
"date"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1333,
"domain": 355,
"URL": 5874,
"hostname": 1066,
"FileHash-SHA1": 101,
"FileHash-MD5": 88,
"SSLCertFingerprint": 2
},
"indicator_count": 8819,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "207 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"",
"https://forms.sonymusicfans.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js",
"Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"https://otx.alienvault.com/indicator/file/b57042ed9a7d7dbe1f7c7f32de74d2b367ee835d",
"iphonegermany.com",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"URL http://url8878.e.sonymusicfans.com/ls/click \u2022 https://forms.sonymusicfans.com/campaign/all",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"Same legal , and quasi governmental pattern identified",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://aspmx.l.google.com/",
"https://otx.alienvault.com/indicator/domain/cat-are-here.ru",
"http://213.209.143.24/x32 \u2022 https://250-mail.simswap.in \u2022 https://mail.simswap.in",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"Tracking LummaC2 Infrastructure with Cats (byAlienVault) https://otx.alienvault.com/pulse/6839003a3028827e1ebbfb1a",
"Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading",
"My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://www.mumuplayer.com/redirect/customerservice/_wig",
"Redirect: schemas.microsoft.com",
"IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth",
"It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!",
"Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"Antivirus Detections: Unix.Trojan.Mirai-10028259-0 | Mirai (ELF) Mirai (Windows",
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips",
"monitoring.eurovision.net",
"www.opencandy.com",
"https://l.us-1.a.mimecastprotect.com/l",
"Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,",
"https://www.mumuplayer.com/redirect/customerservice/fB)y",
"http://url8878.e.sonymusicfans.com/ \u2022 http://url8878.e.sonymusicfans.com/ls/click",
"Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"IP\u2019s Contacted: 32.227.223.238 107.74.143.88 69.196.71.159 96.16.197.80 101.80.61.229 125.101.205.34",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below",
"http://apple.support.com/ht***** redirect",
"Interesting relationships: LummaC2 , Mirai Botnet , Sony Music Group , Apple",
"Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop",
"Abused Domains Contacted: xred.mooo.com freedns.afraid.org",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"It appears there are 5-7 known affected that I was able to find",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"https://forms.sonymusicfans.com/campaign/all \u2022 https://forms.sonymusicfans.com/campaign/mmph/",
"http://audaxgroup.appleid.com/",
"http://consolefoundry.date/one/gate.php",
"push.apple.com \u2022 emails.redvue.com \u2022 apple-dns.net \u2022 57.122.151.130 \u2022 https://teja8.kuikr.com/i6/20181130/Apple",
"smtp2.icl-privaterelay.appleid.com",
"CloudFlare Domain: apple-dns.net",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/",
"sonymusicfans.com \u2022 forms.sonymusicfans.com \u2022 image.emails.sonymusicfans.com \u2022 url8878.e.sonymusicfans.com",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"https://forms.sonymusicfans.com/wp-content/plugins/smf-core/assets/css/campaign_333c4e8b19a72989caf8.css",
"Cloudflare URL: https://forms.sonymusicfans.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js",
"OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist",
"https://image.emails.sonymusicfans.com/lib/fe9a12747566007d70/m/1/eb6e3ce4-7a7b-4435-a2cd-968f7277e6e0.png",
"cat-are-here.ru",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Yara Detections : compromised_site_redirector_fromcharcode",
"docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com",
"by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"All Domains Contacted: thekittler.ru newkittler.ru cats-master.ru",
"Yara Detections: LZMA",
"https://hs.ecam.com/your-challenges-ecams-solutions",
"consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry",
"http://kittler.ru/arm5 \u2022 http://kittler.ru/mpsl \u2022 http://thekittler.ru/rep.arm7",
"Alerts: packer_unknown",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"CloudFlare IP\u2019s: 104.18.36.237 ,104.18.37.237",
"IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545",
"http://www.icloud-sms-alert.com/",
"https://icloud.ch/",
"https://forms.sonymusicfans.com/campaign/cannons-all-i-need-pre-add-pre-save/",
"https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022",
"http://kittler.ru/rep.sh4 \u2022 http://kittler.ru/x32 \u2022 http://cats-master.ru/x86_64",
"oas-japac-domains-applecomputer.cn",
"Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com",
"IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org",
"Requires further research.",
"div>
",
"I apologize for the lack of reference.",
"https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"http://freedns.afraid.org/images/apple.gif",
"https://icloud.ch/cn/ipod-touch/",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"https://image.emails.sonymusicfans.com/lib/fe9412747566057a72/m/1/b381d305-8e17-49be-bc99-e5fab3a7cd17.gif",
"https://view.emails.sonymusicfans.com/Error.aspx",
"apple.com(-inc.cc)",
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"monitor.kyos.ninja",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn",
"https://otx.alienvault.com/pulse/694898db3a9999fecfd893cb",
"mac.store",
"IP\u2019s Contacted: 16.85.50.206 215.160.125.18 40.71.227.8 57.122.151.130",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
"robert-aebi.appleid.com",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips",
"Malicious IP Contacted: 69.42.215.252",
"http://213.209.143.24/ppc \u2022 http://213.209.143.24/rep.i486 \u2022 http://213.209.143.24/rep.sh4",
"FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/",
"Verification failure observed in automated verification handlers during sandbox replay."
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others"
],
"malware_families": [
"Xloader for ios - s0490",
"Alf:pulzati:worm:win32/mydoom",
"Skynet",
"#lowfi:exploit:java/cve-2012-0507",
"Pegasus for android - mob-s0032",
"Code overlap",
"Foundry",
"Other malware",
"Trojandropper:win32/vb.il",
"Zeroaccess - s0027",
"#lowfi:siga:trojandownloader:msil/genmaldow",
"Win.trojan.emotet-9850453",
"Pegasus for ios - s0289",
"Trojan:js/berbew",
"Win.dropper.nanocore-10021490-0",
"#lowfitrojan:html/iframe",
"#lowfi:lua:dllsuspiciousexport.a",
"Worm:win32/bloored",
"Graphite (pegasus variant)",
"Win.trojan.adinstall-2",
"Trojan:win32/comisproc!gmb",
"Psw.generic13",
"Icedid",
"Win.malware.elenooka-6996044-0",
"Trojandownloader:linux/mirai",
"Alf:backdoor:powershell/reverseshell",
"Pegasus rdp module for windows",
"Psw:win32/vb.cu",
"Atros.upk",
"Emotet",
"#hstr:hacktool:win32/remoteshell",
"Unix.trojan.mirai-10028259-0",
"Worm:win32/autorun!atmn",
"Luhe.fiha.a",
"Wannacry",
"Pegasus for mac",
"Win.packed.remcos-10024510-0",
"Starfighter (javascript)",
"Careto",
"#lowfi:hstr:win32/mediadownloader",
"Pua.optimizerpro/pcoptimizerpro",
"Mirai (elf)",
"Backdoor:linux/mirai",
"Unix.trojan.gafgyt-6981160-0",
"Html smuggling",
"Mirai (windows)",
"Alf:html/phishing",
"Alf:backdoor:java/webshell",
"Sova",
"Trojan:win32/icedid.di!mtb",
"Trojan:win32/smkldr.h!mtb",
"Win.trojan.blacknetrat-7838854-0",
"Win.trojan.nanocore-5",
"Paragon (pegasus variant)",
"Pegasus",
"#exploit:win32/cve- 2023 - 23397",
"Mydoom"
],
"industries": [
"Telecom",
"Technology",
"Civilians",
"Civil",
"People",
"Legal",
"Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in"
],
"unique_indicators": 481949
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/kuikr.com",
"whois": "http://whois.domaintools.com/kuikr.com",
"domain": "kuikr.com",
"hostname": "teja8.kuikr.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 25,
"pulses": [
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-05-17T15:52:35.396000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
"My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 28000,
"FileHash-SHA256": 48374,
"FileHash-MD5": 42596,
"FileHash-SHA1": 23243,
"hostname": 35654,
"URL": 75758,
"SSLCertFingerprint": 30,
"CVE": 7585,
"email": 316,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"URI": 5,
"IPv4": 574,
"Mutex": 1
},
"indicator_count": 288350,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 92,
"modified_text": "13 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf64eccb5d39a90a3c391e",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:32.565000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 152,
"modified_text": "65 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69bf64e1d5e06aa6207f78de",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:21.863000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 149,
"modified_text": "65 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699c6ef61298b57cd7275728",
"name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s",
"description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.",
"modified": "2026-03-25T07:05:10.628000",
"created": "2026-02-23T15:15:02.857000",
"tags": [
"ipv4",
"http",
"passive dns",
"files domain",
"united",
"unknown ns",
"for privacy",
"ip address",
"domain",
"dynamicloader",
"antivirus",
"yara rule",
"fe ff",
"write c",
"msvisualcpp60",
"rsds",
"e8 c8",
"e8 a8",
"ff e1",
"unknown",
"worm",
"launch",
"write",
"explorer",
"february",
"push",
"service",
"files",
"reverse dns",
"america flag",
"america asn",
"url add",
"otx logo",
"all ipv4",
"searc",
"date checked",
"server response",
"results dec",
"unknown soa",
"present aug",
"present oct",
"present sep",
"present nov",
"moved",
"error",
"title",
"win32mydoom feb",
"aaaa",
"name servers",
"trojan",
"servers",
"virtool",
"united states",
"apple",
"crlf line",
"unicode text",
"utf8",
"ff d5",
"ascii text",
"ee fc",
"suspicious",
"music",
"malware",
"role title",
"ttl value",
".cc",
"d4 f5",
"msvisualcpp2002",
"msvisualcpp2005",
"apple support",
".ch",
"privaterelay",
"pattern match",
"ck id",
"mitre att",
"ck matrix",
"href",
"et info",
"general",
"local",
"path",
"click",
"learn",
"command",
"name tactics",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"present jun",
"backdoor",
"present may",
"status",
"ransom",
"high",
"medium",
"windows",
"tofsee",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"stream",
"delete",
"emotet",
"bot network",
"mitm",
"screenshot",
"mimecast"
],
"references": [
"http://apple.support.com/ht***** redirect",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"mac.store",
"https://icloud.ch/cn/ipod-touch/",
"https://icloud.ch/",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"Redirect: schemas.microsoft.com",
"apple.com(-inc.cc)",
"oas-japac-domains-applecomputer.cn",
"robert-aebi.appleid.com",
"smtp2.icl-privaterelay.appleid.com",
"http://audaxgroup.appleid.com/",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"iphonegermany.com",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"https://aspmx.l.google.com/",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"http://www.icloud-sms-alert.com/",
"monitoring.eurovision.net",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"monitor.kyos.ninja"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/IcedId.DI!MTB",
"display_name": "Trojan:Win32/IcedId.DI!MTB",
"target": "/malware/Trojan:Win32/IcedId.DI!MTB"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Worm:Win32/Bloored",
"display_name": "Worm:Win32/Bloored",
"target": "/malware/Worm:Win32/Bloored"
},
{
"id": "Win.Malware.Elenooka-6996044-0",
"display_name": "Win.Malware.Elenooka-6996044-0",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6031,
"hostname": 1971,
"domain": 1125,
"FileHash-SHA256": 1715,
"email": 18,
"FileHash-MD5": 317,
"FileHash-SHA1": 164
},
"indicator_count": 11341,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b92a27c47d4e28927364",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:24:26.110000",
"created": "2026-03-12T13:01:30.067000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 72,
"modified_text": "79 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b9295603a6100edfa8c8",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:24:25.387000",
"created": "2026-03-12T13:01:29.284000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 69,
"modified_text": "79 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b927aa7f10e82639d204",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:27.872000",
"created": "2026-03-12T13:01:27.872000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b927c086397130c5d114",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:27.275000",
"created": "2026-03-12T13:01:27.275000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b926871746ed8a1bc324",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:26.440000",
"created": "2026-03-12T13:01:26.440000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "79 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://teja8.kuikr.com/i6/20181126/Model",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://teja8.kuikr.com/i6/20181126/Model",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780226634.311965
}