{ "type": "URL", "indicator": "https://test-sim-mgmt.doptools.pl", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://test-sim-mgmt.doptools.pl", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3878369614, "indicator": "https://test-sim-mgmt.doptools.pl", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "698e906da16336f8e87c3b90", "name": "CoinHive Clone ", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-02-13T02:46:05.544000", "tags": [ "united", "td tr", "a domains", "history group", "state", "b td", "present sep", "find", "alabama", "iowa", "apache", "content type", "passive dns", "meta http", "content", "gmt server", "pragma", "title", "linksys eseries", "device rce", "inbound", "et exploit", "attempt", "et webserver", "suspicious user", "user agent", "et worm", "policy python", "python", "agent", "generic", "malware", "nids", "dst_ip", "\"sid\": 2017515,", "2020/08/23", "dst_port\": 8080", "suricata", "network_icmp", "tcp_syn_scan", "unix", "mirai", "infection", "port 8080", "aitm", "mitm", "xfinity", "lumen backbone", "xfinity cf", "et info", "useragent", "webserver", "android", "linux", "statistically stripped", "local", "Jefferson County", "Colorado", "State", "is__elf", "is__war", "cyber warfare", "marking", "targeting", "stalking", "impersonating", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "defense evasion", "mitre att", "ck matrix", "february", "hybrid", "general", "path", "encrypt", "click", "strings", "attack", "ssl certificate", "ascii text", "dynamicloader", "yara rule", "ff d5", "medium", "high", "eb d8", "f0 ff", "ff bb", "host", "unknown", "explorer", "virtool", "write", "next", "Douglas County", "Michael Roberts", "Brian Sabey", "Chris\u2019Buzz\u2019 Ahmann", "Mirai BotMaster", "file type", "pexe", "pe32", "intel", "ms windows", "date march", "am size", "imphash", "otx logo", "all filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "moved", "urls", "expiration date", "all hostname", "files", "media", "present feb", "present jan", "present dec", "present nov", "ip address", "present", "codex", "sf.net", "next associated", "ipv4 add", "location united", "america flag", "spawns", "found", "t1480 execution", "pattern match", "present aug", "search", "name servers", "showing", "record value", "meta", "accept", "div div", "request blocked", "helvetica neue", "helvetica segoe", "ui arial", "denver", "yandex", "post", "entries", "post http", "show", "post liquor", "execution", "port", "destination", "icmp traffic", "dns query", "include", "top source" ], "references": [ "https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in", "genealogytrails.com", "It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT", "Has been present throughout a specific campaign", "Mirai", "IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt", "IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS", "IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests", "IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)", "IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden", "ET INFO User-Agent (python-requests) Inbound to Webserver", "Suspicious User Agent | ETPRO POLICY Python Requests", "src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105", "\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,", "TCP SYN packets were observed", "ET WORM TheMoon.linksys.router", "ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound", "\"ET WEB_SERVER WebShell Generic - wget http - POST", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX", "Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication", "Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc", "Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject", "File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:", "upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4", "192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net", "Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB", "IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz", "IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin", "Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process", "Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert", "Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options", "Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..", "IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193", "IPs Contacted: 149.56.240.31 172.66.136.209", "Domains Contacted: c.statcounter.com sstatic1.histats.com", "Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com", "Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com", "Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com", "Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com", "Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com", "Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com", "Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com", "Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Unix.Trojan.Mirai-7646352-0", "display_name": "Unix.Trojan.Mirai-7646352-0", "target": null }, { "id": "SpyFu", "display_name": "SpyFu", "target": null }, { "id": "Win.Trojan.VB-83922", "display_name": "Win.Trojan.VB-83922", "target": null }, { "id": "virtool:Win32/VBInject.gen!JB", "display_name": "virtool:Win32/VBInject.gen!JB", "target": "/malware/virtool:Win32/VBInject.gen!JB" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" } ], "industries": [], "TLP": "white", "cloned_from": "698966742c9fd9691396bb3a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5836, "domain": 857, "FileHash-MD5": 185, "FileHash-SHA1": 147, "hostname": 1842, "email": 7, "FileHash-SHA256": 947, "CVE": 43, "SSLCertFingerprint": 8 }, "indicator_count": 9872, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698966742c9fd9691396bb3a", "name": "CoinHive In-Browser Miner | ET EXPLOIT Linksys E-Series Device RCE Attempt via \u2018AI chat\u2019 Xfinity Commercial Fleet vehicle parked /AITM", "description": "Merits further research. Work no is consistent with a man advocate named Michael\nRoberts of Rexxfield and Miles2/ Mile2 / seen frequently in attacks against females | targeted individual apparently was using an AI browser search when a keyword triggered glitches.\nSearch of a URL\ntarget has never heard of or seen found in device search results. Targets device injected, Mirai botnet found, Other suspicious findings. TBConrinued..:.\n[OTX. Auto populated Significantly more details have been revealed about the GoDaddy.com domain, which has been listed as an unregistered domain by the Internet Service Authority (icann). and its users are not allowed to use it.] #man_jn_tve_midxle #drive_ by_compromise #injection.", "modified": "2026-03-11T04:02:50.189000", "created": "2026-02-09T04:45:40.250000", "tags": [ "united", "td tr", "a domains", "history group", "state", "b td", "present sep", "find", "alabama", "iowa", "apache", "content type", "passive dns", "meta http", "content", "gmt server", "pragma", "title", "linksys eseries", "device rce", "inbound", "et exploit", "attempt", "et webserver", "suspicious user", "user agent", "et worm", "policy python", "python", "agent", "generic", "malware", "nids", "dst_ip", "\"sid\": 2017515,", "2020/08/23", "dst_port\": 8080", "suricata", "network_icmp", "tcp_syn_scan", "unix", "mirai", "infection", "port 8080", "aitm", "mitm", "xfinity", "lumen backbone", "xfinity cf", "et info", "useragent", "webserver", "android", "linux", "statistically stripped", "local", "Jefferson County", "Colorado", "State", "is__elf", "is__war", "cyber warfare", "marking", "targeting", "stalking", "impersonating", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "defense evasion", "mitre att", "ck matrix", "february", "hybrid", "general", "path", "encrypt", "click", "strings", "attack", "ssl certificate", "ascii text", "dynamicloader", "yara rule", "ff d5", "medium", "high", "eb d8", "f0 ff", "ff bb", "host", "unknown", "explorer", "virtool", "write", "next", "Douglas County", "Michael Roberts", "Brian Sabey", "Chris\u2019Buzz\u2019 Ahmann", "Mirai BotMaster", "file type", "pexe", "pe32", "intel", "ms windows", "date march", "am size", "imphash", "otx logo", "all filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "moved", "urls", "expiration date", "all hostname", "files", "media", "present feb", "present jan", "present dec", "present nov", "ip address", "present", "codex", "sf.net", "next associated", "ipv4 add", "location united", "america flag", "spawns", "found", "t1480 execution", "pattern match", "present aug", "search", "name servers", "showing", "record value", "meta", "accept", "div div", "request blocked", "helvetica neue", "helvetica segoe", "ui arial", "denver", "yandex", "post", "entries", "post http", "show", "post liquor", "execution", "port", "destination", "icmp traffic", "dns query", "include", "top source" ], "references": [ "https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in", "genealogytrails.com", "It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT", "Has been present throughout a specific campaign", "Mirai", "IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt", "IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS", "IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests", "IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)", "IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden", "ET INFO User-Agent (python-requests) Inbound to Webserver", "Suspicious User Agent | ETPRO POLICY Python Requests", "src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105", "\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,", "TCP SYN packets were observed", "ET WORM TheMoon.linksys.router", "ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound", "\"ET WEB_SERVER WebShell Generic - wget http - POST", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX", "Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication", "Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc", "Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject", "File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:", "upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4", "192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net", "Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB", "IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz", "IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin", "Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process", "Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert", "Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options", "Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..", "IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193", "IPs Contacted: 149.56.240.31 172.66.136.209", "Domains Contacted: c.statcounter.com sstatic1.histats.com", "Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com", "Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com", "Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com", "Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com", "Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com", "Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com", "Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com", "Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Unix.Trojan.Mirai-7646352-0", "display_name": "Unix.Trojan.Mirai-7646352-0", "target": null }, { "id": "SpyFu", "display_name": "SpyFu", "target": null }, { "id": "Win.Trojan.VB-83922", "display_name": "Win.Trojan.VB-83922", "target": null }, { "id": "virtool:Win32/VBInject.gen!JB", "display_name": "virtool:Win32/VBInject.gen!JB", "target": "/malware/virtool:Win32/VBInject.gen!JB" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5779, "domain": 730, "FileHash-MD5": 185, "FileHash-SHA1": 147, "hostname": 1790, "email": 5, "FileHash-SHA256": 947, "CVE": 3, "SSLCertFingerprint": 8 }, "indicator_count": 9594, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951f52a5af00a9be445ad41", "name": "Mirai - HoneyPot | Pegasus | Therahand HoneyPot Bot Network", "description": "A HoneyPot Bot Network created to protect a criminal who worked for a company formerly known as Therahand Wellness. This company employed an unquestioned but admittedly guilty SA\u2019r. | Name tactics used in an attempt to draw in victims to leave truthful negative reviews about Jeffrey Reimer | The website is extremely malicious. NSO Pegasus & Palantir relationship.\n\nWhat a pity there is no work done in the state of Colorado to convict medical unprofessionals unless they are poor assistants , Latin, African American or , Native. | Colorado has a known race issue. \n\nColorado ranks poor for getting rape kits tested.\nPoor possibly outranking Baltimore,MD in police brutality. \nPoor at solving it attempting to solve crimes. Law enforcement literally collects paper, evidence and turns evidence away at times. \n\nThis system allows the actual criminal\nto track victim.\nIf he wants to be the victim of this crime against persons let him be. \n\n *Pegasus & Israel and 99% of all tags auto populated by OTX.", "modified": "2026-01-28T02:03:16.337000", "created": "2025-12-29T03:27:38.183000", "tags": [ "no expiration", "expiration", "url http", "url https", "iocs", "enter source", "url or", "name servers", "a domains", "accept encoding", "urls", "emails", "servers", "url add", "http", "files domain", "files related", "related tags", "united", "gmt contenttype", "ipv4 add", "url analysis", "files", "present dec", "cname", "virtool", "cryp", "ip address", "trojan", "win32", "therahand", "jeffrey reimer", "reimer dpt", "msie", "chrome", "unknown ns", "unknown cname", "record value", "accept", "encrypt", "passive dns", "moved", "wp engine", "meta", "wordpress", "pegasus", "america flag", "america asn", "reverse dns", "flag", "bad traffic", "et info", "tls handshake", "failure", "analysis", "tor analysis", "dns requests", "united states", "hostname", "pulse submit", "domain", "files ip", "eva lisa", "eva reimer", "all ipv4", "dynamic_content", "fingerprinting", "size", "pattern match", "mitre att", "ck id", "hybrid", "general", "local", "path", "click", "strings", "status", "hostname add", "evasion", "proximity", "pulse pulses", "address", "learn", "adversaries", "name tactics", "suspicious", "informative", "defense evasion", "command", "initial access", "spawns", "present mar", "present jun", "title", "windows nt", "wow64", "slcc2", "media center", "data recovery", "ms windows", "process32nextw", "intel", "pe32", "format", "mozilla", "installcapital", "generic", "write", "unknown", "malware", "next", "installer", "template", "div div", "request blocked", "helvetica neue", "helvetica segoe", "ui arial", "script script", "pragma", "port", "destination", "binbusybox", "high", "post", "icmp traffic", "dns query", "newstatusurl", "mirai", "prefetch8", "ck matrix", "localappdata", "info", "ssl certificate", "czech republic", "prefetch1", "prefetch2", "israel israel", "analysis tip", "href", "ascii text", "null", "refresh", "span", "iframe", "error", "tools", "look", "verify", "restart", "t1480 execution", "beginstring", "windir", "openurl c", "programfiles", "related nids", "files location", "flag united", "dynamicloader", "medium", "named pipe", "win64", "download", "delphi", "smartassembly", "m. brian sabey", "quasi government", "no such agency", "facebook", "search", "date", "showing", "ukraine", "\u2018buzz\u2019", "alex karp", "peter theil", "elon musk", "ff d5", "yara rule", "ee fc", "generic http", "exe upload", "f0 ff", "eb e1", "ff bb", "show process", "sha1", "sub domain", "show technique", "network traffic", "class", "starfield", "cyber crime", "yara detections", "top source", "top destination", "source source", "filehash", "sha256 add", "av detections", "ids detections", "alerts", "show", "dock", "execution", "present feb", "value", "content type", "mirai", "sha256", "body", "gmt content", "ddos", "mtb sep", "hosting", "domain robot", "expiration date", "welcome", "apple", "christopher p. ahmann", "tsara", "monitored target", "github https", "github", "smart assembly", "red hat", "hackers", "google" ], "references": [ "https://therahand.com", "www.socialimages.reputationdatabase.com", "Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: dead_host network_icmp nolookup_communication p2p_cnc", "Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com", "Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government", "Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand", "https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06", "https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e", "https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e", "BinBusyBox: 0x.un5t48l3.host", "ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany", "AS24961 MyLoc Managed IT AG", "PSI | Planned Systems International https://www.plan-sys.com/cyber", "Smart Assembly | https://github.com/red-gate/SmartAssembly-demo", "https://www.red-gate.com/products/smartassembly", "https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources", "Colorado maintains a public-facing police misconduct database via the state's", "Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.", "Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!" ], "public": 1, "adversary": "NSO Pegasus", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FakeAV.FOR", "display_name": "FakeAV.FOR", "target": null }, { "id": "Win32:MalOb-DB\\ [Cryp]", "display_name": "Win32:MalOb-DB\\ [Cryp]", "target": null }, { "id": "Win.Trojan.Agent-306281", "display_name": "Win.Trojan.Agent-306281", "target": null }, { "id": "VirTool:Win32/Obfuscator.KI", "display_name": "VirTool:Win32/Obfuscator.KI", "target": "/malware/VirTool:Win32/Obfuscator.KI" }, { "id": "Win32:MalOb-DB\\ [Cryp]", "display_name": "Win32:MalOb-DB\\ [Cryp]", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "ELF:Gafgyt-DZ\\ [Trj]", "display_name": "ELF:Gafgyt-DZ\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Mirai-5607483-0", "display_name": "Unix.Trojan.Mirai-5607483-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 523, "FileHash-SHA1": 402, "FileHash-SHA256": 2165, "URL": 4953, "domain": 1118, "hostname": 1951, "email": 12, "SSLCertFingerprint": 52, "CVE": 2 }, "indicator_count": 11178, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692d02f096f3ec8b5b507496", "name": "Google Drive: Share Files Online with Secure Cloud Storage | Google Workspace", "description": "nJRAT | Corrupted Google Drive sent to targets former device. Years long social engineering may have been involved. All\nIoC\u2019s Appears to involve years of social engineering. Google\ndrive service in question is a storage service based in Vietnam. | \n\nBotnet / Check-ins / Spyware / Cams. [Anon Sec Botnet subdomain name pulsed. Close directly related to zalo.me\nand tbtteams.com]\nRequires further research.\n\nThis pulse is a bit confusing due where and who it originated from.", "modified": "2025-12-31T02:01:50.101000", "created": "2025-12-01T02:52:32.483000", "tags": [ "business", "enterprise", "drive", "english", "google drive", "try drive", "business small", "workspace", "sign", "strong", "find", "life", "tools", "protect", "cloud", "simple", "android", "indonesia", "video", "mb download", "shared may", "shared", "learn", "drive drive", "name date", "javascript", "dynamicloader", "medium", "minimal headers", "high", "observed get", "get http", "united", "yara rule", "http", "write", "guard", "malware", "read c", "ms windows", "intel", "png image", "rgba", "pe32", "get na", "explorer", "music", "virlock", "media", "ho chi", "minh city", "viet nam", "storage company", "limited", "google", "address as", "luutruso", "cloudflar", "domain", "asn15169", "asn56153", "asn13335", "cisco", "umbrella rank", "apex domain", "url https", "kb stylesheet", "kb font", "kb image", "image", "kb script", "november", "resource path", "size", "type mimetype", "primary request", "redirect chain", "kb document", "urls", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "t1590 gather", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "domain address", "rsdsq jfu", "ollydbg ollydbg", "wireshark", "external", "binary file", "mitre att", "ck matrix", "aaaa", "cong ty", "co phan", "code", "province hcm", "files", "ip address", "request", "flag", "country", "contacted hosts", "process details", "link initial", "t1480 execution", "domains", "moved", "gmt content", "all ipv4", "url analysis", "location viet", "title", "error", "problem", "url add", "related nids", "files location", "flag united", "development att", "name server", "markmonitor", "localappdata", "programfiles", "edge", "hyundai", "social engineering", ".mil", "hackers", "phishing eml", "summary", "cisco umbrella", "google safe", "browsing", "current dns", "a record", "ip information", "ipasns ip", "detail domain", "domain tree", "links apex", "transfer", "b script", "b stylesheet", "frame b830", "b document", "value", "december", "degurafregistry", "gat object", "jsl object", "gapijstiming", "iframe function", "domainpath name", "nid value", "source level", "files domain", "files related", "tags", "related tags", "virustotal", "foundry", "pulse otx", "dark", "vietnam", "present aug", "present nov", "present jul", "present sep", "unknown aaaa", "search", "name servers", "present oct", "trojan", "data upload", "extraction", "se https", "include review", "exclude sugges", "find s", "failed", "typ don", "faith", "study", "romeo\u2019s", "juliettes", "femme fatales", "strategy", "honey pot", "honey traps", "spy", "helix", "anons", "passive dns", "pulse pulses", "files ip", "address", "location united", "asn as400519", "whois registrar", "ms defender", "files matching", "number", "sample analysis", "hide samples", "date hash", "cameras", "cams", "spycam", "botnet", "vietnam", "company limited", "dnssec", "status", "india unknown", "present may", "espionage", "hostname add", "generic", "cnc activity", "backdoor", "ipv4", "anonsecbotnet", "iptv" ], "references": [ "drive.google.com/", "https://foundry2-lbl.dvr.dn2.n-helix.com/", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "zalo.me | href | Binary File | ATT&CK ID T1566.002", "https://account.helix.com/activate/start", "anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022", "https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]", "Terse Unencrypted Request for Google - Likely Connectivity Check", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6", "cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com", "https://hyundaibariavungtau3s.com/vehicle/stargazer", "https://hyundaibariavungtau3s.com/vehicle/ioniq-5", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade", "https://hyundaibariavungtau3s.com/vehicle/hyundai-custin", "https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/", "https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com", "https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/", "https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com", "http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/", "http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466", "https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam", "feedback-pa.clients6.google.com/v1/survey/trigger/", "https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg", "anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Virus.Virlock-6804475-0", "display_name": "Win.Virus.Virlock-6804475-0", "target": null }, { "id": "Win.Malware.Bzub-6727003-0", "display_name": "Win.Malware.Bzub-6727003-0", "target": null }, { "id": "Win.Trojan.Generic-9801687-0", "display_name": "Win.Trojan.Generic-9801687-0", "target": null }, { "id": "NID", "display_name": "NID", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Dropper.njRAT-10015886-0", "display_name": "Win.Dropper.njRAT-10015886-0", "target": null }, { "id": "Win.Packed.Generic-9795615-0", "display_name": "Win.Packed.Generic-9795615-0", "target": null }, { "id": "Backdoor:MSIL/Bladabindi.AJ GC!", "display_name": "Backdoor:MSIL/Bladabindi.AJ GC!", "target": "/malware/Backdoor:MSIL/Bladabindi.AJ GC!" }, { "id": "Win.Packed.Generic-9795615-0\t.", "display_name": "Win.Packed.Generic-9795615-0\t.", "target": null }, { "id": "Backdoor:MSIL/Bladabindi.AJ", "display_name": "Backdoor:MSIL/Bladabindi.AJ", "target": "/malware/Backdoor:MSIL/Bladabindi.AJ" }, { "id": "Win.Packed.Fecn-7077459-0", "display_name": "Win.Packed.Fecn-7077459-0", "target": null }, { "id": "Trojan:MSIL/Ranos.A", "display_name": "Trojan:MSIL/Ranos.A", "target": "/malware/Trojan:MSIL/Ranos.A" }, { "id": "Win.Trojan.Generic-6417450-0", "display_name": "Win.Trojan.Generic-6417450-0", "target": null }, { "id": "ALF:Backdoor:MSIL/Noancooe.KA", "display_name": "ALF:Backdoor:MSIL/Noancooe.KA", "target": null }, { "id": "Win.Packed.Msilperseus-9956592-0", "display_name": "Win.Packed.Msilperseus-9956592-0", "target": null }, { "id": "Trojan:MSIL/ClipBanker", "display_name": "Trojan:MSIL/ClipBanker", "target": "/malware/Trojan:MSIL/ClipBanker" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1194", "name": "Spearphishing via Service", "display_name": "T1194 - Spearphishing via Service" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1911, "hostname": 714, "FileHash-SHA256": 1304, "FileHash-MD5": 159, "FileHash-SHA1": 71, "SSLCertFingerprint": 2, "domain": 421, "CVE": 1, "email": 4 }, "indicator_count": 4587, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692cb6dc24da17618e3d9da6", "name": "Mirai Botnet | HackTool Powershell targets LinkedIn User | 192.168.1.1 \u2022 Remote Inbound Outbound Connection", "description": "Linux Malware - LinkedIn- True Mirai Botnet (192.168.1.1) (Never Connect) Incredibly powerful attack targeting LinkedIn users. In this instance the target is an ex husband of a target. |\nNDO Group relationships seen. This is a Botnet. \n\nMay be \u2018framing\u2019 attack that was launched in 2014. Attackers sent a clear message to target that she + husband would be arrested and charged with possession of 1000\u2019s of \u2018child pornography\u2019 pictures. \n\nAttack 10/10 malicious. Worked from separate system in separate location. Hackers unlocked a device, zero clicks, removed PSW. Tulach malware seen a profile \u2018Michael Robert\u2019s of Rexxfield\u2019 may be entity (NSA) with a face like Tulach. Uses the most WILD compromises. Government contractors? \n\nSame attackers brought down Prudentials \u2018Assurance\u2019 Medicare system forever.\n ESET hackers only allowing \u2018bad traffic\u2019 .", "modified": "2025-12-30T19:04:40.430000", "created": "2025-11-30T21:27:56.239000", "tags": [ "enter", "extract", "enter source", "urls", "address", "remote connect", "private ip", "sql", "inject", "montserrat", "script urls", "germany unknown", "xml title", "wiesinger", "style", "ip address", "script domains", "body doctype", "encrypt", "botnet", "dropper", "unix", "resolverror", "et exploit", "outbound", "mirai variant", "useragent", "inbound", "et trojan", "et webserver", "scan mirai", "hello", "execution", "mirai", "malware", "shell", "nids", "ids detections", "wget command", "http headers", "dlink devices", "home network", "mvpower dvr", "shell uce", "mirai elf", "linux malware", "is__elf", "cnc", "meta http", "content", "gmt server", "files", "reverse dns", "germany", "ismaning", "germany asn", "as5539 spacenet", "germany https", "auto generated security (?)", "redacted for", "name servers", "aaaa", "search", "for privacy", "title", "intel", "ms windows", "pe32", "process32nextw", "write c", "mssql port", "hash", "beapy", "bit32bit", "agent", "write", "hacktool", "win32", "next", "suspicious user", "pybeapy cnc", "checkin", "w32beapy cnc", "beacon", "module load", "external ip", "lookup", "home assistant", "intptr", "uint32", "type", "parameter", "oldprotectflag", "mandatory", "throw", "position", "lkshkdandl", "success", "info", "powershell", "null", "error", "date hash", "next yara", "detections name", "medium", "graph tree", "sample", "sample hash", "exec bypass", "c ipconfig", "world", "jaws webserver", "chmod usage", "strings", "extraction", "data upload", "extre", "include data", "hos hos", "y se", "sugges", "find s", "typ hos", "hos data", "hos hostname", "hos host", "extr data", "tethering", "tulach", "114.114.114.114", "passive dns", "pulse pulses", "http", "related nids", "files location", "united", "flag united", "files domain", "next associated", "ipv4 add", "delphi", "read c", "packing t1045", "t1045", "worm", "code", "june", "irc nick command", "irc", "meta", "status", "record value", "unknown aaaa", "expiration", "url http", "indicator role", "pulses url", "no expiration", "url https", "url url", "o url", "request review", "hosting", "unknown", "medium security", "extra data", "failed", "linkedin", "url add", "ireland flag", "ireland", "dublin", "ireland asn", "as16509", "spyware", "nso", "nso group", "pegasus related", "nso related", "framing", "porn", "python", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "apple", "192.168.1.1", "law", "attorney" ], "references": [ "192.168.1.1 - WOW! Use your old equipment in a non - residential environment", "http://xn.com/ \u2022 www.xn--linkedinxn-6u6e.com \u2022 http://www.linkedin-xn.com/ \u2022 www.linkedin-xn.com", "Powerful Exploit: https://otx.alienvault.com/indicator/file/ba32802bdd1f0b91cf8c667b94426d73ee654ba0", "Mirai Botnet - *Inbound & Outbound connection", "IDS Detections: *WGET Command Specifying Output in HTTP Headers", "IDS Detections: *D-Link Devices Home Network Administration Protocol Command Execution", "IDS Detections: *JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: *MVPower DVR Shell UCE *Mirai Variant User-Agent (Outbound)", "Yara : Yara Detections : SUSP_XORed_Mozilla , Linux_MiningSoftware , is__elf", "Alerts : dead_host nids_exploit_alert nids_malware_alert persistency_initd network_icmp", "Alerts : tcp_syn_scan nolookup_communication network_cnc_http network_http", "Alerts : network_http_post nids_alert chmod_syscall writes_to_stdout", "Other Mitre ATT&CK T1480 T1553.00 T1027.013 T1057 T1069.002 T1071\tT1071.004", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/video/search?search=tsara+brashears", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "pornokind.vgt.pl \u2022 https://pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl/", "pornlynx.com \u2022 www.pornhub.com \u2022 www.anyxxxtube.com", "https://frostty12ice.info/ \u2022 https://lawhubh.info", "Needs researching: http://lib.jerusalem.muni.il.il \u2022 https://lib.jerusalem.muni.il.il" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unix.Dropper.Botnet-6566040-0", "display_name": "Unix.Dropper.Botnet-6566040-0", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Montserrat", "display_name": "Montserrat", "target": null }, { "id": "Beapy", "display_name": "Beapy", "target": null }, { "id": "HackTool:Win32/PowerSploit!rfn", "display_name": "HackTool:Win32/PowerSploit!rfn", "target": "/malware/HackTool:Win32/PowerSploit!rfn" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Worm:Win32/Mydoom.PB!MTB", "display_name": "Worm:Win32/Mydoom.PB!MTB", "target": "/malware/Worm:Win32/Mydoom.PB!MTB" } ], "attack_ids": [ { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0036", "name": "Exfiltration", "display_name": "TA0036 - Exfiltration" }, { "id": "TA0039", "name": "Remote Service Effects", "display_name": "TA0039 - Remote Service Effects" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" } ], "industries": [ "Government", "Legal", "Healthcare", "Insurance", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4147, "domain": 871, "hostname": 2194, "FileHash-MD5": 279, "FileHash-SHA1": 257, "FileHash-SHA256": 2183, "CVE": 6, "email": 3, "SSLCertFingerprint": 1 }, "indicator_count": 9941, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688ef0516013ca78448bf4e5", "name": "Foundry \u2022 Reflected Networks Pornhub Malvertising Subsidiary", "description": "Foundry ? Pornhub\nsanfoundry.com\ncompliance.fifoundry.net- Pornhub subsidiary. Targets networks, devices, routers, used for promoting pornography and her music. Producer revealed her hooks were used for Justin Bieber & Tori Kelly songs that. A producer stated her songs had been grifted. Both Tsara Brashears & a studio were in Pegasus & attacked by \u2018Lazarus\u2019 Group. She was told in detail how her songs can be used by music insiders if they choose. Target trolled by mocking hackers re: the JB and Kelly song.. Trojan:Win32/DisableUAC.A!bit\n, MSIL:Suspicious:ScreenCapture.S01\nIDS Detections\nLokiBot Checkin\nLokiBot User-Agent (Charon/Inferno)\nLokiBot Application/Credential Data Exfiltration Detected M1\nLokiBot Request for C2 Commands Detected M1\nLokiBot Application/Credential Data Exfiltration Detected M2\nLokiBot Request for C2 Commands Detected M2\nTrojan Generic - POST To gate.php with no referer\nSSL excessive fatal alerts (possible POODLE attack against server)\nI will revisit this. Gloryhole Foundation?", "modified": "2025-09-02T04:01:31.218000", "created": "2025-08-03T05:14:57.402000", "tags": [ "united", "moved", "entries", "passive dns", "detected m1", "next associated", "mtb apr", "mtb aug", "server", "gmt content", "trojandropper", "trojan", "body", "lokibot request", "c2 commands", "detected m2", "otx telemetry", "historical otx", "twitter running", "open ports", "cves", "time", "dynamicloader", "port", "search", "show", "destination", "alerts", "copy", "dynamic", "medium", "write", "creation date", "hostmaster", "urls", "domain", "showing", "hostname add", "pulse pulses", "date", "flag", "falcon sandbox", "name server", "markmonitor", "analysis", "mitre att", "anonymous", "upgrade", "hybrid", "contact", "usa windows", "december", "input threat", "level analysis", "summary", "february", "hwp support", "january", "october", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "calls", "command", "javascript", "object model", "model", "windir", "json data", "localappdata", "ascii text", "temp", "getprocaddress", "script", "license", "runtime process", "copy md5", "facebook", "roboto", "error", "win64", "path", "blink", "meta", "factory", "general", "comspec", "click", "strings", "damage", "mini", "stop", "core", "expl", "win32", "gmt server", "ecacc saa83dd", "ipv4 add", "twitter", "cobalt strike", "mozilla" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 263, "FileHash-SHA1": 256, "FileHash-SHA256": 837, "hostname": 4415, "URL": 1918, "domain": 1884, "email": 2, "SSLCertFingerprint": 2 }, "indicator_count": 9577, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688343b9e60e8693f50e515f", "name": "Cycbot & worse - Palantir Monitoring Target/s", "description": "Palantir \u2022 Gotham \u2022 Foundry Top tier sells tools used to monitor, harass, smear , invoke fear, even \u2018kill\u2019. Used by military., too many partners to name (includes the entire government., heavy military, NSA use) of course Twitter, Apple Facebook, Pegasus related, possibly Paragon if what I\u2019ve read and researched is true. *There are 188 Palantir Foundry links in this pulse. ||\nMonitored target || Apparently ,\u2018tool\u2019 is weaponized against civilians for unknown and unwarranted purposes. || Lofty and unclear how or why a manner of death of target was predicted and posted online 12 years ago. || More research is needed.\n\nMalware named was found in research. \n\n #targeted #rip #palantir #foundry #gotham #twitter #techbromafia #silencing #overreach #quasi_gov #ongoing #active #moved #dangerous", "modified": "2025-08-24T06:01:34.920000", "created": "2025-07-25T08:43:37.734000", "tags": [ "status", "united", "unknown ns", "passive dns", "urls", "creation date", "search", "emails", "date", "expiration date", "tcp include", "top source", "top destination", "show", "source source", "data upload", "extraction", "showing", "moved", "certificate", "ip address", "domain", "body", "present jul", "present jun", "present aug", "present sep", "trojan", "name servers", "twitter", "vtflooder", "foundry", "virustotal", "gotham", "palantir", "tools", "destination", "port", "msie", "windows nt", "unknown", "read c", "etpro trojan", "malware", "copy", "write", "infostealer", "possible", "virustotal", "copyleft", "present jan", "entries", "next associated", "ipv4 add", "pulse submit", "url analysis", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "discovery att", "hostname add", "files", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "ascii text", "mitre att", "pattern match", "show technique", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "look", "verify", "restart", "se extri", "referen", "etpro tr", "virtool", "referencec", "failed", "se extra", "eanioae", "include review", "exclude sugges", "includec review", "exclude", "suggest data", "open ports", "reverse dns", "location united", "america flag", "boardman", "t1045", "ck ids", "packing", "t1060", "run keys", "startup", "folder", "t1057", "discovery", "t1071", "value emails", "name domain", "org microsoft", "microsoft way", "city redmond", "country us", "dnssec", "t1012", "t1047", "instrumentation", "t1053", "taskjob", "spyware", "source", "signing defense", "size", "meta", "onload", "dynamicloader", "unicode text", "crlf line", "utf8", "medium", "write c", "default", "delphi", "win32", "code", "stream", "next", "akamai rank", "show process", "prefetch2", "dns server", "network traffic", "virus", "monitored target", "tofsee", "generic http", "exe upload", "inbound", "outbound", "delete", "yara detections", "markus", "flowid22101", "pixelevtid11771", "dvid", "urls show", "date checked", "188 palantir results", "adversaries", "development att", "ssl certificate", "flag", "stop", "facebook", "4328", "5943", "stealer", "unknown aaaa", "present may", "domain add", "hyundaitx", "twitter", "monitored tsara", "brashears", "apple", "ios", "remote", "cycbot", "maudio fw", "heur", "productversion", "fileversion", "maudio firewire" ], "references": [ "palantirfoundry.com \u2022 https://edenglobalpartners.palantirfoundry.com/", "247seekscenter.com \u2022 ns-1986.awsdns-56.co.uk: | 365-notifcation.com", "ETPRO TROJAN Win32/Oderoor Checkin \u2022 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain", "Domain ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)", "ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection", "platform.twitter.co \u2022 rm.twitter.co \u2022 upload.twitter.co \u2022 http://2fsyndication.twitter.co/", "http://legal.twitter.co \u2022 http://mobile.twitter.co/", "ec2-44-228-94-74.us-west-2.compute.amazonaws.com \u2022 defender.palantirfoundry.com", "https://embaxter.palantirfoundry.com \u2022 https://amgistudios.palantirfoundry.com", "https://ametrine-containers.palantirfoundry.com \u2022 https://amfp.palantirfoundry.com", "https://ameteklms.palantirfoundry.com \u2022 https://ametrine-compute.palantirfoundry.com", "https://amiable-constellation.palantirfoundry.com \u2022 https://amplifi.palantirfoundry.com", "https://oscar.palantirfoundry.com/ \u2022 https://replica.palantirfoundry.com/", "https://statemed.palantirgov.com/workspace/settings/notifications \u2022 https://cchbc.palantirfoundry.com", "https://test-1.washington.palantircloud.com \u2022 https://tarn.palantirgov.com \u2022 https://stateplatform.palantirgov.com", "https://imperium-dev-1.palantircloud.com \u2022 https://hii.palantirgov.com \u2022 https://genoa.washington.palantircloud.com", "tsystems.palantirfoundry.com \u2022 https://statemed.palantirgov.com \u2022 https://statecms.palantirgov.com", "https://replica.palantirfoundry.com/ \u2022 https://spacejam.palantirfoundry.com/ \u2022", "https://pl.pornhub.mrst.one/ \u2022 hotamateurpornsite.xxx \u2022 squirting.porn \u2022 https://de-pornhub.mrst.one/", "Hostname: hcl-dna-sandbox.palantirfoundry.com", "https://www.hyundaitx.com/", "ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check", "https://remote.downloadnow-1.com/", "Alerts: injection_runpe deletes_self persistence_autorun stealth_file antivirus_virustotal infostealer_ftp", "Alerts: infostealer_mail network_smtp persistence_ads recon_programs injection", "Monitored Target - Spawned process \"iexplore.exe\" w/commandline \"SCODEF:5860 CREDAT:275457 /prefetch:2\" (Show Process) source", "Monitored Target: Queries DNS server details \"www.hyundaitx.com\" source Network Traffic T1071.004", "Palantir/ Hyuandi coexist | Confirmed Targets transportation was a Hyuandi SUV |", "ipad-steals-app-ideas_1_.jpg - MD5 6dd66b729a649dec250b24533a58a996" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Vtflooder-9783271-0", "display_name": "Win.Malware.Vtflooder-9783271-0", "target": null }, { "id": "Trojan.Kazy-237", "display_name": "Trojan.Kazy-237", "target": null }, { "id": "Trojan.Vundo-5335", "display_name": "Trojan.Vundo-5335", "target": null }, { "id": "Generic31.BKFG", "display_name": "Generic31.BKFG", "target": null }, { "id": "Win.Packed.Krucky-6941986-0", "display_name": "Win.Packed.Krucky-6941986-0", "target": null }, { "id": "ALF:HSTR:KrunchyMalPacker!MTB", "display_name": "ALF:HSTR:KrunchyMalPacker!MTB", "target": null }, { "id": "Win.Trojan.Agent-920890", "display_name": "Win.Trojan.Agent-920890", "target": null }, { "id": "Win.Trojan.Jorik-10365", "display_name": "Win.Trojan.Jorik-10365", "target": null }, { "id": "Trojan.Adload-2492", "display_name": "Trojan.Adload-2492", "target": null }, { "id": "Trojan.Spy-59563", "display_name": "Trojan.Spy-59563", "target": null }, { "id": "Ransom:Win32/Cryptor", "display_name": "Ransom:Win32/Cryptor", "target": "/malware/Ransom:Win32/Cryptor" }, { "id": "Win32/Blacked", "display_name": "Win32/Blacked", "target": null }, { "id": "Win.Trojan.Cycbot-764", "display_name": "Win.Trojan.Cycbot-764", "target": null }, { "id": "Trojan.VB-47534", "display_name": "Trojan.VB-47534", "target": null }, { "id": "Backdoor:Win32/Drixed.J ,", "display_name": "Backdoor:Win32/Drixed.J ,", "target": "/malware/Backdoor:Win32/Drixed.J ," }, { "id": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "Malware Tool", "display_name": "Malware Tool", "target": null }, { "id": "Palantir Spyware", "display_name": "Palantir Spyware", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0030", "name": "Defense Evasion", "display_name": "TA0030 - Defense Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4203, "domain": 1218, "email": 9, "hostname": 2006, "FileHash-SHA256": 2740, "FileHash-MD5": 424, "FileHash-SHA1": 419, "SSLCertFingerprint": 12 }, "indicator_count": 11031, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6882e2a53af80b1af320079d", "name": "VirusTotal - Palantir- KrunchyMalPacker | Vflooder", "description": "-> Hostname: \u2022 edenglobalpartners.palantirfoundry.com\n\u2022 c.twitterintegration.com\n*Trojan:Win32/Vflooder.E\nIDS Detections:\n- Win32/Flooder.Agent.NAS CnC Domain in DNS Lookup\n\u2022 Virus Total vtapi DOS\n\u2022 Generic HTTP EXE Upload Inbound\n\u2022 Observed Suspicious UA (Mozilla/5.0)\n\u2022 Generic HTTP EXE Upload Outbound || \n*ALF:HSTR:KrunchyMalPacker!MTB\t\n IDS Detections\n-Win32/Vflooder.B Checkin\n\u2022 TLS Handshake Failure\nYara Detections: \nkkrunchy023alpha2\nAlerts:\n\u2022 static_pe_anomaly\n\u2022 suricata_alert\n\u2022 dynamic_function_loading\n\u2022 network_cnc_https_generic\n\u2022 reads_self\n\u2022 network_cnc_http\n\u2022 network_http\n\u2022 packer_unknown_pe_section_name\n\u2022 packer_entropy\n\u2022 injection_rwx ||\n__________\nIP\u2019s Contacted:\n\u2022 34.54.88.138\n\u2022 162.159.140.229\nDomains Contacted\n\u2022 twitter.com (SBKA - Palantir?)\n\u2022 www.virustotal.com\n#botnetresulttesting #virustotal_unsafe #vtflooder #palantir #twitter #gotham foundry #brian_sabey_has_a_new_toy #targeting #tsara_brashears", "modified": "2025-08-24T01:04:01.801000", "created": "2025-07-25T01:49:25.325000", "tags": [ "windows nt", "dynamicloader", "contentlength", "tls handshake", "failure", "host", "show", "medium", "search", "entries", "copy", "write", "malware", "generic http", "exe upload", "inbound", "outbound", "domain", "trojan", "u0019", "trojandropper", "backdoor", "mtb jul", "united", "passive dns", "open ports", "win32berbew jul", "ipv4 add", "present jul", "present jun", "cname", "present aug", "present sep", "status", "certificate", "date", "twitter", "unknown ns", "name servers", "servers", "showing", "urls", "creation date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1903, "hostname": 806, "FileHash-SHA256": 1594, "FileHash-MD5": 264, "FileHash-SHA1": 297, "SSLCertFingerprint": 1, "domain": 515, "email": 5 }, "indicator_count": 5385, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc", "pornlynx.com \u2022 www.pornhub.com \u2022 www.anyxxxtube.com", "ec2-44-228-94-74.us-west-2.compute.amazonaws.com \u2022 defender.palantirfoundry.com", "Terse Unencrypted Request for Google - Likely Connectivity Check", "https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com", "Smart Assembly | https://github.com/red-gate/SmartAssembly-demo", "ET INFO User-Agent (python-requests) Inbound to Webserver", "https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in", "cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com", "https://account.helix.com/activate/start", "https://foundry2-lbl.dvr.dn2.n-helix.com/", "IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)", "IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz", "ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "Alerts : tcp_syn_scan nolookup_communication network_cnc_http network_http", "https://ameteklms.palantirfoundry.com \u2022 https://ametrine-compute.palantirfoundry.com", "Suspicious User Agent | ETPRO POLICY Python Requests", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX", "Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication", "https://www.red-gate.com/products/smartassembly", "IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt", "Needs researching: http://lib.jerusalem.muni.il.il \u2022 https://lib.jerusalem.muni.il.il", "Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB", "Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com", "Mirai Botnet - *Inbound & Outbound connection", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue", "Domain ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)", "IDS Detections: *D-Link Devices Home Network Administration Protocol Command Execution", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "Domains Contacted: c.statcounter.com sstatic1.histats.com", "https://remote.downloadnow-1.com/", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade", "https://oscar.palantirfoundry.com/ \u2022 https://replica.palantirfoundry.com/", "https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]", "Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com", "www.socialimages.reputationdatabase.com", "ETPRO TROJAN Win32/Oderoor Checkin \u2022 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain", "ET WORM TheMoon.linksys.router", "https://imperium-dev-1.palantircloud.com \u2022 https://hii.palantirgov.com \u2022 https://genoa.washington.palantircloud.com", "IPs Contacted: 149.56.240.31 172.66.136.209", "genealogytrails.com", "Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government", "Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com", "https://test-1.washington.palantircloud.com \u2022 https://tarn.palantirgov.com \u2022 https://stateplatform.palantirgov.com", "IDS Detections: *WGET Command Specifying Output in HTTP Headers", "https://frostty12ice.info/ \u2022 https://lawhubh.info", "https://ametrine-containers.palantirfoundry.com \u2022 https://amfp.palantirfoundry.com", "IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS", "Palantir/ Hyuandi coexist | Confirmed Targets transportation was a Hyuandi SUV |", "upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4", "192.168.1.1 - WOW! Use your old equipment in a non - residential environment", "https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources", "https://statemed.palantirgov.com/workspace/settings/notifications \u2022 https://cchbc.palantirfoundry.com", "\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,", "Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options", "https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06", "Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject", "https://pl.pornhub.mrst.one/ \u2022 hotamateurpornsite.xxx \u2022 squirting.porn \u2022 https://de-pornhub.mrst.one/", "Other Mitre ATT&CK T1480 T1553.00 T1027.013 T1057 T1069.002 T1071\tT1071.004", "https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/", "Has been present throughout a specific campaign", "IDS Detections: *JAWS Webserver Unauthenticated Shell Command Execution", "Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com", "Monitored Target: Queries DNS server details \"www.hyundaitx.com\" source Network Traffic T1071.004", "Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand", "Yara : Yara Detections : SUSP_XORed_Mozilla , Linux_MiningSoftware , is__elf", "https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com", "Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process", "192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net", "IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193", "http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466", "src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105", "https://therahand.com", "feedback-pa.clients6.google.com/v1/survey/trigger/", "https://hyundaibariavungtau3s.com/vehicle/stargazer", "https://amiable-constellation.palantirfoundry.com \u2022 https://amplifi.palantirfoundry.com", "ipad-steals-app-ideas_1_.jpg - MD5 6dd66b729a649dec250b24533a58a996", "Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "pornokind.vgt.pl \u2022 https://pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl/", "palantirfoundry.com \u2022 https://edenglobalpartners.palantirfoundry.com/", "ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany", "https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/", "anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022", "Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections", "Mirai", "Alerts : dead_host nids_exploit_alert nids_malware_alert persistency_initd network_icmp", "Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com", "platform.twitter.co \u2022 rm.twitter.co \u2022 upload.twitter.co \u2022 http://2fsyndication.twitter.co/", "It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT", "AS24961 MyLoc Managed IT AG", "Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com", "IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden", "https://hyundaibariavungtau3s.com/vehicle/ioniq-5", "Powerful Exploit: https://otx.alienvault.com/indicator/file/ba32802bdd1f0b91cf8c667b94426d73ee654ba0", "https://www.hyundaitx.com/", "PSI | Planned Systems International https://www.plan-sys.com/cyber", "http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/", "drive.google.com/", "zalo.me | href | Binary File | ATT&CK ID T1566.002", "Colorado maintains a public-facing police misconduct database via the state's", "IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin", "http://xn.com/ \u2022 www.xn--linkedinxn-6u6e.com \u2022 http://www.linkedin-xn.com/ \u2022 www.linkedin-xn.com", "Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert", "\"ET WEB_SERVER WebShell Generic - wget http - POST", "https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg", "Monitored Target - Spawned process \"iexplore.exe\" w/commandline \"SCODEF:5860 CREDAT:275457 /prefetch:2\" (Show Process) source", "Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.", "Alerts: dead_host network_icmp nolookup_communication p2p_cnc", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6", "https://hyundaibariavungtau3s.com/vehicle/hyundai-custin", "Hostname: hcl-dna-sandbox.palantirfoundry.com", "anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net", "Alerts: injection_runpe deletes_self persistence_autorun stealth_file antivirus_virustotal infostealer_ftp", "TCP SYN packets were observed", "Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com", "Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com", "https://embaxter.palantirfoundry.com \u2022 https://amgistudios.palantirfoundry.com", "ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound", "Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com", "Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!", "IDS Detections: *MVPower DVR Shell UCE *Mirai Variant User-Agent (Outbound)", "Alerts : network_http_post nids_alert chmod_syscall writes_to_stdout", "Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..", "https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam", "https://www.pornhub.com/video/search?search=tsara+brashears", "BinBusyBox: 0x.un5t48l3.host", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests", "https://replica.palantirfoundry.com/ \u2022 https://spacejam.palantirfoundry.com/ \u2022", "247seekscenter.com \u2022 ns-1986.awsdns-56.co.uk: | 365-notifcation.com", "http://legal.twitter.co \u2022 http://mobile.twitter.co/", "ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection", "Alerts: infostealer_mail network_smtp persistence_ads recon_programs injection", "tsystems.palantirfoundry.com \u2022 https://statemed.palantirgov.com \u2022 https://statecms.palantirgov.com", "File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "NSO Pegasus" ], "malware_families": [ "Malware tool", "Pegasus", "Win.packed.generic-9795615-0", "Virtool:win32/obfuscator.ki", "Montserrat", "Win.trojan.agent-920890", "Backdoor:msil/bladabindi.aj gc!", "Trojan.vb-47534", "Spyfu", "Elf:mirai-gh\\ [trj]", "Trojan.adload-2492", "Tulach", "Elf:gafgyt-dz\\ [trj]", "Win.virus.virlock-6804475-0", "Trojan:win32/floxif.e", "Win.packed.msilperseus-9956592-0", "Win.trojan.agent-306281", "Win.packed.krucky-6941986-0", "Ransom:win32/cryptor", "Et", "Alf:heraklezeval:pws:win32/ldpinch!rfn", "Trojan:msil/ranos.a", "Backdoor:msil/bladabindi.aj", "Other malware", "Mirai", "Worm:win32/mydoom.pb!mtb", "Win.packed.fecn-7077459-0", "Win32/blacked", "Palantir spyware", "Hacktool:win32/powersploit!rfn", "Trojan.spy-59563", "Alf:backdoor:msil/noancooe.ka", "Unix.dropper.botnet-6566040-0", "Win.trojan.cycbot-764", "Unix.trojan.mirai-5607483-0", "Trojan:msil/clipbanker", "Win.trojan.vb-83922", "Win.malware.vtflooder-9783271-0", "Fakeav.for", "Win32:malob-db\\ [cryp]", "Win.packed.generic-9795615-0\t.", "Win.trojan.generic-9801687-0", "Trojan.vundo-5335", "Win.trojan.jorik-10365", "Trojan.kazy-237", "Alf:hstr:krunchymalpacker!mtb", "Nids", "Nid", "Backdoor:win32/drixed.j ,", "Win.trojan.generic-6417450-0", "Win.dropper.njrat-10015886-0", "Generic31.bkfg", "Virtool:win32/vbinject.gen!jb", "Beapy", "Win.malware.bzub-6727003-0", "Unix.trojan.mirai-7646352-0" ], "industries": [ "Healthcare", "Government", "Civil society", "Legal", "Insurance" ], "unique_indicators": 56541 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/doptools.pl", "whois": "http://whois.domaintools.com/doptools.pl", "domain": "doptools.pl", "hostname": "test-sim-mgmt.doptools.pl" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "698e906da16336f8e87c3b90", "name": "CoinHive Clone ", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-02-13T02:46:05.544000", "tags": [ "united", "td tr", "a domains", "history group", "state", "b td", "present sep", "find", "alabama", "iowa", "apache", "content type", "passive dns", "meta http", "content", "gmt server", "pragma", "title", "linksys eseries", "device rce", "inbound", "et exploit", "attempt", "et webserver", "suspicious user", "user agent", "et worm", "policy python", "python", "agent", "generic", "malware", "nids", "dst_ip", "\"sid\": 2017515,", "2020/08/23", "dst_port\": 8080", "suricata", "network_icmp", "tcp_syn_scan", "unix", "mirai", "infection", "port 8080", "aitm", "mitm", "xfinity", "lumen backbone", "xfinity cf", "et info", "useragent", "webserver", "android", "linux", "statistically stripped", "local", "Jefferson County", "Colorado", "State", "is__elf", "is__war", "cyber warfare", "marking", "targeting", "stalking", "impersonating", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "defense evasion", "mitre att", "ck matrix", "february", "hybrid", "general", "path", "encrypt", "click", "strings", "attack", "ssl certificate", "ascii text", "dynamicloader", "yara rule", "ff d5", "medium", "high", "eb d8", "f0 ff", "ff bb", "host", "unknown", "explorer", "virtool", "write", "next", "Douglas County", "Michael Roberts", "Brian Sabey", "Chris\u2019Buzz\u2019 Ahmann", "Mirai BotMaster", "file type", "pexe", "pe32", "intel", "ms windows", "date march", "am size", "imphash", "otx logo", "all filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "moved", "urls", "expiration date", "all hostname", "files", "media", "present feb", "present jan", "present dec", "present nov", "ip address", "present", "codex", "sf.net", "next associated", "ipv4 add", "location united", "america flag", "spawns", "found", "t1480 execution", "pattern match", "present aug", "search", "name servers", "showing", "record value", "meta", "accept", "div div", "request blocked", "helvetica neue", "helvetica segoe", "ui arial", "denver", "yandex", "post", "entries", "post http", "show", "post liquor", "execution", "port", "destination", "icmp traffic", "dns query", "include", "top source" ], "references": [ "https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in", "genealogytrails.com", "It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT", "Has been present throughout a specific campaign", "Mirai", "IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt", "IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS", "IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests", "IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)", "IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden", "ET INFO User-Agent (python-requests) Inbound to Webserver", "Suspicious User Agent | ETPRO POLICY Python Requests", "src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105", "\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,", "TCP SYN packets were observed", "ET WORM TheMoon.linksys.router", "ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound", "\"ET WEB_SERVER WebShell Generic - wget http - POST", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX", "Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication", "Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc", "Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject", "File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:", "upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4", "192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net", "Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB", "IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz", "IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin", "Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process", "Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert", "Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options", "Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..", "IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193", "IPs Contacted: 149.56.240.31 172.66.136.209", "Domains Contacted: c.statcounter.com sstatic1.histats.com", "Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com", "Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com", "Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com", "Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com", "Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com", "Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com", "Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com", "Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Unix.Trojan.Mirai-7646352-0", "display_name": "Unix.Trojan.Mirai-7646352-0", "target": null }, { "id": "SpyFu", "display_name": "SpyFu", "target": null }, { "id": "Win.Trojan.VB-83922", "display_name": "Win.Trojan.VB-83922", "target": null }, { "id": "virtool:Win32/VBInject.gen!JB", "display_name": "virtool:Win32/VBInject.gen!JB", "target": "/malware/virtool:Win32/VBInject.gen!JB" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" } ], "industries": [], "TLP": "white", "cloned_from": "698966742c9fd9691396bb3a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5836, "domain": 857, "FileHash-MD5": 185, "FileHash-SHA1": 147, "hostname": 1842, "email": 7, "FileHash-SHA256": 947, "CVE": 43, "SSLCertFingerprint": 8 }, "indicator_count": 9872, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698966742c9fd9691396bb3a", "name": "CoinHive In-Browser Miner | ET EXPLOIT Linksys E-Series Device RCE Attempt via \u2018AI chat\u2019 Xfinity Commercial Fleet vehicle parked /AITM", "description": "Merits further research. Work no is consistent with a man advocate named Michael\nRoberts of Rexxfield and Miles2/ Mile2 / seen frequently in attacks against females | targeted individual apparently was using an AI browser search when a keyword triggered glitches.\nSearch of a URL\ntarget has never heard of or seen found in device search results. Targets device injected, Mirai botnet found, Other suspicious findings. TBConrinued..:.\n[OTX. Auto populated Significantly more details have been revealed about the GoDaddy.com domain, which has been listed as an unregistered domain by the Internet Service Authority (icann). and its users are not allowed to use it.] #man_jn_tve_midxle #drive_ by_compromise #injection.", "modified": "2026-03-11T04:02:50.189000", "created": "2026-02-09T04:45:40.250000", "tags": [ "united", "td tr", "a domains", "history group", "state", "b td", "present sep", "find", "alabama", "iowa", "apache", "content type", "passive dns", "meta http", "content", "gmt server", "pragma", "title", "linksys eseries", "device rce", "inbound", "et exploit", "attempt", "et webserver", "suspicious user", "user agent", "et worm", "policy python", "python", "agent", "generic", "malware", "nids", "dst_ip", "\"sid\": 2017515,", "2020/08/23", "dst_port\": 8080", "suricata", "network_icmp", "tcp_syn_scan", "unix", "mirai", "infection", "port 8080", "aitm", "mitm", "xfinity", "lumen backbone", "xfinity cf", "et info", "useragent", "webserver", "android", "linux", "statistically stripped", "local", "Jefferson County", "Colorado", "State", "is__elf", "is__war", "cyber warfare", "marking", "targeting", "stalking", "impersonating", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "defense evasion", "mitre att", "ck matrix", "february", "hybrid", "general", "path", "encrypt", "click", "strings", "attack", "ssl certificate", "ascii text", "dynamicloader", "yara rule", "ff d5", "medium", "high", "eb d8", "f0 ff", "ff bb", "host", "unknown", "explorer", "virtool", "write", "next", "Douglas County", "Michael Roberts", "Brian Sabey", "Chris\u2019Buzz\u2019 Ahmann", "Mirai BotMaster", "file type", "pexe", "pe32", "intel", "ms windows", "date march", "am size", "imphash", "otx logo", "all filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "moved", "urls", "expiration date", "all hostname", "files", "media", "present feb", "present jan", "present dec", "present nov", "ip address", "present", "codex", "sf.net", "next associated", "ipv4 add", "location united", "america flag", "spawns", "found", "t1480 execution", "pattern match", "present aug", "search", "name servers", "showing", "record value", "meta", "accept", "div div", "request blocked", "helvetica neue", "helvetica segoe", "ui arial", "denver", "yandex", "post", "entries", "post http", "show", "post liquor", "execution", "port", "destination", "icmp traffic", "dns query", "include", "top source" ], "references": [ "https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in", "genealogytrails.com", "It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT", "Has been present throughout a specific campaign", "Mirai", "IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt", "IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS", "IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests", "IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)", "IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden", "ET INFO User-Agent (python-requests) Inbound to Webserver", "Suspicious User Agent | ETPRO POLICY Python Requests", "src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105", "\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,", "TCP SYN packets were observed", "ET WORM TheMoon.linksys.router", "ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound", "\"ET WEB_SERVER WebShell Generic - wget http - POST", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX", "Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication", "Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc", "Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject", "File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:", "upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4", "192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net", "Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB", "IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz", "IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin", "Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process", "Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert", "Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options", "Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..", "IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193", "IPs Contacted: 149.56.240.31 172.66.136.209", "Domains Contacted: c.statcounter.com sstatic1.histats.com", "Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com", "Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com", "Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com", "Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com", "Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com", "Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com", "Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com", "Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Unix.Trojan.Mirai-7646352-0", "display_name": "Unix.Trojan.Mirai-7646352-0", "target": null }, { "id": "SpyFu", "display_name": "SpyFu", "target": null }, { "id": "Win.Trojan.VB-83922", "display_name": "Win.Trojan.VB-83922", "target": null }, { "id": "virtool:Win32/VBInject.gen!JB", "display_name": "virtool:Win32/VBInject.gen!JB", "target": "/malware/virtool:Win32/VBInject.gen!JB" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5779, "domain": 730, "FileHash-MD5": 185, "FileHash-SHA1": 147, "hostname": 1790, "email": 5, "FileHash-SHA256": 947, "CVE": 3, "SSLCertFingerprint": 8 }, "indicator_count": 9594, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951f52a5af00a9be445ad41", "name": "Mirai - HoneyPot | Pegasus | Therahand HoneyPot Bot Network", "description": "A HoneyPot Bot Network created to protect a criminal who worked for a company formerly known as Therahand Wellness. This company employed an unquestioned but admittedly guilty SA\u2019r. | Name tactics used in an attempt to draw in victims to leave truthful negative reviews about Jeffrey Reimer | The website is extremely malicious. NSO Pegasus & Palantir relationship.\n\nWhat a pity there is no work done in the state of Colorado to convict medical unprofessionals unless they are poor assistants , Latin, African American or , Native. | Colorado has a known race issue. \n\nColorado ranks poor for getting rape kits tested.\nPoor possibly outranking Baltimore,MD in police brutality. \nPoor at solving it attempting to solve crimes. Law enforcement literally collects paper, evidence and turns evidence away at times. \n\nThis system allows the actual criminal\nto track victim.\nIf he wants to be the victim of this crime against persons let him be. \n\n *Pegasus & Israel and 99% of all tags auto populated by OTX.", "modified": "2026-01-28T02:03:16.337000", "created": "2025-12-29T03:27:38.183000", "tags": [ "no expiration", "expiration", "url http", "url https", "iocs", "enter source", "url or", "name servers", "a domains", "accept encoding", "urls", "emails", "servers", "url add", "http", "files domain", "files related", "related tags", "united", "gmt contenttype", "ipv4 add", "url analysis", "files", "present dec", "cname", "virtool", "cryp", "ip address", "trojan", "win32", "therahand", "jeffrey reimer", "reimer dpt", "msie", "chrome", "unknown ns", "unknown cname", "record value", "accept", "encrypt", "passive dns", "moved", "wp engine", "meta", "wordpress", "pegasus", "america flag", "america asn", "reverse dns", "flag", "bad traffic", "et info", "tls handshake", "failure", "analysis", "tor analysis", "dns requests", "united states", "hostname", "pulse submit", "domain", "files ip", "eva lisa", "eva reimer", "all ipv4", "dynamic_content", "fingerprinting", "size", "pattern match", "mitre att", "ck id", "hybrid", "general", "local", "path", "click", "strings", "status", "hostname add", "evasion", "proximity", "pulse pulses", "address", "learn", "adversaries", "name tactics", "suspicious", "informative", "defense evasion", "command", "initial access", "spawns", "present mar", "present jun", "title", "windows nt", "wow64", "slcc2", "media center", "data recovery", "ms windows", "process32nextw", "intel", "pe32", "format", "mozilla", "installcapital", "generic", "write", "unknown", "malware", "next", "installer", "template", "div div", "request blocked", "helvetica neue", "helvetica segoe", "ui arial", "script script", "pragma", "port", "destination", "binbusybox", "high", "post", "icmp traffic", "dns query", "newstatusurl", "mirai", "prefetch8", "ck matrix", "localappdata", "info", "ssl certificate", "czech republic", "prefetch1", "prefetch2", "israel israel", "analysis tip", "href", "ascii text", "null", "refresh", "span", "iframe", "error", "tools", "look", "verify", "restart", "t1480 execution", "beginstring", "windir", "openurl c", "programfiles", "related nids", "files location", "flag united", "dynamicloader", "medium", "named pipe", "win64", "download", "delphi", "smartassembly", "m. brian sabey", "quasi government", "no such agency", "facebook", "search", "date", "showing", "ukraine", "\u2018buzz\u2019", "alex karp", "peter theil", "elon musk", "ff d5", "yara rule", "ee fc", "generic http", "exe upload", "f0 ff", "eb e1", "ff bb", "show process", "sha1", "sub domain", "show technique", "network traffic", "class", "starfield", "cyber crime", "yara detections", "top source", "top destination", "source source", "filehash", "sha256 add", "av detections", "ids detections", "alerts", "show", "dock", "execution", "present feb", "value", "content type", "mirai", "sha256", "body", "gmt content", "ddos", "mtb sep", "hosting", "domain robot", "expiration date", "welcome", "apple", "christopher p. ahmann", "tsara", "monitored target", "github https", "github", "smart assembly", "red hat", "hackers", "google" ], "references": [ "https://therahand.com", "www.socialimages.reputationdatabase.com", "Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: dead_host network_icmp nolookup_communication p2p_cnc", "Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com", "Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government", "Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand", "https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06", "https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e", "https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e", "BinBusyBox: 0x.un5t48l3.host", "ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany", "AS24961 MyLoc Managed IT AG", "PSI | Planned Systems International https://www.plan-sys.com/cyber", "Smart Assembly | https://github.com/red-gate/SmartAssembly-demo", "https://www.red-gate.com/products/smartassembly", "https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources", "Colorado maintains a public-facing police misconduct database via the state's", "Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.", "Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!" ], "public": 1, "adversary": "NSO Pegasus", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FakeAV.FOR", "display_name": "FakeAV.FOR", "target": null }, { "id": "Win32:MalOb-DB\\ [Cryp]", "display_name": "Win32:MalOb-DB\\ [Cryp]", "target": null }, { "id": "Win.Trojan.Agent-306281", "display_name": "Win.Trojan.Agent-306281", "target": null }, { "id": "VirTool:Win32/Obfuscator.KI", "display_name": "VirTool:Win32/Obfuscator.KI", "target": "/malware/VirTool:Win32/Obfuscator.KI" }, { "id": "Win32:MalOb-DB\\ [Cryp]", "display_name": "Win32:MalOb-DB\\ [Cryp]", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "ELF:Gafgyt-DZ\\ [Trj]", "display_name": "ELF:Gafgyt-DZ\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Mirai-5607483-0", "display_name": "Unix.Trojan.Mirai-5607483-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 523, "FileHash-SHA1": 402, "FileHash-SHA256": 2165, "URL": 4953, "domain": 1118, "hostname": 1951, "email": 12, "SSLCertFingerprint": 52, "CVE": 2 }, "indicator_count": 11178, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692d02f096f3ec8b5b507496", "name": "Google Drive: Share Files Online with Secure Cloud Storage | Google Workspace", "description": "nJRAT | Corrupted Google Drive sent to targets former device. Years long social engineering may have been involved. All\nIoC\u2019s Appears to involve years of social engineering. Google\ndrive service in question is a storage service based in Vietnam. | \n\nBotnet / Check-ins / Spyware / Cams. [Anon Sec Botnet subdomain name pulsed. Close directly related to zalo.me\nand tbtteams.com]\nRequires further research.\n\nThis pulse is a bit confusing due where and who it originated from.", "modified": "2025-12-31T02:01:50.101000", "created": "2025-12-01T02:52:32.483000", "tags": [ "business", "enterprise", "drive", "english", "google drive", "try drive", "business small", "workspace", "sign", "strong", "find", "life", "tools", "protect", "cloud", "simple", "android", "indonesia", "video", "mb download", "shared may", "shared", "learn", "drive drive", "name date", "javascript", "dynamicloader", "medium", "minimal headers", "high", "observed get", "get http", "united", "yara rule", "http", "write", "guard", "malware", "read c", "ms windows", "intel", "png image", "rgba", "pe32", "get na", "explorer", "music", "virlock", "media", "ho chi", "minh city", "viet nam", "storage company", "limited", "google", "address as", "luutruso", "cloudflar", "domain", "asn15169", "asn56153", "asn13335", "cisco", "umbrella rank", "apex domain", "url https", "kb stylesheet", "kb font", "kb image", "image", "kb script", "november", "resource path", "size", "type mimetype", "primary request", "redirect chain", "kb document", "urls", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "t1590 gather", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "domain address", "rsdsq jfu", "ollydbg ollydbg", "wireshark", "external", "binary file", "mitre att", "ck matrix", "aaaa", "cong ty", "co phan", "code", "province hcm", "files", "ip address", "request", "flag", "country", "contacted hosts", "process details", "link initial", "t1480 execution", "domains", "moved", "gmt content", "all ipv4", "url analysis", "location viet", "title", "error", "problem", "url add", "related nids", "files location", "flag united", "development att", "name server", "markmonitor", "localappdata", "programfiles", "edge", "hyundai", "social engineering", ".mil", "hackers", "phishing eml", "summary", "cisco umbrella", "google safe", "browsing", "current dns", "a record", "ip information", "ipasns ip", "detail domain", "domain tree", "links apex", "transfer", "b script", "b stylesheet", "frame b830", "b document", "value", "december", "degurafregistry", "gat object", "jsl object", "gapijstiming", "iframe function", "domainpath name", "nid value", "source level", "files domain", "files related", "tags", "related tags", "virustotal", "foundry", "pulse otx", "dark", "vietnam", "present aug", "present nov", "present jul", "present sep", "unknown aaaa", "search", "name servers", "present oct", "trojan", "data upload", "extraction", "se https", "include review", "exclude sugges", "find s", "failed", "typ don", "faith", "study", "romeo\u2019s", "juliettes", "femme fatales", "strategy", "honey pot", "honey traps", "spy", "helix", "anons", "passive dns", "pulse pulses", "files ip", "address", "location united", "asn as400519", "whois registrar", "ms defender", "files matching", "number", "sample analysis", "hide samples", "date hash", "cameras", "cams", "spycam", "botnet", "vietnam", "company limited", "dnssec", "status", "india unknown", "present may", "espionage", "hostname add", "generic", "cnc activity", "backdoor", "ipv4", "anonsecbotnet", "iptv" ], "references": [ "drive.google.com/", "https://foundry2-lbl.dvr.dn2.n-helix.com/", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "zalo.me | href | Binary File | ATT&CK ID T1566.002", "https://account.helix.com/activate/start", "anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022", "https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]", "Terse Unencrypted Request for Google - Likely Connectivity Check", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6", "cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com", "https://hyundaibariavungtau3s.com/vehicle/stargazer", "https://hyundaibariavungtau3s.com/vehicle/ioniq-5", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade", "https://hyundaibariavungtau3s.com/vehicle/hyundai-custin", "https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/", "https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com", "https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/", "https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com", "http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/", "http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466", "https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam", "feedback-pa.clients6.google.com/v1/survey/trigger/", "https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg", "anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Virus.Virlock-6804475-0", "display_name": "Win.Virus.Virlock-6804475-0", "target": null }, { "id": "Win.Malware.Bzub-6727003-0", "display_name": "Win.Malware.Bzub-6727003-0", "target": null }, { "id": "Win.Trojan.Generic-9801687-0", "display_name": "Win.Trojan.Generic-9801687-0", "target": null }, { "id": "NID", "display_name": "NID", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Dropper.njRAT-10015886-0", "display_name": "Win.Dropper.njRAT-10015886-0", "target": null }, { "id": "Win.Packed.Generic-9795615-0", "display_name": "Win.Packed.Generic-9795615-0", "target": null }, { "id": "Backdoor:MSIL/Bladabindi.AJ GC!", "display_name": "Backdoor:MSIL/Bladabindi.AJ GC!", "target": "/malware/Backdoor:MSIL/Bladabindi.AJ GC!" }, { "id": "Win.Packed.Generic-9795615-0\t.", "display_name": "Win.Packed.Generic-9795615-0\t.", "target": null }, { "id": "Backdoor:MSIL/Bladabindi.AJ", "display_name": "Backdoor:MSIL/Bladabindi.AJ", "target": "/malware/Backdoor:MSIL/Bladabindi.AJ" }, { "id": "Win.Packed.Fecn-7077459-0", "display_name": "Win.Packed.Fecn-7077459-0", "target": null }, { "id": "Trojan:MSIL/Ranos.A", "display_name": "Trojan:MSIL/Ranos.A", "target": "/malware/Trojan:MSIL/Ranos.A" }, { "id": "Win.Trojan.Generic-6417450-0", "display_name": "Win.Trojan.Generic-6417450-0", "target": null }, { "id": "ALF:Backdoor:MSIL/Noancooe.KA", "display_name": "ALF:Backdoor:MSIL/Noancooe.KA", "target": null }, { "id": "Win.Packed.Msilperseus-9956592-0", "display_name": "Win.Packed.Msilperseus-9956592-0", "target": null }, { "id": "Trojan:MSIL/ClipBanker", "display_name": "Trojan:MSIL/ClipBanker", "target": "/malware/Trojan:MSIL/ClipBanker" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1194", "name": "Spearphishing via Service", "display_name": "T1194 - Spearphishing via Service" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1911, "hostname": 714, "FileHash-SHA256": 1304, "FileHash-MD5": 159, "FileHash-SHA1": 71, "SSLCertFingerprint": 2, "domain": 421, "CVE": 1, "email": 4 }, "indicator_count": 4587, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692cb6dc24da17618e3d9da6", "name": "Mirai Botnet | HackTool Powershell targets LinkedIn User | 192.168.1.1 \u2022 Remote Inbound Outbound Connection", "description": "Linux Malware - LinkedIn- True Mirai Botnet (192.168.1.1) (Never Connect) Incredibly powerful attack targeting LinkedIn users. In this instance the target is an ex husband of a target. |\nNDO Group relationships seen. This is a Botnet. \n\nMay be \u2018framing\u2019 attack that was launched in 2014. Attackers sent a clear message to target that she + husband would be arrested and charged with possession of 1000\u2019s of \u2018child pornography\u2019 pictures. \n\nAttack 10/10 malicious. Worked from separate system in separate location. Hackers unlocked a device, zero clicks, removed PSW. Tulach malware seen a profile \u2018Michael Robert\u2019s of Rexxfield\u2019 may be entity (NSA) with a face like Tulach. Uses the most WILD compromises. Government contractors? \n\nSame attackers brought down Prudentials \u2018Assurance\u2019 Medicare system forever.\n ESET hackers only allowing \u2018bad traffic\u2019 .", "modified": "2025-12-30T19:04:40.430000", "created": "2025-11-30T21:27:56.239000", "tags": [ "enter", "extract", "enter source", "urls", "address", "remote connect", "private ip", "sql", "inject", "montserrat", "script urls", "germany unknown", "xml title", "wiesinger", "style", "ip address", "script domains", "body doctype", "encrypt", "botnet", "dropper", "unix", "resolverror", "et exploit", "outbound", "mirai variant", "useragent", "inbound", "et trojan", "et webserver", "scan mirai", "hello", "execution", "mirai", "malware", "shell", "nids", "ids detections", "wget command", "http headers", "dlink devices", "home network", "mvpower dvr", "shell uce", "mirai elf", "linux malware", "is__elf", "cnc", "meta http", "content", "gmt server", "files", "reverse dns", "germany", "ismaning", "germany asn", "as5539 spacenet", "germany https", "auto generated security (?)", "redacted for", "name servers", "aaaa", "search", "for privacy", "title", "intel", "ms windows", "pe32", "process32nextw", "write c", "mssql port", "hash", "beapy", "bit32bit", "agent", "write", "hacktool", "win32", "next", "suspicious user", "pybeapy cnc", "checkin", "w32beapy cnc", "beacon", "module load", "external ip", "lookup", "home assistant", "intptr", "uint32", "type", "parameter", "oldprotectflag", "mandatory", "throw", "position", "lkshkdandl", "success", "info", "powershell", "null", "error", "date hash", "next yara", "detections name", "medium", "graph tree", "sample", "sample hash", "exec bypass", "c ipconfig", "world", "jaws webserver", "chmod usage", "strings", "extraction", "data upload", "extre", "include data", "hos hos", "y se", "sugges", "find s", "typ hos", "hos data", "hos hostname", "hos host", "extr data", "tethering", "tulach", "114.114.114.114", "passive dns", "pulse pulses", "http", "related nids", "files location", "united", "flag united", "files domain", "next associated", "ipv4 add", "delphi", "read c", "packing t1045", "t1045", "worm", "code", "june", "irc nick command", "irc", "meta", "status", "record value", "unknown aaaa", "expiration", "url http", "indicator role", "pulses url", "no expiration", "url https", "url url", "o url", "request review", "hosting", "unknown", "medium security", "extra data", "failed", "linkedin", "url add", "ireland flag", "ireland", "dublin", "ireland asn", "as16509", "spyware", "nso", "nso group", "pegasus related", "nso related", "framing", "porn", "python", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "apple", "192.168.1.1", "law", "attorney" ], "references": [ "192.168.1.1 - WOW! Use your old equipment in a non - residential environment", "http://xn.com/ \u2022 www.xn--linkedinxn-6u6e.com \u2022 http://www.linkedin-xn.com/ \u2022 www.linkedin-xn.com", "Powerful Exploit: https://otx.alienvault.com/indicator/file/ba32802bdd1f0b91cf8c667b94426d73ee654ba0", "Mirai Botnet - *Inbound & Outbound connection", "IDS Detections: *WGET Command Specifying Output in HTTP Headers", "IDS Detections: *D-Link Devices Home Network Administration Protocol Command Execution", "IDS Detections: *JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: *MVPower DVR Shell UCE *Mirai Variant User-Agent (Outbound)", "Yara : Yara Detections : SUSP_XORed_Mozilla , Linux_MiningSoftware , is__elf", "Alerts : dead_host nids_exploit_alert nids_malware_alert persistency_initd network_icmp", "Alerts : tcp_syn_scan nolookup_communication network_cnc_http network_http", "Alerts : network_http_post nids_alert chmod_syscall writes_to_stdout", "Other Mitre ATT&CK T1480 T1553.00 T1027.013 T1057 T1069.002 T1071\tT1071.004", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/video/search?search=tsara+brashears", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "pornokind.vgt.pl \u2022 https://pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl \u2022 https://www.pornokind.vgt.pl/", "pornlynx.com \u2022 www.pornhub.com \u2022 www.anyxxxtube.com", "https://frostty12ice.info/ \u2022 https://lawhubh.info", "Needs researching: http://lib.jerusalem.muni.il.il \u2022 https://lib.jerusalem.muni.il.il" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unix.Dropper.Botnet-6566040-0", "display_name": "Unix.Dropper.Botnet-6566040-0", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Montserrat", "display_name": "Montserrat", "target": null }, { "id": "Beapy", "display_name": "Beapy", "target": null }, { "id": "HackTool:Win32/PowerSploit!rfn", "display_name": "HackTool:Win32/PowerSploit!rfn", "target": "/malware/HackTool:Win32/PowerSploit!rfn" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Worm:Win32/Mydoom.PB!MTB", "display_name": "Worm:Win32/Mydoom.PB!MTB", "target": "/malware/Worm:Win32/Mydoom.PB!MTB" } ], "attack_ids": [ { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0036", "name": "Exfiltration", "display_name": "TA0036 - Exfiltration" }, { "id": "TA0039", "name": "Remote Service Effects", "display_name": "TA0039 - Remote Service Effects" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" } ], "industries": [ "Government", "Legal", "Healthcare", "Insurance", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4147, "domain": 871, "hostname": 2194, "FileHash-MD5": 279, "FileHash-SHA1": 257, "FileHash-SHA256": 2183, "CVE": 6, "email": 3, "SSLCertFingerprint": 1 }, "indicator_count": 9941, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688ef0516013ca78448bf4e5", "name": "Foundry \u2022 Reflected Networks Pornhub Malvertising Subsidiary", "description": "Foundry ? Pornhub\nsanfoundry.com\ncompliance.fifoundry.net- Pornhub subsidiary. Targets networks, devices, routers, used for promoting pornography and her music. Producer revealed her hooks were used for Justin Bieber & Tori Kelly songs that. A producer stated her songs had been grifted. Both Tsara Brashears & a studio were in Pegasus & attacked by \u2018Lazarus\u2019 Group. She was told in detail how her songs can be used by music insiders if they choose. Target trolled by mocking hackers re: the JB and Kelly song.. Trojan:Win32/DisableUAC.A!bit\n, MSIL:Suspicious:ScreenCapture.S01\nIDS Detections\nLokiBot Checkin\nLokiBot User-Agent (Charon/Inferno)\nLokiBot Application/Credential Data Exfiltration Detected M1\nLokiBot Request for C2 Commands Detected M1\nLokiBot Application/Credential Data Exfiltration Detected M2\nLokiBot Request for C2 Commands Detected M2\nTrojan Generic - POST To gate.php with no referer\nSSL excessive fatal alerts (possible POODLE attack against server)\nI will revisit this. Gloryhole Foundation?", "modified": "2025-09-02T04:01:31.218000", "created": "2025-08-03T05:14:57.402000", "tags": [ "united", "moved", "entries", "passive dns", "detected m1", "next associated", "mtb apr", "mtb aug", "server", "gmt content", "trojandropper", "trojan", "body", "lokibot request", "c2 commands", "detected m2", "otx telemetry", "historical otx", "twitter running", "open ports", "cves", "time", "dynamicloader", "port", "search", "show", "destination", "alerts", "copy", "dynamic", "medium", "write", "creation date", "hostmaster", "urls", "domain", "showing", "hostname add", "pulse pulses", "date", "flag", "falcon sandbox", "name server", "markmonitor", "analysis", "mitre att", "anonymous", "upgrade", "hybrid", "contact", "usa windows", "december", "input threat", "level analysis", "summary", "february", "hwp support", "january", "october", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "calls", "command", "javascript", "object model", "model", "windir", "json data", "localappdata", "ascii text", "temp", "getprocaddress", "script", "license", "runtime process", "copy md5", "facebook", "roboto", "error", "win64", "path", "blink", "meta", "factory", "general", "comspec", "click", "strings", "damage", "mini", "stop", "core", "expl", "win32", "gmt server", "ecacc saa83dd", "ipv4 add", "twitter", "cobalt strike", "mozilla" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 263, "FileHash-SHA1": 256, "FileHash-SHA256": 837, "hostname": 4415, "URL": 1918, "domain": 1884, "email": 2, "SSLCertFingerprint": 2 }, "indicator_count": 9577, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688343b9e60e8693f50e515f", "name": "Cycbot & worse - Palantir Monitoring Target/s", "description": "Palantir \u2022 Gotham \u2022 Foundry Top tier sells tools used to monitor, harass, smear , invoke fear, even \u2018kill\u2019. Used by military., too many partners to name (includes the entire government., heavy military, NSA use) of course Twitter, Apple Facebook, Pegasus related, possibly Paragon if what I\u2019ve read and researched is true. *There are 188 Palantir Foundry links in this pulse. ||\nMonitored target || Apparently ,\u2018tool\u2019 is weaponized against civilians for unknown and unwarranted purposes. || Lofty and unclear how or why a manner of death of target was predicted and posted online 12 years ago. || More research is needed.\n\nMalware named was found in research. \n\n #targeted #rip #palantir #foundry #gotham #twitter #techbromafia #silencing #overreach #quasi_gov #ongoing #active #moved #dangerous", "modified": "2025-08-24T06:01:34.920000", "created": "2025-07-25T08:43:37.734000", "tags": [ "status", "united", "unknown ns", "passive dns", "urls", "creation date", "search", "emails", "date", "expiration date", "tcp include", "top source", "top destination", "show", "source source", "data upload", "extraction", "showing", "moved", "certificate", "ip address", "domain", "body", "present jul", "present jun", "present aug", "present sep", "trojan", "name servers", "twitter", "vtflooder", "foundry", "virustotal", "gotham", "palantir", "tools", "destination", "port", "msie", "windows nt", "unknown", "read c", "etpro trojan", "malware", "copy", "write", "infostealer", "possible", "virustotal", "copyleft", "present jan", "entries", "next associated", "ipv4 add", "pulse submit", "url analysis", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "discovery att", "hostname add", "files", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "ascii text", "mitre att", "pattern match", "show technique", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "look", "verify", "restart", "se extri", "referen", "etpro tr", "virtool", "referencec", "failed", "se extra", "eanioae", "include review", "exclude sugges", "includec review", "exclude", "suggest data", "open ports", "reverse dns", "location united", "america flag", "boardman", "t1045", "ck ids", "packing", "t1060", "run keys", "startup", "folder", "t1057", "discovery", "t1071", "value emails", "name domain", "org microsoft", "microsoft way", "city redmond", "country us", "dnssec", "t1012", "t1047", "instrumentation", "t1053", "taskjob", "spyware", "source", "signing defense", "size", "meta", "onload", "dynamicloader", "unicode text", "crlf line", "utf8", "medium", "write c", "default", "delphi", "win32", "code", "stream", "next", "akamai rank", "show process", "prefetch2", "dns server", "network traffic", "virus", "monitored target", "tofsee", "generic http", "exe upload", "inbound", "outbound", "delete", "yara detections", "markus", "flowid22101", "pixelevtid11771", "dvid", "urls show", "date checked", "188 palantir results", "adversaries", "development att", "ssl certificate", "flag", "stop", "facebook", "4328", "5943", "stealer", "unknown aaaa", "present may", "domain add", "hyundaitx", "twitter", "monitored tsara", "brashears", "apple", "ios", "remote", "cycbot", "maudio fw", "heur", "productversion", "fileversion", "maudio firewire" ], "references": [ "palantirfoundry.com \u2022 https://edenglobalpartners.palantirfoundry.com/", "247seekscenter.com \u2022 ns-1986.awsdns-56.co.uk: | 365-notifcation.com", "ETPRO TROJAN Win32/Oderoor Checkin \u2022 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain", "Domain ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)", "ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection", "platform.twitter.co \u2022 rm.twitter.co \u2022 upload.twitter.co \u2022 http://2fsyndication.twitter.co/", "http://legal.twitter.co \u2022 http://mobile.twitter.co/", "ec2-44-228-94-74.us-west-2.compute.amazonaws.com \u2022 defender.palantirfoundry.com", "https://embaxter.palantirfoundry.com \u2022 https://amgistudios.palantirfoundry.com", "https://ametrine-containers.palantirfoundry.com \u2022 https://amfp.palantirfoundry.com", "https://ameteklms.palantirfoundry.com \u2022 https://ametrine-compute.palantirfoundry.com", "https://amiable-constellation.palantirfoundry.com \u2022 https://amplifi.palantirfoundry.com", "https://oscar.palantirfoundry.com/ \u2022 https://replica.palantirfoundry.com/", "https://statemed.palantirgov.com/workspace/settings/notifications \u2022 https://cchbc.palantirfoundry.com", "https://test-1.washington.palantircloud.com \u2022 https://tarn.palantirgov.com \u2022 https://stateplatform.palantirgov.com", "https://imperium-dev-1.palantircloud.com \u2022 https://hii.palantirgov.com \u2022 https://genoa.washington.palantircloud.com", "tsystems.palantirfoundry.com \u2022 https://statemed.palantirgov.com \u2022 https://statecms.palantirgov.com", "https://replica.palantirfoundry.com/ \u2022 https://spacejam.palantirfoundry.com/ \u2022", "https://pl.pornhub.mrst.one/ \u2022 hotamateurpornsite.xxx \u2022 squirting.porn \u2022 https://de-pornhub.mrst.one/", "Hostname: hcl-dna-sandbox.palantirfoundry.com", "https://www.hyundaitx.com/", "ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check", "https://remote.downloadnow-1.com/", "Alerts: injection_runpe deletes_self persistence_autorun stealth_file antivirus_virustotal infostealer_ftp", "Alerts: infostealer_mail network_smtp persistence_ads recon_programs injection", "Monitored Target - Spawned process \"iexplore.exe\" w/commandline \"SCODEF:5860 CREDAT:275457 /prefetch:2\" (Show Process) source", "Monitored Target: Queries DNS server details \"www.hyundaitx.com\" source Network Traffic T1071.004", "Palantir/ Hyuandi coexist | Confirmed Targets transportation was a Hyuandi SUV |", "ipad-steals-app-ideas_1_.jpg - MD5 6dd66b729a649dec250b24533a58a996" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Vtflooder-9783271-0", "display_name": "Win.Malware.Vtflooder-9783271-0", "target": null }, { "id": "Trojan.Kazy-237", "display_name": "Trojan.Kazy-237", "target": null }, { "id": "Trojan.Vundo-5335", "display_name": "Trojan.Vundo-5335", "target": null }, { "id": "Generic31.BKFG", "display_name": "Generic31.BKFG", "target": null }, { "id": "Win.Packed.Krucky-6941986-0", "display_name": "Win.Packed.Krucky-6941986-0", "target": null }, { "id": "ALF:HSTR:KrunchyMalPacker!MTB", "display_name": "ALF:HSTR:KrunchyMalPacker!MTB", "target": null }, { "id": "Win.Trojan.Agent-920890", "display_name": "Win.Trojan.Agent-920890", "target": null }, { "id": "Win.Trojan.Jorik-10365", "display_name": "Win.Trojan.Jorik-10365", "target": null }, { "id": "Trojan.Adload-2492", "display_name": "Trojan.Adload-2492", "target": null }, { "id": "Trojan.Spy-59563", "display_name": "Trojan.Spy-59563", "target": null }, { "id": "Ransom:Win32/Cryptor", "display_name": "Ransom:Win32/Cryptor", "target": "/malware/Ransom:Win32/Cryptor" }, { "id": "Win32/Blacked", "display_name": "Win32/Blacked", "target": null }, { "id": "Win.Trojan.Cycbot-764", "display_name": "Win.Trojan.Cycbot-764", "target": null }, { "id": "Trojan.VB-47534", "display_name": "Trojan.VB-47534", "target": null }, { "id": "Backdoor:Win32/Drixed.J ,", "display_name": "Backdoor:Win32/Drixed.J ,", "target": "/malware/Backdoor:Win32/Drixed.J ," }, { "id": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "Malware Tool", "display_name": "Malware Tool", "target": null }, { "id": "Palantir Spyware", "display_name": "Palantir Spyware", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0030", "name": "Defense Evasion", "display_name": "TA0030 - Defense Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4203, "domain": 1218, "email": 9, "hostname": 2006, "FileHash-SHA256": 2740, "FileHash-MD5": 424, "FileHash-SHA1": 419, "SSLCertFingerprint": 12 }, "indicator_count": 11031, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6882e2a53af80b1af320079d", "name": "VirusTotal - Palantir- KrunchyMalPacker | Vflooder", "description": "-> Hostname: \u2022 edenglobalpartners.palantirfoundry.com\n\u2022 c.twitterintegration.com\n*Trojan:Win32/Vflooder.E\nIDS Detections:\n- Win32/Flooder.Agent.NAS CnC Domain in DNS Lookup\n\u2022 Virus Total vtapi DOS\n\u2022 Generic HTTP EXE Upload Inbound\n\u2022 Observed Suspicious UA (Mozilla/5.0)\n\u2022 Generic HTTP EXE Upload Outbound || \n*ALF:HSTR:KrunchyMalPacker!MTB\t\n IDS Detections\n-Win32/Vflooder.B Checkin\n\u2022 TLS Handshake Failure\nYara Detections: \nkkrunchy023alpha2\nAlerts:\n\u2022 static_pe_anomaly\n\u2022 suricata_alert\n\u2022 dynamic_function_loading\n\u2022 network_cnc_https_generic\n\u2022 reads_self\n\u2022 network_cnc_http\n\u2022 network_http\n\u2022 packer_unknown_pe_section_name\n\u2022 packer_entropy\n\u2022 injection_rwx ||\n__________\nIP\u2019s Contacted:\n\u2022 34.54.88.138\n\u2022 162.159.140.229\nDomains Contacted\n\u2022 twitter.com (SBKA - Palantir?)\n\u2022 www.virustotal.com\n#botnetresulttesting #virustotal_unsafe #vtflooder #palantir #twitter #gotham foundry #brian_sabey_has_a_new_toy #targeting #tsara_brashears", "modified": "2025-08-24T01:04:01.801000", "created": "2025-07-25T01:49:25.325000", "tags": [ "windows nt", "dynamicloader", "contentlength", "tls handshake", "failure", "host", "show", "medium", "search", "entries", "copy", "write", "malware", "generic http", "exe upload", "inbound", "outbound", "domain", "trojan", "u0019", "trojandropper", "backdoor", "mtb jul", "united", "passive dns", "open ports", "win32berbew jul", "ipv4 add", "present jul", "present jun", "cname", "present aug", "present sep", "status", "certificate", "date", "twitter", "unknown ns", "name servers", "servers", "showing", "urls", "creation date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1903, "hostname": 806, "FileHash-SHA256": 1594, "FileHash-MD5": 264, "FileHash-SHA1": 297, "SSLCertFingerprint": 1, "domain": 515, "email": 5 }, "indicator_count": 5385, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://test-sim-mgmt.doptools.pl", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://test-sim-mgmt.doptools.pl", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776611413.9184458 }