{
"type": "URL",
"indicator": "https://test.josht.ca/",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://test.josht.ca/",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4113501111,
"indicator": "https://test.josht.ca/",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 42,
"pulses": [
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b49ad5dd40a24d83cd6a72",
"name": "Chris P. Ahmann \u2022 PRIVATE PROPERTY Colorado State Fixer!",
"description": "",
"modified": "2026-03-13T23:16:37.716000",
"created": "2026-03-13T23:16:37.716000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "69631fbd16e306ee2b76c4da",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "36 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b496396ca4987e95ad37d1",
"name": "Chris Buzz by QVashni (wow)",
"description": "",
"modified": "2026-03-13T22:56:57.314000",
"created": "2026-03-13T22:56:57.314000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "69482caa00d327da8f0a87bc",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "36 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b49587dd104e342dda1628",
"name": "C Ahman Attorney Clone by Top Tier, Q.Vashti",
"description": "",
"modified": "2026-03-13T22:53:59.112000",
"created": "2026-03-13T22:53:59.112000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "691f4d4ef0a2a570b8b21cd2",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "36 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b7cb05b2098c1d2bf20f",
"name": "federal goverment clone cellbrite credit q vashti",
"description": "",
"modified": "2026-03-12T12:55:39.046000",
"created": "2026-03-12T12:55:39.046000",
"tags": [
"url https",
"url http",
"germany",
"united",
"ukraine",
"japan",
"extraction",
"data upload",
"urls",
"url analysis",
"enter sc",
"extr",
"iocs",
"active",
"france unknown",
"present jan",
"servers",
"homair sweet",
"grabber",
"encrypt",
"ipv4",
"role title",
"divx",
"pitfall",
"internet",
"ip role",
"america asn",
"extraction data",
"leveibielabs",
"all se",
"enter source",
"url or",
"texirag",
"drop",
"present nov",
"united states",
"america",
"levdibidelabs",
"failed",
"idron anv",
"include manualv",
"review data",
"iterng",
"name servers",
"passive dns",
"incapsula",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"script head",
"request",
"cookie",
"indicator",
"msie",
"chrome",
"backdoor",
"gmt content",
"ipv4 add",
"twitter",
"title",
"process32nextw",
"ms windows",
"intel",
"pe32",
"regopenkeyexa",
"read c",
"medium",
"class",
"write",
"template",
"present oct",
"present jul",
"aaaa",
"present sep",
"present aug",
"url add",
"http",
"hostname",
"related tags",
"kx81xdbx0f",
"x86xd3",
"xa7xe28x06",
"x82xd4",
"delete c",
"regsetvalueexa",
"regbinary",
"xa1xf1",
"xe8xc2x14",
"malware",
"stream",
"unknown",
"win32",
"persistence",
"execution",
"push",
"present dec",
"italy",
"present jun",
"embeddedwb",
"whitelisted",
"windows nt",
"dns traffic",
"russia",
"cname",
"accept",
"destination",
"port",
"et smtp",
"message",
"et trojan",
"components",
"suspicious",
"download",
"hostile",
"next",
"logic",
"gather victim",
"et info",
"etpro trojan",
"trojan",
"report spam",
"interesting",
"created",
"pegasus",
"manipulation",
"service",
"capture",
"et",
"etpro",
"host",
"attack",
"mtb description",
"windows",
"shellexecuteexw",
"writeconsolew",
"registry",
"t1031",
"modify existing",
"dock",
"type indicator",
"added active",
"related pulses",
"arcflex",
"filehashsha1",
"types of",
"learn more",
"filehashsha256",
"cellebrite",
"white label",
"search",
"sha1",
"france",
"cmanual jan",
"expiration date",
"domain add",
"pulse submit",
"files",
"ip address",
"gmt cache",
"sameorigin",
"reverse dns",
"unknown ns",
"admin org",
"zipcode",
"gmt server",
"pulse pulses",
"entries",
"hostname add",
"verdict",
"germany unknown",
"status",
"domain",
"xpirat",
"netherlands",
"netherlands asn",
"as35280 acorus",
"dns resolutions",
"error",
"files ip",
"copy",
"telnet login",
"suspicious path",
"busybox",
"login attempt",
"gpl telnet",
"high",
"tcp syn",
"telnet root",
"path",
"mirai",
"emails",
"domain name",
"jlu11q",
"tqbplo",
"hours ago",
"found",
"yahoo",
"gmail",
"yandex",
"https://cellebrite.com/en/federal-government/",
"monitoring",
"monitored target",
"dangerous",
"spyware",
"80211",
"colorado",
"x amz",
"government",
"mirai login attempt",
"emotet",
"c2",
".ru",
".com",
"denver",
"indicator role",
"title added",
"active related",
"pulses hostname",
"dead connect",
"hostile",
"adversarial",
"abuse",
"criminal intent",
"block messages",
"botnet"
],
"references": [
"fastwebnet.it | Cellebrite White Label Spyware Service",
"putrhnwl.exe",
"Yara Detections: Nullsoft_NSIS",
"Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut",
"Alerts: exe_appdata injection_process_search privilege_luid_check process_interest",
"Alerts: queries_programs antivm_queries_computername antivm_memory_available",
"IP\u2019s Contacted : 54.230.129.165",
"Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com",
"Domains Contacted: pitfall.divx.com www.google.com",
"RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Yara: Detections Tofsee",
"Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey",
"Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername",
"https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966",
"FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,",
"DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe",
"ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116",
"ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116",
"ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101",
"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108",
"ET TROJAN Suspicious double Server Header",
"ET DNS DNS Query to a .tk domain - Likey",
"ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101",
"Needs to be sorted. Actively being exploited on US",
"162.159.134.42 \u2022 https://cellebrite.com/",
"https://cellebrite.com/en/federal-government/",
"moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in",
"skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au",
"http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com",
"applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33",
"mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my",
"http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Germany",
"Ireland",
"Switzerland",
"Poland",
"Belgium",
"Netherlands",
"Sweden"
],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
},
{
"id": "Trojan:Win32/Emotet.PC!MTB",
"display_name": "Trojan:Win32/Emotet.PC!MTB",
"target": "/malware/Trojan:Win32/Emotet.PC!MTB"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Trojan:Win32/Danabot",
"display_name": "Trojan:Win32/Danabot",
"target": "/malware/Trojan:Win32/Danabot"
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Trojan:Win32/Aptdrop.RU",
"display_name": "Trojan:Win32/Aptdrop.RU",
"target": "/malware/Trojan:Win32/Aptdrop.RU"
},
{
"id": "Ransomware/Win.Stop.R4529",
"display_name": "Ransomware/Win.Stop.R4529",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Win32/BackdoorX",
"display_name": "Win32/BackdoorX",
"target": null
},
{
"id": "Win.Trojan.Dialog-9873788-0",
"display_name": "Win.Trojan.Dialog-9873788-0",
"target": null
},
{
"id": "Tsunami-6981155-0",
"display_name": "Tsunami-6981155-0",
"target": null
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1195",
"name": "Supply Chain Compromise",
"display_name": "T1195 - Supply Chain Compromise"
},
{
"id": "T1196",
"name": "Control Panel Items",
"display_name": "T1196 - Control Panel Items"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1414",
"name": "Capture Clipboard Data",
"display_name": "T1414 - Capture Clipboard Data"
},
{
"id": "T1505",
"name": "Server Software Component",
"display_name": "T1505 - Server Software Component"
},
{
"id": "T1556",
"name": "Modify Authentication Process",
"display_name": "T1556 - Modify Authentication Process"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1581",
"name": "Geofencing",
"display_name": "T1581 - Geofencing"
},
{
"id": "T1582",
"name": "SMS Control",
"display_name": "T1582 - SMS Control"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1587",
"name": "Develop Capabilities",
"display_name": "T1587 - Develop Capabilities"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [
"Journalists",
"Government",
"Civil Society"
],
"TLP": "green",
"cloned_from": "696f7d467763ed4d4e74d133",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4994,
"domain": 2519,
"hostname": 3281,
"FileHash-SHA256": 4467,
"FileHash-MD5": 1118,
"FileHash-SHA1": 1056,
"email": 12,
"SSLCertFingerprint": 1
},
"indicator_count": 17448,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d6afd744c55bd596ed6e",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:27.248000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "53 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d6a601f06adcd1ed22fc",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:18.022000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "53 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d69ecbc0497f97e28618",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:10.502000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "53 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6975c5cd4db6104ea1a3d69b",
"name": "The Blender Foundation BouncyCastle-Virut | Malware /Stealer Empty FileHash | Eternal7 (Shadow Broker) Related",
"description": "Empty FileHash isn\u2019t benign. Interesting relationships to the Eternal 7. Malware, Stealer and Suspicious History File Operation. BouncyCastle-Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys / Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"modified": "2026-02-24T06:02:43.853000",
"created": "2026-01-25T07:27:09.640000",
"tags": [
"empty",
"blender",
"eurostile",
"augustin",
"butterfield",
"cook",
"drummer",
"erickson",
"fjsv",
"flynn",
"gorman",
"holmes",
"easy",
"rada",
"xanadu",
"config",
"reboot",
"screen",
"microsoft",
"commerce server",
"edition",
"draw",
"exchange server",
"tools",
"linux",
"ideal link",
"nsrl test",
"nist",
"file",
"cultureneutral",
"fix pack",
"free download",
"bouncycastle",
"read c",
"search",
"et trojan",
"w32kegotip cnc",
"whitelisted",
"ids detections",
"intel",
"write",
"trojan",
"malware",
"yara detections",
"productversion",
"fileversion",
"av detections",
"alerts",
"analysis date",
"file score",
"united",
"aaaa",
"passive dns",
"ip address",
"present dec",
"body html",
"head meta",
"title",
"urls",
"url https",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"beacon",
"et",
"ipv4",
"files",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"related pulses",
"show",
"win32virut",
"destination",
"port",
"ms windows",
"pe32",
"medium",
"suspicious",
"virustotal",
"startul",
"shadowbrokers",
"total",
"delete",
"artemis",
"win32.injector",
"trendmicro",
"data upload",
"extraction",
"included iocs"
],
"references": [
"The Blender Foundation",
"website \u2022 http://oldapps.com/blender.php?old_blender=7584",
"oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]",
"Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community",
"Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks",
"ET TROJAN W32/Kegotip CnC Beacon",
"IDS Detections ET POLICY Suspicious User-Agent Containing .exe",
"Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit",
"Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /",
"Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "BouncyCastle",
"display_name": "BouncyCastle",
"target": null
},
{
"id": "Sf:ShellCode-AU",
"display_name": "Sf:ShellCode-AU",
"target": null
},
{
"id": "Win.Trojan.Fareit-82",
"display_name": "Win.Trojan.Fareit-82",
"target": null
},
{
"id": "Win.Trojan.Agent-245901",
"display_name": "Win.Trojan.Agent-245901",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "W32/Kegotip CnC",
"display_name": "W32/Kegotip CnC",
"target": null
},
{
"id": "W32.Virut.ci",
"display_name": "W32.Virut.ci",
"target": null
},
{
"id": "Downloader.Generic13.CMTW",
"display_name": "Downloader.Generic13.CMTW",
"target": null
},
{
"id": "Downloader.Generic13.BOBZ",
"display_name": "Downloader.Generic13.BOBZ",
"target": null
},
{
"id": "Win.Trojan.Injector-12138",
"display_name": "Win.Trojan.Injector-12138",
"target": null
},
{
"id": "Generic36.ADTY",
"display_name": "Generic36.ADTY",
"target": null
},
{
"id": "Generic36.AIAA.Dropper",
"display_name": "Generic36.AIAA.Dropper",
"target": null
},
{
"id": "Generic36.AJSM",
"display_name": "Generic36.AJSM",
"target": null
},
{
"id": "Win32/Virut",
"display_name": "Win32/Virut",
"target": null
},
{
"id": "Win32/Ramnit.A",
"display_name": "Win32/Ramnit.A",
"target": null
},
{
"id": "Worm.Autorun-6180",
"display_name": "Worm.Autorun-6180",
"target": null
},
{
"id": "Hider.BIY",
"display_name": "Hider.BIY",
"target": null
},
{
"id": "Win.Trojan.Rootkit-4532",
"display_name": "Win.Trojan.Rootkit-4532",
"target": null
},
{
"id": "Win32/Blacked",
"display_name": "Win32/Blacked",
"target": null
},
{
"id": "Win32.Injector",
"display_name": "Win32.Injector",
"target": null
},
{
"id": "TrendMicro",
"display_name": "TrendMicro",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 71,
"FileHash-SHA256": 853,
"URL": 1639,
"domain": 288,
"FileHash-MD5": 78,
"hostname": 545
},
"indicator_count": 3474,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "54 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69754a5dd138f73f5cfdf78c",
"name": "EternalRocks (SHADOW BROKERS) MicroBotMassiveNet - NSA Exploits",
"description": "Exploited | Active | Continuous \n\u201cEternalRocks\u201d (also known as MicroBotMassiveNet) is a sophisticated computer worm discovered in May 2017 that targets Windows machines, utilizing seven different NSA-leaked exploits\u2014far more than the two used by the infamous WannaCry ransomware. Trend Micro and other security researchers highlighted the danger of this malware because, unlike WannaCry, it does not have a \"kill switch\" and is designed to create a backdoor for future, more severe, and adaptable attacks * While initially, it appeared to only act as a downloader for other tools, the danger lay in its potential to be weaponized for launching ransomware, Remote Access Trojans (RATs), or other malware at a later date. \nThank you Winston & Vogt",
"modified": "2026-02-23T19:02:00.548000",
"created": "2026-01-24T22:40:29.680000",
"tags": [
"regsetvalueexa",
"default",
"regdword",
"regbinary",
"module download",
"tls handshake",
"high",
"regsetvalueexw",
"malware",
"write",
"win32",
"ids detections",
"download tls",
"eternalrocks",
"nsa exploits",
"worm",
"cryptojackers",
"shadow brokers",
"ransom",
"ingress tool",
"channel",
"udp a83f8110",
"get http",
"get https",
"dns resolutions",
"root path",
"encrypted",
"native",
"required.exe",
"stolen toolset",
"cyber weapons",
"cyber warfare",
"autonomous",
"tor",
"dark web",
"black paper",
"nsa weapons",
"2017",
"tao?",
"targeting",
"breach",
"equation group tools",
"installer",
"stealer",
"apt",
"empty",
"not an exit node",
"empty file",
"tor relay router",
"traffic groups",
"traffic group 815",
"el tor",
"tor relay",
"traffic group 778",
"traffic group 238",
"traffic group 333",
"traffic group 333",
"node",
"traffic group 252",
"open_source_tool",
"confuserex",
"susp_net_name_confuserex",
"eternalrocks",
"svchost",
"eternalrocks_svchost_fr",
"obfuscated",
"susp_confuserex_obfuscated",
"encryption",
"module",
"msil",
"net",
"bing",
"android",
"libre",
"mcsf",
"microsoft",
"active attack",
"financial crimes",
"EternalBlue",
"EternalChampion",
"EternalRocks",
"Stealth",
"EternalSynergy",
"EternalRomance",
"checks-network-adapters",
"checks-user-input",
"crypto",
"detect-deb",
"environment",
"direct-cpu-clock-access",
"long-sleeps",
"runtime-modules"
],
"references": [
"EternalRocks MALWARE RANSOM TROJAN EVADER",
"The 2017 timeline accurately fits victim\u2019s major financial and other continuous First attacks began in 10/2013. Upgraded",
"With so many \u2018officials\u2019 involved, it\u2019s hard to believe \u2018 The Shadow Brokers\u2019 isnt a government entity.",
"Strangely NSO Group The Lazarus Group The Shadow Brokers and others attack an individual",
"Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,TrojanDownloader:Win32/Eterock.A",
"IDS Detections: Possible ETERNALROCKS .Net Module Download TLS Handshake Failure",
"Yara Detections: SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost ,",
"Yara Detections: EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"Alerts: network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_i",
"NSA Exploits Used: The malware uses seven Shadow Brokers-leaked tools, including EternalBlue, EternalChampion,",
"EternalRomance, and EternalSynergy. Stealth",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Yara Matches",
"Matches rule EternalRocks_svchost from ruleset crime_eternalrocks by Florian Roth (Nextron Systems)",
"Matches rule SUSP_NET_NAME_ConfuserEx from ruleset gen_github_net_redteam_tools_names by Arnim Rupp",
"Matches rule INDICATOR_EXE_Packed_ConfuserEx from ruleset indicator_packed",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Sigma Matches",
"Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"Matches rule Uncommon Svchost Command Line Parameter by Liran Ravich",
"Matches rule Uncommon Schost Parent Process by Florian Roth (Nextron Systems)",
"Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Shelton, Nasreddine Bencherchali (Nextron stems",
"Matches rule Windows Processes Suspicious Parent Directory by vburov",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced IDS rules",
"Matches rule DELETED SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt",
"Matches rule MALWARE-CNC DNS Fast Flux attempt",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 252",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 333",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 778",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 815",
"Matches rule ET POLICY TLS possible TOR SSL traffic",
"Matches rule ET JA3 Hash - Possible Malwar RigEK/Cryptowall/Dridex",
"Matches rule ET JA3 Hash - [Abuse.ch] Possible Ransomware",
"Matches rule SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Ransomware)",
"Matches rule POLICY-OTHER TOR Project domain request",
"Dynamic sandbox CZAE flags this file as: STEALER",
"https://github.com/stamparm/EternalRocks",
"(The Shadow Brokers NSA dump) SMB exploits: ETERNALBLUE, ETERNALCHAMPION,",
"ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.",
"REFERENCE: https://twitter.com/stamparm/status/864865144748298242 RULE_AUTHOR: Florian Roth",
"RULE_LINK: https://valhalla.nextron-systems.com/info/rule/EternalRocks_svchost_FR",
"DESCRIPTION: Detects EternalRocks Malware - file taskhost.exe",
"TNULL: unknown empty EMPTY FILEHASH-MD5 d41d8cd98f00b204e9800998ecf8427e",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"Matches rule Suspicious History File Operat Mikhail Larin, oscd.community",
"Matches rule SURICATA STREAM Packet with invalid timestamp"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "EternalRocks",
"display_name": "EternalRocks",
"target": null
},
{
"id": "CVE-2017-0148",
"display_name": "CVE-2017-0148",
"target": null
},
{
"id": "Exploit:PowerShell/CVE-2017-0143",
"display_name": "Exploit:PowerShell/CVE-2017-0143",
"target": "/malware/Exploit:PowerShell/CVE-2017-0143"
},
{
"id": "trojan.eternalrocks/shadowbrokers",
"display_name": "trojan.eternalrocks/shadowbrokers",
"target": null
}
],
"attack_ids": [
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1408",
"name": "Disguise Root/Jailbreak Indicators",
"display_name": "T1408 - Disguise Root/Jailbreak Indicators"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
}
],
"industries": [
"Finance",
"Government",
"Insurance",
"Civilians",
"Health"
],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 82,
"FileHash-SHA1": 76,
"FileHash-SHA256": 700,
"URL": 280,
"domain": 46,
"hostname": 233,
"CVE": 2
},
"indicator_count": 1419,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "54 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "697488f095f69d392afd00fb",
"name": "Fidelity Investments \u2022\u2019 EternalRocks | Financial Crimes",
"description": "Fidelity Life and Guarantee defaults to Fidelity Investments. Long standing issue. Possible phishing email interception. Multiple accounts stolen at the time a man who presents himself as M. Brian Sabey Esq. Elder/Estate attorney unable to\nsettle life claim more action was requested. Attorney repeatedly redirected to an investment team. We decided to use targets phone to\ntest results , payout is overdue. Illegal tactics were used to defraud victim/s.. Fraud operators ask for SSN and later state they cannot help. L of Fraud phone , \u2018team\u2019 cannot complete internal phone transfers.,can conference you in to other people who act confused , disheveled who also\nask for SSN. \n\nSince victims experiences less\nthan covert interactions, I\u2019m unclear as to why there is a strong FBI, CIA , Palantir Foundry presence. It\u2019s rattling . \nReiterating : Entity steals financial products, health , life insurance policies, investment accounts, credit card frauds , bank accounts,intellectual property anything of value.",
"modified": "2026-02-23T07:04:04.285000",
"created": "2026-01-24T08:55:12.845000",
"tags": [
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"ck techniques",
"evasion att",
"t1480 execution",
"href",
"ascii text",
"pattern match",
"mitre att",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"form",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"active related",
"url https",
"related pulses",
"url http",
"united",
"czechia",
"hong kong",
"ipv4",
"indicators hong",
"kong",
"south korea",
"netherlands",
"germany",
"ireland",
"denmark",
"sweden",
"active",
"government",
"finance",
"security",
"type indicator",
"yara detections",
"av detections",
"ids detections",
"alerts",
"analysis date",
"mcsf",
"microsoft",
"yara",
"insurance",
"fidelity investments",
"description",
"fidelity international",
"ms windows",
"pe32",
"writeconsolew",
"read c",
"pe32 executable",
"t1045",
"susp",
"write",
"win64",
"malware",
"modified",
"ck ids",
"t1040",
"sniffing",
"packing",
"t1112",
"packing t1045",
"icmp traffic",
"memcommit",
"pe section",
"low software",
"pe resource",
"win32",
"trojan",
"april",
"sara ligorria",
"tramp advert",
"black paper",
"createdate",
"subject laser",
"title laser",
"format",
"types of",
"japan",
"regsetvalueexa",
"regdword",
"regbinary",
"module download",
"tls handshake",
"high",
"defense evasion",
"discovery att",
"adversaries",
"title",
"role",
"flag",
"name server",
"server",
"domain address",
"markmonitor",
"clicktale ltd",
"enom",
"whoisguard",
"medium",
"unicode",
"rgba",
"delete",
"crlf line",
"next",
"dock",
"execution",
"date",
"users",
"tls sni",
"total",
"cnc domain",
"search",
"oamazon",
"cnamazon rsa",
"push",
"failure yara",
"contacted",
"hours ago",
"created",
"cia",
"fbi",
"telegram",
"tulach",
"sabey",
"state",
"gov",
"ahmann",
"financial fraud",
"t-mobile",
"walmartmobile",
"life insurance",
"fidelity life",
"guarantee",
"team",
"role title",
"added active",
"scan",
"iocs",
"learn more",
"filehashsha1",
"filehashmd5",
"kw3recepten",
"domainname0",
"searchbox0",
"kw1brinta",
"kw2muesli",
"indicator role",
"title added",
"pulses url",
"cve cve20170147",
"apple",
"apple id"
],
"references": [
"https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226",
"https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com",
"http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com",
"https://bhive.nectar.social/rKvoMY",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe",
"ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,",
"TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161",
"Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.",
"EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name",
"Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.",
"Domains Contacted api.nuget.org",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png",
"https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.fidelity.com/ https://www.fidelity.com/",
"cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99",
"cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl",
"https://www.anyxxxtube.net/search-porn/",
"https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears",
"fidelity-account.com e http://fidelity-account.com/fidelity/code.html",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex",
"http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022",
"\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:",
"https://bhive.nectar.social/rKvoMY",
"apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co",
"http://appleid.app",
"https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win64:Trojan-gen",
"display_name": "Win64:Trojan-gen",
"target": null
},
{
"id": "Trojan:MSIL/Ursu.KP",
"display_name": "Trojan:MSIL/Ursu.KP",
"target": "/malware/Trojan:MSIL/Ursu.KP"
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F",
"target": null
},
{
"id": "Trojan:PDF/Phish.RR!MTB",
"display_name": "Trojan:PDF/Phish.RR!MTB",
"target": "/malware/Trojan:PDF/Phish.RR!MTB"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": ": ALF:Trojan:MSIL/Azorult.AC!",
"display_name": ": ALF:Trojan:MSIL/Azorult.AC!",
"target": null
},
{
"id": "ALF:Trojan:Win32/CryptWrapper.RT!MTB",
"display_name": "ALF:Trojan:Win32/CryptWrapper.RT!MTB",
"target": null
},
{
"id": "Trojan:Win32/Conbea!rfn",
"display_name": "Trojan:Win32/Conbea!rfn",
"target": "/malware/Trojan:Win32/Conbea!rfn"
},
{
"id": "Trojan:Win32/Ausiv!rfn",
"display_name": "Trojan:Win32/Ausiv!rfn",
"target": "/malware/Trojan:Win32/Ausiv!rfn"
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat",
"target": null
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "TrojanDropper:Win32/Qhost",
"display_name": "TrojanDropper:Win32/Qhost",
"target": "/malware/TrojanDropper:Win32/Qhost"
},
{
"id": "Trojan:Win32/Miner.KA!MTB",
"display_name": "Trojan:Win32/Miner.KA!MTB",
"target": "/malware/Trojan:Win32/Miner.KA!MTB"
},
{
"id": "DNSTrojan",
"display_name": "DNSTrojan",
"target": null
},
{
"id": "EternalRocks",
"display_name": "EternalRocks",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Government",
"Finance",
"Insurance"
],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2793,
"URL": 6639,
"FileHash-SHA256": 2462,
"domain": 1070,
"FileHash-MD5": 307,
"FileHash-SHA1": 186,
"SSLCertFingerprint": 1,
"email": 1,
"CVE": 3
},
"indicator_count": 13462,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "55 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696f7d467763ed4d4e74d133",
"name": "Federal Government-Cellebrite Attack found actively targeting iOS and other devices | Mirai login attempts | TelNet Login",
"description": "https://cellebrite.com/en/federal-government/ | Found on a crime victims devices. Targets abused by spyware in an unethical manner by andvesarial \u2018governmental\u2019 possibly \u2018contracted\u2019 entities. Waged against targets such as victims of crime , journalists , researchers , students. Target Users: Serves public safety, enterprise, and government sectors, aiding first responders, investigators, prosecutors, and analysts. How it's Used Law enforcement uses it to unlock devices and retrieve evidence like messages, location history, and app data for criminal investigations. It helps uncover critical information from digital devices, even recovering data that users thought was permanently deleted. Controversy & Privacy Concerns While marketed as a tool for lawful investigations, its powerful data extraction capabilities raise significant privacy concerns and ethical debates.",
"modified": "2026-02-19T12:05:47.166000",
"created": "2026-01-20T13:04:06.622000",
"tags": [
"url https",
"url http",
"germany",
"united",
"ukraine",
"japan",
"extraction",
"data upload",
"urls",
"url analysis",
"enter sc",
"extr",
"iocs",
"active",
"france unknown",
"present jan",
"servers",
"homair sweet",
"grabber",
"encrypt",
"ipv4",
"role title",
"divx",
"pitfall",
"internet",
"ip role",
"america asn",
"extraction data",
"leveibielabs",
"all se",
"enter source",
"url or",
"texirag",
"drop",
"present nov",
"united states",
"america",
"levdibidelabs",
"failed",
"idron anv",
"include manualv",
"review data",
"iterng",
"name servers",
"passive dns",
"incapsula",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"script head",
"request",
"cookie",
"indicator",
"msie",
"chrome",
"backdoor",
"gmt content",
"ipv4 add",
"twitter",
"title",
"process32nextw",
"ms windows",
"intel",
"pe32",
"regopenkeyexa",
"read c",
"medium",
"class",
"write",
"template",
"present oct",
"present jul",
"aaaa",
"present sep",
"present aug",
"url add",
"http",
"hostname",
"related tags",
"kx81xdbx0f",
"x86xd3",
"xa7xe28x06",
"x82xd4",
"delete c",
"regsetvalueexa",
"regbinary",
"xa1xf1",
"xe8xc2x14",
"malware",
"stream",
"unknown",
"win32",
"persistence",
"execution",
"push",
"present dec",
"italy",
"present jun",
"embeddedwb",
"whitelisted",
"windows nt",
"dns traffic",
"russia",
"cname",
"accept",
"destination",
"port",
"et smtp",
"message",
"et trojan",
"components",
"suspicious",
"download",
"hostile",
"next",
"logic",
"gather victim",
"et info",
"etpro trojan",
"trojan",
"report spam",
"interesting",
"created",
"pegasus",
"manipulation",
"service",
"capture",
"et",
"etpro",
"host",
"attack",
"mtb description",
"windows",
"shellexecuteexw",
"writeconsolew",
"registry",
"t1031",
"modify existing",
"dock",
"type indicator",
"added active",
"related pulses",
"arcflex",
"filehashsha1",
"types of",
"learn more",
"filehashsha256",
"cellebrite",
"white label",
"search",
"sha1",
"france",
"cmanual jan",
"expiration date",
"domain add",
"pulse submit",
"files",
"ip address",
"gmt cache",
"sameorigin",
"reverse dns",
"unknown ns",
"admin org",
"zipcode",
"gmt server",
"pulse pulses",
"entries",
"hostname add",
"verdict",
"germany unknown",
"status",
"domain",
"xpirat",
"netherlands",
"netherlands asn",
"as35280 acorus",
"dns resolutions",
"error",
"files ip",
"copy",
"telnet login",
"suspicious path",
"busybox",
"login attempt",
"gpl telnet",
"high",
"tcp syn",
"telnet root",
"path",
"mirai",
"emails",
"domain name",
"jlu11q",
"tqbplo",
"hours ago",
"found",
"yahoo",
"gmail",
"yandex",
"https://cellebrite.com/en/federal-government/",
"monitoring",
"monitored target",
"dangerous",
"spyware",
"80211",
"colorado",
"x amz",
"government",
"mirai login attempt",
"emotet",
"c2",
".ru",
".com",
"denver",
"indicator role",
"title added",
"active related",
"pulses hostname",
"dead connect",
"hostile",
"adversarial",
"abuse",
"criminal intent",
"block messages",
"botnet"
],
"references": [
"fastwebnet.it | Cellebrite White Label Spyware Service",
"putrhnwl.exe",
"Yara Detections: Nullsoft_NSIS",
"Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut",
"Alerts: exe_appdata injection_process_search privilege_luid_check process_interest",
"Alerts: queries_programs antivm_queries_computername antivm_memory_available",
"IP\u2019s Contacted : 54.230.129.165",
"Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com",
"Domains Contacted: pitfall.divx.com www.google.com",
"RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Yara: Detections Tofsee",
"Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey",
"Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername",
"https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966",
"FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,",
"DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe",
"ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116",
"ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116",
"ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101",
"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108",
"ET TROJAN Suspicious double Server Header",
"ET DNS DNS Query to a .tk domain - Likey",
"ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101",
"Needs to be sorted. Actively being exploited on US",
"162.159.134.42 \u2022 https://cellebrite.com/",
"https://cellebrite.com/en/federal-government/",
"moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in",
"skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au",
"http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com",
"applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33",
"mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my",
"http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Germany",
"Ireland",
"Switzerland",
"Poland",
"Belgium",
"Netherlands",
"Sweden"
],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
},
{
"id": "Trojan:Win32/Emotet.PC!MTB",
"display_name": "Trojan:Win32/Emotet.PC!MTB",
"target": "/malware/Trojan:Win32/Emotet.PC!MTB"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Trojan:Win32/Danabot",
"display_name": "Trojan:Win32/Danabot",
"target": "/malware/Trojan:Win32/Danabot"
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Trojan:Win32/Aptdrop.RU",
"display_name": "Trojan:Win32/Aptdrop.RU",
"target": "/malware/Trojan:Win32/Aptdrop.RU"
},
{
"id": "Ransomware/Win.Stop.R4529",
"display_name": "Ransomware/Win.Stop.R4529",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Win32/BackdoorX",
"display_name": "Win32/BackdoorX",
"target": null
},
{
"id": "Win.Trojan.Dialog-9873788-0",
"display_name": "Win.Trojan.Dialog-9873788-0",
"target": null
},
{
"id": "Tsunami-6981155-0",
"display_name": "Tsunami-6981155-0",
"target": null
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1195",
"name": "Supply Chain Compromise",
"display_name": "T1195 - Supply Chain Compromise"
},
{
"id": "T1196",
"name": "Control Panel Items",
"display_name": "T1196 - Control Panel Items"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1414",
"name": "Capture Clipboard Data",
"display_name": "T1414 - Capture Clipboard Data"
},
{
"id": "T1505",
"name": "Server Software Component",
"display_name": "T1505 - Server Software Component"
},
{
"id": "T1556",
"name": "Modify Authentication Process",
"display_name": "T1556 - Modify Authentication Process"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1581",
"name": "Geofencing",
"display_name": "T1581 - Geofencing"
},
{
"id": "T1582",
"name": "SMS Control",
"display_name": "T1582 - SMS Control"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1587",
"name": "Develop Capabilities",
"display_name": "T1587 - Develop Capabilities"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [
"Journalists",
"Government",
"Civil Society"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4994,
"domain": 2519,
"hostname": 3281,
"FileHash-SHA256": 4467,
"FileHash-MD5": 1118,
"FileHash-SHA1": 1056,
"email": 12,
"SSLCertFingerprint": 1
},
"indicator_count": 17448,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "59 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac438a696c993b672106d",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:28.261000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac4327b5bc2e8be34f78a",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:22.323000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac416596cd89cf76bce55",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:04:53.997000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6953775a0aed71947ca3f90e",
"name": "Ransom WannaCrypt- Hackers masquerade as a law firm | Social Engineering |",
"description": "Hackers , likely Colorado State employees masquerading as legal, entities, social\nengineering, financial exchanges involved. Fraud. Dangerous enterprise. Found in an \u2018alleged \u2018 Plaintiff Law Firms malicious link discovered in old print out, also seen in earlier pulse. [OTX generated description: Adversaries may be able to evade detection and network filtering by blending in with existing traffic, as well as using web protocols, in order to avoid detection/network filtering. and other measures.]",
"modified": "2026-01-29T06:09:08.504000",
"created": "2025-12-30T06:55:22.105000",
"tags": [
"united",
"urls",
"moved",
"files",
"ip address",
"gmt content",
"x adblock",
"encrypt",
"backdoor",
"bq dec",
"virtool",
"ipv4 add",
"ascii text",
"pattern match",
"ck id",
"mitre att",
"meta",
"general",
"local",
"path",
"click",
"strings",
"unknown",
"simplified",
"etpro trojan",
"possible virut",
"dga nxdomain",
"responses",
"virus",
"medium",
"virustotal",
"vipre",
"baidu",
"vitro",
"drweb",
"mcafee",
"panda",
"malware",
"write",
"dynamicloader",
"msie",
"windows nt",
"slcc2",
"media center",
"yara rule",
"simda",
"internal",
"learn",
"name tactics",
"suspicious",
"informative",
"command",
"spawns",
"defense evasion",
"t1480 execution",
"discovery att",
"ck matrix",
"network traffic",
"t1071",
"t1057",
"hybrid",
"yara detections",
"composite",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"none related",
"passive dns",
"hosting",
"reverse dns",
"location united",
"title",
"ences s",
"data upload",
"extraction",
"status",
"hostname add",
"url analysis",
"push",
"present sep",
"present may",
"present jul",
"present jan",
"win32small dec",
"ransom",
"write c",
"show",
"search",
"high",
"et exploit",
"probe ms17010",
"eternal blue",
"englewood colorado",
"wannacry",
"wannacrypt",
"ransom",
"wanna"
],
"references": [
"https://aws.hirecar.net/",
"w32.virut.cf \u2022 win32.virut.am \u2022 virut.cf \u2022 http://w32.virut.cf \u2022http://w32.virut.cf/ \u2022 https://w32.virut.cf",
"pandacookie2018.xyz",
"Antivirus Detections: Win.Ransomware.Wanna-9769986-0 , Ransom:Win32/WannaCrypt.H",
"IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS",
"DNS Lookup) Possible ETERNALBLUE Probe MS17-010 (MSF style) Possible ETERNALBLUE Probe MS17-010 (Generic Flags) ETERNALBLUE Probe Vulnerable System Response MS17-010 Possible ETERNALBLUE MS17-010 Heap Spray More Yara Detections WannaCry_Ransomware , Win32_Ransomware_WannaCry , Wanna_Cry_Ransomware_Generic , MS17_010_WanaCry_worm , stack_string More Alerts 25 Alerts suspicious_iocontrol_codes persistence_autorun persistence_autorun_tasks stealth_file suricata_alert antivm_generic_disk anomalous_deletefil",
"Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com \u2022\u2019survey-smiles.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Backdoor:Win32/Small.IR",
"display_name": "Backdoor:Win32/Small.IR",
"target": "/malware/Backdoor:Win32/Small.IR"
},
{
"id": "Win.Trojan.Agent-31853",
"display_name": "Win.Trojan.Agent-31853",
"target": null
},
{
"id": "Virut",
"display_name": "Virut",
"target": null
},
{
"id": "Win.Ransomware.Wanna-9769986-0",
"display_name": "Win.Ransomware.Wanna-9769986-0",
"target": null
},
{
"id": "Ransom:Win32/WannaCrypt.H",
"display_name": "Ransom:Win32/WannaCrypt.H",
"target": "/malware/Ransom:Win32/WannaCrypt.H"
},
{
"id": "Virtool:Win32/Injector.gen!BQ",
"display_name": "Virtool:Win32/Injector.gen!BQ",
"target": "/malware/Virtool:Win32/Injector.gen!BQ"
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
}
],
"industries": [
"Government",
"Technology",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8605,
"domain": 1228,
"email": 2,
"hostname": 1981,
"FileHash-SHA256": 1617,
"FileHash-SHA1": 184,
"FileHash-MD5": 206,
"SSLCertFingerprint": 2
},
"indicator_count": 13825,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "80 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69631fbd16e306ee2b76c4da",
"name": "Chris P. Ahmann \u2022 STAY Away!f PRIVATE PROPERTY Colorado State Fixer!",
"description": "",
"modified": "2026-01-20T17:02:02.650000",
"created": "2026-01-11T03:57:49.242000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "695557ee134b978b00883c29",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "88 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "695557ee134b978b00883c29",
"name": "Chris P. Ahmann \u2022 Stay out of PRIVATE PROPERTY HITMAN! Colorado State",
"description": "",
"modified": "2026-01-20T17:02:02.650000",
"created": "2025-12-31T17:05:50.134000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "691f4d4ef0a2a570b8b21cd2",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "88 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "691f4d4ef0a2a570b8b21cd2",
"name": "Chris P. Ahmann Colorado State Criminal Defense Attorney",
"description": "Chris P. Ahmann Colorado State Criminal Defense attorney hired by quasi government Workers Compensation to completely destroy Tsara Brashears literally to death. None of her spinal cord injuries , and other assault injuries discussed or compensated for in rushed settlement case. Her awful racist attorney refused to represent plaintiffs in hearing. Never met with in person for no good reason. Tsara represented herself. Less that 24 hour notice. No briefings, no awareness or mention that Ahmann was representing Jeffrey Scott Reimer for assault\n case. Brashears required 24 hour care by end of life. Received 0 workers compsarion payments. But if this doesn\u2019t prove Reimer\u2019s guilt what does? Continued harassment of associated. \n\nNotice the outages? You\u2019ve cost BILLIONS? Stop threatening everyone.",
"modified": "2026-01-20T17:02:02.650000",
"created": "2025-11-20T17:18:06.929000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "88 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69482caa00d327da8f0a87bc",
"name": "Chris P.\u2019 Buzz\u2019 Ahmann Colorado State Criminal Defense Attorney (22.20.2025)",
"description": "",
"modified": "2026-01-20T17:02:02.650000",
"created": "2025-12-21T17:21:46.434000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "691f4d4ef0a2a570b8b21cd2",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "88 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6946ef0ba069c6b92160f8f6",
"name": "Doomscroller \u2022 BrowserHappy | Part 1",
"description": "Comments reserved for Part 2.\nOTX I extraction keeps timing out for me. Possibly location/signal related.",
"modified": "2026-01-19T17:03:32.999000",
"created": "2025-12-20T18:46:35.660000",
"tags": [
"servers",
"united states",
"united",
"script script",
"cnc beacon",
"x5drh",
"ipv4",
"urls",
"twitter",
"trojandropper",
"ipv4 add",
"reverse dns",
"ransom",
"mtb may",
"backdoor",
"trojanspy",
"loee7oiy",
"trojan",
"win32",
"susp",
"mtb jul",
"virtool",
"mtb aug",
"worm",
"avast avg",
"lowfi",
"multiplug jun",
"urls show",
"url hostname",
"server response",
"ip address",
"google safe",
"results dec",
"k dec",
"read c",
"process32nextw",
"tls handshake",
"search",
"show",
"et info",
"failure",
"unknown",
"service",
"malware",
"tools",
"win64",
"write",
"revil",
"sodinokibi",
"titan",
"mtb trojan",
"mtb alf",
"win32dinwod may"
],
"references": [
"Xpirat = doomscroller.io",
"IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers",
"Win32/Agent.BH PUP/PUA Downloader CnC Checkin",
"Terse HTTP 1.0 Request Possible Nivdort Trojan-Banker.Win32.Agent.ree Checkin Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 4 AlphaCrypt CnC Beacon 3 WS/JS Downloader Mar 07 2017 M1 Koobface HTTP Request (2) Alphacrypt/TeslaCrypt Ransomware CnC Beacon",
"Trojan-Banker.Win32.Agent.ree Checkin Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 4 AlphaCrypt CnC Beacon 3 WS/JS Downloader Mar 07 2017 M1 Koobface HTTP Request (2) Alphacrypt/TeslaCrypt Ransomware CnC Beacon"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanDownloader:Win32/Upatre.AA",
"display_name": "TrojanDownloader:Win32/Upatre.AA",
"target": "/malware/TrojanDownloader:Win32/Upatre.AA"
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "Sodinoki",
"display_name": "Sodinoki",
"target": null
},
{
"id": "Ransom:Win32/Revil.A",
"display_name": "Ransom:Win32/Revil.A",
"target": "/malware/Ransom:Win32/Revil.A"
},
{
"id": "Cutwail",
"display_name": "Cutwail",
"target": null
},
{
"id": "!#HSTR:SigGen0136cb6c",
"display_name": "!#HSTR:SigGen0136cb6c",
"target": null
},
{
"id": "Bayrob",
"display_name": "Bayrob",
"target": null
},
{
"id": "Win.Malware",
"display_name": "Win.Malware",
"target": null
},
{
"id": "TrojanSpy:Win32/Nivdort.BG",
"display_name": "TrojanSpy:Win32/Nivdort.BG",
"target": "/malware/TrojanSpy:Win32/Nivdort.BG"
},
{
"id": "#Lowfi:Lua:Mampa:99!ml",
"display_name": "#Lowfi:Lua:Mampa:99!ml",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "#Lowfi:HSTR:Installer:Multiplug",
"display_name": "#Lowfi:HSTR:Installer:Multiplug",
"target": null
},
{
"id": "TrojanDropper:Win32/Dinwod",
"display_name": "TrojanDropper:Win32/Dinwod",
"target": "/malware/TrojanDropper:Win32/Dinwod"
},
{
"id": "Win.Trojan.Barys-10005825-0",
"display_name": "Win.Trojan.Barys-10005825-0",
"target": null
},
{
"id": "TrojanSpy:Win32/Nivdort.CB",
"display_name": "TrojanSpy:Win32/Nivdort.CB",
"target": "/malware/TrojanSpy:Win32/Nivdort.CB"
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Trojan:Win32/Zbot.SIBB6!MTB",
"display_name": "Trojan:Win32/Zbot.SIBB6!MTB",
"target": "/malware/Trojan:Win32/Zbot.SIBB6!MTB"
},
{
"id": "Ploprolo",
"display_name": "Ploprolo",
"target": null
},
{
"id": "#Lowfi:HSTR:VirTool:Win32/Obfuscator!Diplugem.F",
"display_name": "#Lowfi:HSTR:VirTool:Win32/Obfuscator!Diplugem.F",
"target": null
}
],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 692,
"URL": 1666,
"FileHash-SHA256": 630,
"hostname": 804,
"FileHash-MD5": 441,
"FileHash-SHA1": 437,
"SSLCertFingerprint": 1,
"CVE": 1
},
"indicator_count": 4672,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "89 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "693adba47b2cce69440c726a",
"name": "TESLA HACKERS | Login Google",
"description": "Attackers target victims Google account, Google browser, Google homepage.\n\nTesla Hackers in the job. Tesla hackers are very young , angry, kids who chased target around mercilessly in their vehicles, photographed target, drive threateningly. Nothing sophisticated about the stalker crewl. This is intentional. Finding troubled individuals who are desperate for power is pretty easy. \n\nThe hit men range from gang members, white , black , Hispanic to the highly educated, Hit man who attempted to take target out was a spoiled, angry , aggressive, sneering POC. He walked in Denver. The next morning , the area target was driven if roadway was closed off and filled with a rather large road crew, work continues to work on this area. (Charlie Kirk like). Alleged traffic officer claims cameras pointed in different directions that night. He was identified as a computer science major by a PI. This feels so dangerous.",
"modified": "2026-01-10T13:01:53.320000",
"created": "2025-12-11T14:56:36.874000",
"tags": [
"tlsv1",
"united",
"oamazon",
"cnamazon rsa",
"jfif",
"ogoogle trust",
"cngts ca",
"exif standard",
"tiff image",
"xresolution74",
"execution",
"dock",
"write",
"persistence",
"malware",
"encrypt",
"ca https",
"no expiration",
"iocs",
"url https",
"enter source",
"url or",
"text drag",
"drop or",
"browse to",
"select file",
"ipv4",
"url http",
"type indicator",
"sec ch",
"ch ua",
"unknown",
"ua full",
"ua platform",
"as44273 host",
"ua bitness",
"msie",
"chrome",
"backdoor",
"trojandropper",
"passive dns",
"forbidden",
"body",
"twitter",
"trojan",
"cookie",
"title",
"windows nt",
"wow64",
"slcc2",
"media center",
"read c",
"port",
"destination",
"local",
"moved",
"integration all",
"urls",
"files",
"reverse dns",
"location united",
"america flag",
"name servers",
"hostname",
"unique",
"expires wed",
"gmt date",
"server",
"date wed",
"connection",
"use linux",
"cybersecurity",
"http",
"ip address",
"files location",
"flag united",
"win32",
"urls show",
"date checked",
"url hostname",
"server response",
"virtool",
"date hash",
"avast avg",
"heur",
"lowfi",
"k sep",
"contacted",
"related tags",
"none file",
"type",
"present dec",
"present nov",
"mtb mar",
"aaaa",
"hacktool",
"indicator role",
"domain",
"url add",
"as20940",
"as16625 akamai",
"present mar",
"present may",
"as54113",
"present apr",
"ipv4 add",
"url analysis",
"servers",
"emails",
"hostname add",
"present aug",
"present sep",
"present oct",
"status",
"present jul",
"data upload",
"extraction",
"as208722 yandex",
"russia unknown",
"a domains",
"expirestue",
"path",
"certificate",
"medium",
"alerts show",
"ck technique",
"technique id",
"installs",
"pe32",
"intel",
"ms windows",
"high",
"icmp traffic",
"dns query",
"packing t1045",
"t1045",
"screenshots",
"file type",
"date february",
"pm size",
"imphash pehash",
"guard",
"syst",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"initial access",
"spawns",
"t1590 gather",
"flag",
"united kingdom",
"command decode",
"belgium belgium",
"federation",
"france france",
"ireland ireland",
"canada canada",
"suricata ipv4",
"click",
"tesla hackers",
"elon musk",
"show",
"richhash",
"external",
"virustotal api",
"comments",
"vendor finding",
"notes clamav",
"ms defender",
"files matching",
"copy",
"found",
"ssl certificate",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"yara rule",
"reads",
"number",
"sample analysis",
"hide samples",
"entries",
"samples show",
"next yara",
"detections name",
"devcv5 ujrb",
"ujrb",
"uja1t",
"show technique",
"mitre att",
"ck matrix",
"ascii text",
"pattern match",
"sha1",
"network traffic",
"show process",
"general"
],
"references": [
"https://www.teslarati.com/spacex",
"https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57",
"https://cdn.teslarati.com \u2022 https://forums.teslarati.com/",
"https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/",
"https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/",
"https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/",
"https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/",
"https://www.teslarati.com/wp-content/themes/teslarati-mag/map/",
"https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/",
"https://www.teslarati.com/",
"https://www.teslarati.com/spacex",
"https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/",
"https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/",
"https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/",
"https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/",
"pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx",
"http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\",
"http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022 https://pickyhot.disqus.com/tsara-brashears",
"http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm",
"HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected: Redirect Types: Delayed Redirect Redirects to: /doodles/ Suspicious",
"Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189",
"External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |",
"Source : Binary File ATT&CK ID T1566.002",
"Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .",
"Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes",
"Detected Non-Google domain serving Google homepage details",
"Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers",
"Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.",
"CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.",
"Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True",
"Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true",
"CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany",
"Japan"
],
"malware_families": [
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB",
"display_name": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB",
"target": "/malware/Ms Defender\tTrojan:Win32/Qbot.KVD!MTB"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Malware.Jaik-9940406-0",
"display_name": "Win.Malware.Jaik-9940406-0",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn",
"target": null
},
{
"id": "Win.Malware.Snojan-6775202-0",
"display_name": "Win.Malware.Snojan-6775202-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
},
{
"id": "T1207",
"name": "Rogue Domain Controller",
"display_name": "T1207 - Rogue Domain Controller"
},
{
"id": "T1136.002",
"name": "Domain Account",
"display_name": "T1136.002 - Domain Account"
},
{
"id": "T1003.005",
"name": "Cached Domain Credentials",
"display_name": "T1003.005 - Cached Domain Credentials"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1204.002",
"name": "Malicious File",
"display_name": "T1204.002 - Malicious File"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5894,
"FileHash-MD5": 458,
"FileHash-SHA1": 305,
"FileHash-SHA256": 2481,
"SSLCertFingerprint": 26,
"hostname": 2406,
"domain": 966,
"email": 16,
"CVE": 1
},
"indicator_count": 12553,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "99 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "692f04e9fa3d782118e94aac",
"name": "LevelBlue - Open Threat Exchange - Delete AppDeployed",
"description": "I\u2019m not sure what to think. |\ndeploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev | Are these\npulses being sold or attacked? Christopher P. Ahmann of TAM Legal and his other firms has ALWAYS attacked targets phones and networks. Nothing is too outrageous for this maniac.\n\nHe is responsible for the recent attacks on devices , clouds , google accounts and a flurry of threats. Indicators in recently pulsed reports have been removed. I\u2019ve done my best to restore. \n\nI am also concerned about the safety or legitimacy of this platform.\n\nNo one is ever alerted. Simply calling someone and telling them about the compromises can equate to a big pay day for Level Blue and nothing for the victims of attacks. I need my pulses restored. \n\nIt\u2019s plausible to believe OTX was attacked by an external threat actor.\nAnything is possible when it comes to money.",
"modified": "2026-01-01T15:04:20.907000",
"created": "2025-12-02T15:25:29.158000",
"tags": [
"levelblue",
"open threat",
"dynamicloader",
"tlsv1",
"high",
"msie",
"windows nt",
"delete c",
"fwlink",
"stream",
"powershell",
"write",
"malware",
"local",
"united",
"flag",
"date",
"server",
"crazy egg",
"name server",
"gmt flag",
"domain address",
"markmonitor",
"enom",
"sugges",
"onv incude",
"data upload",
"find s",
"extraction",
"types",
"type",
"indicator",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"contacted hosts",
"search",
"entries",
"read c",
"medium",
"memcommit",
"tls handshake",
"failure",
"module load",
"next",
"execution",
"dock",
"capture",
"persistence",
"copy",
"unknown",
"suricata alert",
"et info",
"bad traffic",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"t1480 execution",
"file defense",
"write c",
"x02x82",
"xe6x15c6",
"x16f",
"xc0xc0xc0",
"revengerat",
"guard",
"service",
"encrypt",
"entries yara",
"delphi",
"win32",
"jordan",
"delete app"
],
"references": [
"https://otx.alienvault.com/indicator/domain/Tamlegal.com",
"DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz",
"endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander",
"deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Vmprotect-9880726-0",
"display_name": "Win.Malware.Vmprotect-9880726-0",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Legal"
],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4624,
"FileHash-SHA256": 2021,
"FileHash-MD5": 51,
"FileHash-SHA1": 20,
"SSLCertFingerprint": 10,
"hostname": 1433,
"domain": 728
},
"indicator_count": 8887,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "108 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6916dc43beba2f3839fd7c36",
"name": "Ransomware | FIREEYE.COM redirects to www.TRELLIX.com",
"description": "FireEye appears to have been a Cybersecurity that now redirects to www.trellix.com. Seen before in a malicious MO.gov w/names of 2 \u2018alleged\u2019 female SA victims. I researched was without realizing it was a CySec.We have researched Trellix , found it to be malicious ; reported false information / documentation. FEDNS1.FIREEYE.COM URL is still found in several searches. So we researched it.\nRe: Safebae the other Mo. Gov SA URL found a\u2019. \u2018non profit\u2019 for Catherine \u2018Daisy\u2019 Coleman that isn\u2019t in any way related to her. It makes me believe it\u2019s could be related to Bae systems a collaboration with Peter Thiel's company Palantir, which provides data analytics software to governments and militaries. Significance: This partnership showcases the convergence of American tech innovation and traditional defense contracting, involving companies like Palantir and BAE Systems. \n\n#foundry #josht _ca #hostile #advesarial #contacted_hosts #safebae_or_bae_systems? #honeypotbot # fireeye #trellix",
"modified": "2025-12-14T05:04:31.480000",
"created": "2025-11-14T07:37:39.794000",
"tags": [
"gmt content",
"related tags",
"found title",
"cache control",
"x request",
"runtime",
"vary",
"reverse dns",
"ashburn",
"resource",
"verdict",
"address",
"read c",
"unicode",
"high",
"memcommit",
"delete",
"dock",
"write",
"execution",
"next associated",
"server response",
"port",
"destination",
"crlf line",
"malware",
"png image",
"rgba",
"united states",
"medium",
"encrypt",
"america",
"msie",
"unknown",
"present jan",
"name servers",
"present oct",
"present may",
"present mar",
"present dec",
"present nov",
"united",
"present apr",
"present jun",
"urls show",
"url hostname",
"ip address",
"google safe",
"results jun",
"canada unknown",
"passive dns",
"canada",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"twitter",
"chrome",
"urls",
"files",
"asn as13335",
"dns resolutions",
"trojan",
"trojanspy",
"win32",
"title",
"servers",
"unknown ns",
"domain",
"present aug",
"present sep",
"files domain",
"files related",
"none google",
"safe browsing",
"unknown aaaa",
"moved",
"cloudfront x",
"meta",
"ip whois",
"registrar",
"hostname",
"files ip",
"ipv4 add",
"location united",
"america flag",
"america asn",
"present jul",
"virtool",
"record value",
"dnssec",
"meta http",
"content",
"gmt server",
"litespeed x",
"present feb",
"write c",
"as62597 nsone",
"as16509",
"module load",
"t1129",
"service",
"dynamicloader",
"windows",
"tofsee",
"stream",
"hostile",
"win64",
"delete c",
"all ipv4",
"url analysis",
"status",
"error",
"aaaa",
"ireland unknown",
"asn as14618",
"backdoor",
"a domains",
"russia",
"mtb nov",
"ransom",
"displayname",
"push",
"yara rule",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"rndchar",
"checks",
"checks system",
"filehash",
"av detections",
"ids detections",
"yara detections",
"learn",
"command",
"adversaries",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"found",
"ssl certificate",
"flag",
"server",
"cloudflare",
"csc corporate",
"domains",
"fireeye",
"contacted hosts",
"mitre att",
"pattern match",
"ck matrix",
"hybrid",
"local",
"path",
"click",
"strings",
"foundry",
"josht.ca",
"paid parking",
"parking crews"
],
"references": [
"Fireye - FEDNS1.FIREEYE.COM",
"http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==",
"http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==",
"https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==",
"https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356",
"http://p2d.josht.ca/assets/content-delivery/depots/download",
"test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
"http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/ \u2022 http://pma.josht.ca/ \u2022 http://sa.josht.ca",
"http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/",
"https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022",
"https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/",
"https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg",
"https://p2d.josht.ca/api/depots/info/?depot=",
"https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/",
"Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.",
"According to newspaper accounts and Daisy Coleman committed suicide in Lakewood , Co in 2021",
"Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?",
"Daisy was allegedly brutally assaulted by Matthew Barnett,",
"Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.",
"Is that where they\u2019re getting these names? Rexxfield.com. SMH",
"There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.",
"According to accounts she was afraid for her life , found to be safe then took her own life?",
"Typing a suicide note on social media is suspicious since it could come from your murderer.",
"So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?",
"Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.",
"and our limited information, is Daisy a victim or a crisis actor?",
"Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me",
"Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.",
"Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)",
"Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.",
"FireEye was there in 2 year old pulse now removed? I\u2019ll find it."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 7617,
"domain": 1127,
"hostname": 3591,
"email": 9,
"FileHash-SHA256": 1160,
"FileHash-MD5": 481,
"FileHash-SHA1": 404,
"SSLCertFingerprint": 13,
"CVE": 1
},
"indicator_count": 14403,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "126 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69138421066f81131da59cc5",
"name": "Malicious Legal Google Botnet - Treece Alfrey Musat P.C.\u2022 Christopher P. Ahmann Spam - Malicious ",
"description": "",
"modified": "2025-12-03T00:01:23.660000",
"created": "2025-11-11T18:44:49.343000",
"tags": [
"status",
"date",
"name servers",
"lowfi",
"passive dns",
"urls",
"domain",
"susp",
"win32",
"search",
"win64",
"error",
"url https",
"url http",
"ipv4",
"type indicator",
"role title",
"added active",
"related pulses",
"morocco",
"united kingdom",
"united",
"present nov",
"aaaa",
"present oct",
"cname",
"brazil",
"malaysia",
"title",
"present jun",
"ip address",
"creation date",
"record value",
"emails",
"unknown aaaa",
"body",
"url add",
"pulse pulses",
"http",
"related nids",
"files location",
"flag united",
"trojan",
"trojandropper",
"virtool",
"entries",
"next associated",
"ipv4 add",
"unknown ns",
"present jul",
"present sep",
"present aug",
"win32upatre nov",
"candyopen",
"tlsv1",
"port",
"destination",
"ogoogle trust",
"cngts ca",
"show",
"read c",
"youtube",
"copy",
"dock",
"write",
"next",
"malware",
"persistence",
"execution",
"filehashmd5",
"hostname",
"filehashsha256",
"types of",
"germany",
"poland",
"indicator role",
"title added",
"active related",
"pulses url",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6907f7e98289b75f3e5ecaba",
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 400,
"URL": 2857,
"FileHash-MD5": 217,
"FileHash-SHA1": 172,
"FileHash-SHA256": 1426,
"email": 6,
"hostname": 1019,
"SSLCertFingerprint": 6
},
"indicator_count": 6103,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "137 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6907f7e98289b75f3e5ecaba",
"name": "- Treece Alfrey Musat P.C. - Malicious Legal Google Botnet",
"description": "Christopher P.\nAhmann\u2019s Google Botnet. Defense attorneys fighting worker\u2019s compensation case and ruining a targets life for years. Malicious.[OTX auto popular-HOSTNAME: Google Video.com (GOOGlevideo.COM), an unauthorised website, has been blocked by the internet service regulator, the regulator of the domain registry.]\n\n#pulsed_by_otx #private_google #legal_goigle #malicious_practices",
"modified": "2025-12-03T00:01:23.660000",
"created": "2025-11-03T00:31:37.396000",
"tags": [
"status",
"date",
"name servers",
"lowfi",
"passive dns",
"urls",
"domain",
"susp",
"win32",
"search",
"win64",
"error",
"url https",
"url http",
"ipv4",
"type indicator",
"role title",
"added active",
"related pulses",
"morocco",
"united kingdom",
"united",
"present nov",
"aaaa",
"present oct",
"cname",
"brazil",
"malaysia",
"title",
"present jun",
"ip address",
"creation date",
"record value",
"emails",
"unknown aaaa",
"body",
"url add",
"pulse pulses",
"http",
"related nids",
"files location",
"flag united",
"trojan",
"trojandropper",
"virtool",
"entries",
"next associated",
"ipv4 add",
"unknown ns",
"present jul",
"present sep",
"present aug",
"win32upatre nov",
"candyopen",
"tlsv1",
"port",
"destination",
"ogoogle trust",
"cngts ca",
"show",
"read c",
"youtube",
"copy",
"dock",
"write",
"next",
"malware",
"persistence",
"execution",
"filehashmd5",
"hostname",
"filehashsha256",
"types of",
"germany",
"poland",
"indicator role",
"title added",
"active related",
"pulses url",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 400,
"URL": 2857,
"FileHash-MD5": 217,
"FileHash-SHA1": 172,
"FileHash-SHA256": 1426,
"email": 6,
"hostname": 1019,
"SSLCertFingerprint": 6
},
"indicator_count": 6103,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "137 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68fd0cc422cea2fd989581fd",
"name": "LevelBlue - Open Threat Exchange (Malicious Attacks)",
"description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.",
"modified": "2025-11-24T17:02:12.441000",
"created": "2025-10-25T17:45:40.291000",
"tags": [
"ipv4",
"levelblue",
"open threat",
"date sat",
"connection",
"etag w",
"cloudfront",
"sameorigin age",
"vary",
"ip address",
"kb body",
"gtmkvjvztk",
"utc gcfezl5ynvb",
"utc na",
"utc google",
"analytics na",
"utc linkedin",
"insight tag",
"learn",
"exchange og",
"levelblue open",
"threat exchange",
"exchange",
"google tag",
"iocs",
"search otx",
"included iocs",
"review iocs",
"data upload",
"extraction",
"layer protocol",
"v full",
"reports v",
"port t1571",
"t1573",
"oc0006 http",
"c0014",
"get http",
"dns resolutions",
"user",
"data",
"datacrashpad",
"edge",
"tag manager",
"us er",
"help files",
"shell",
"html",
"cve202323397",
"iframe tags",
"community score",
"url http",
"url https",
"united",
"united kingdom",
"netherlands",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"indicator role",
"title added",
"active related",
"otc oct",
"report spam",
"week ago",
"scan",
"learn more",
"filehashmd5",
"filehashsha1",
"domain",
"australia",
"does",
"josh",
"created",
"filehashsha256",
"present jul",
"present oct",
"date",
"a domains",
"script urls",
"for privacy",
"moved",
"script domains",
"meta",
"title",
"body",
"pragma",
"encrypt",
"ck ids",
"t1060",
"run keys",
"startup",
"folder",
"t1027",
"files",
"information",
"t1055",
"injection",
"capture",
"south korea",
"malaysia",
"pulses",
"fatal error",
"hacker known",
"name",
"unknown",
"risk",
"weeks ago",
"scary",
"sova",
"colorado",
"wire",
"name unknown",
"thursday",
"denver",
"types of",
"indicators hong",
"kong",
"tsara brashears",
"african",
"ethiopia",
"b8reactjs",
"india",
"america",
"x ua",
"hostname",
"dicator role",
"pulses url",
"airplane",
"icator role",
"t1432",
"access contact",
"list",
"t1525",
"image",
"security scan",
"heuristic oct",
"discovery",
"t1069",
"t1071",
"protocol",
"t1105",
"tool transfer",
"t1114",
"t1480",
"internal image",
"brian sabey",
"month ago",
"modified",
"days ago",
"green well",
"sabey stash",
"service",
"t1040",
"sniffing",
"t1045",
"packing",
"t1053",
"taskjob"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Sova",
"display_name": "Sova",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1022",
"name": "Data Encrypted",
"display_name": "T1022 - Data Encrypted"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1525",
"name": "Implant Internal Image",
"display_name": "T1525 - Implant Internal Image"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1448",
"name": "Carrier Billing Fraud",
"display_name": "T1448 - Carrier Billing Fraud"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 956,
"FileHash-SHA1": 906,
"FileHash-SHA256": 2651,
"URL": 4450,
"domain": 708,
"hostname": 2403,
"CVE": 1,
"email": 5
},
"indicator_count": 12080,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "145 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68fc6c64ffa5ca172fc0066c",
"name": "Ransom \u2022 Expiro \u2022 ET impact Airlines",
"description": "I\u2019m definitely not an airline anybody. I made a strong recommendation and have contacted the limited authorities. I recommend Airlines take the initiative to disable ability for passengers , employees or anyone to be able to connect to wifi. Disable it. I strongly suggest that no one would use any device on airlines for as long as possible. \n\nI trust the tip as much as I don\u2019t want to.\nThere are Denver to , London and other global entities possibly South Africa, Australia, Arizona hackers involved in upcoming hostile attacks. \n\nThis Pulse doesn\u2019t do anything to make me sound credible. Unfortunately we only received credible tips. I\u2019d rather be wrong , too safe than sorry. I received information about upcoming regional attacks on airplanes. Yesterday I received a frighteningly credible tip detailing the targeting of an exact airline. I obviously can\u2019t guarantee this information is true. Serious issues were found.\nI didn\u2019t include airline name, just vulnerabilities.",
"modified": "2025-11-24T04:02:10.160000",
"created": "2025-10-25T06:21:24.387000",
"tags": [
"name servers",
"ip address",
"servers",
"virtool",
"win32cve oct",
"avast avg",
"mtb oct",
"top source",
"top destination",
"show",
"source source",
"dynamicloader",
"query",
"observed dns",
"high",
"expiro related",
"dns query",
"known sinkhole",
"malware",
"cve",
"flights",
"wifi",
"obfuscator",
"rsdse",
"wd62",
"ids detections",
"alerts",
"domain",
"contacted",
"av detections",
"yara detections",
"win32/expiro.ndo",
"cnc activity",
"activity",
"et malware",
"http traffic",
"videos",
"music",
"guard",
"defender",
"media",
"indicator role",
"title added",
"active related",
".lol",
"samuel tulach",
"light dark",
"samuel",
"tulach",
"il2cpp",
"from firmware",
"vbs enclave",
"hyperv nov",
"using vbs",
"linux jul",
"information",
"discovery",
"t1045",
"packing",
"t1060",
"run keys",
"startup",
"folder",
"t1119",
"t1027",
"capture",
"url https",
"url http",
"t1036",
"t1040",
"sniffing",
"t1053",
"taskjob",
"t1055",
"injection",
"fraud",
"sabey",
"josht",
"eric everest",
"sha256",
"no expiration",
"filehashsha256",
"levelblue",
"open threat",
"lol crimegroup"
],
"references": [
"Global Airline Threat - though targeting seems to be involved",
"https://tulach.cc/ | Brian Sabey",
"https://www.fireeye.com/",
"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html",
"Malicious Antivirus Detections #VirTool:Win32/Obfuscator.ADB",
"IDS Detections: DNS Query to Expiro Related Domain (przvgke .biz)",
"IDS Detections: DNS Query to Expiro Related Domain (knjghuig .biz) Known Sinkhole Response Header Win32/Expiro CnC Activity (POST) Win32/Expiro.NDO CnC Activity Observed DNS Query to .biz TLD Namecheap URL Forward 403 Forbidden",
"Alerts: suspicious_iocontrol_codes network_bind ransomware_file_modifications stealth_file",
"Alerts: virus polymorphic procmem_yara static_pe_anomaly suricata_alert antivm_bochs_keys",
"Alerts: antivm_generic_disk anomalous_deletefile antisandbox_sleep dynamic_function_loading",
"Alerts: resumethread_remote_process network_connection_via_suspicious_process network_cnc_http",
"Alerts: network_http packer_unknown_pe_section_name dropper",
"ConventionEngine_Term_Users",
"Observed DNS Query to .biz TLD Namecheap URL Forward GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 403 Forbidden",
"CVE FileHash-SHA256 36e49940232d00b021793c3cd7df19200c875ce3beb1992ecc59f6f8f6389be8",
"CVE FileHash-SHA256 7ca48970b1b9c076f6bd59c1b10e26c47e7acd954869510c1dcdf97dac9b8c2e",
"https://otx.alienvault.com/user/gameprofits.io"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "#VirTool:Win32/Obfuscator.",
"display_name": "#VirTool:Win32/Obfuscator.",
"target": "/malware/#VirTool:Win32/Obfuscator."
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Packed- Multiple Malware",
"display_name": "Packed- Multiple Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1448",
"name": "Carrier Billing Fraud",
"display_name": "T1448 - Carrier Billing Fraud"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 262,
"URL": 496,
"FileHash-MD5": 36,
"FileHash-SHA1": 36,
"hostname": 147,
"domain": 92,
"email": 1
},
"indicator_count": 1070,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "146 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f7582b2454d926e77db68c",
"name": "AWS does have issues - Indictor removal service impacting threat hunting services",
"description": "Malicious. I hope the pulse posted yesterday didn\u2019t lead to AWS outage. I learned about it a few a few hours ago. AWS does have issues, like having a monopoly and the type of services allowed to exist on their servers. I never saw the links until I learned. I appreciate tips , opinions , and sharing.received. An issue found on targets old iOS 14 device ,due to deletions . This had me researching a link that is related to multiple links researched before. Impacts: Threat hunting services. * Worm:Win32/AutoRun.XXY!bit (Emotet and Neshta relationship). There are many other malicious indicators.",
"modified": "2025-11-20T06:00:01.014000",
"created": "2025-10-21T09:53:47.767000",
"tags": [
"url http",
"url https",
"united",
"sweden",
"canada",
"search",
"type indicator",
"added active",
"related pulses",
"aws",
"passive dns",
"urls",
"files domain",
"files related",
"related tags",
"none google",
"safe browsing",
"present jun",
"present sep",
"present aug",
"present jul",
"present oct",
"present may",
"ip address",
"uruguay unknown",
"india showing",
"next associated",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"unknown",
"write",
"read",
"unknown www",
"et trojan",
"suspicious",
"read c",
"myagrent",
"get myagrent",
"win32",
"malware",
"ids detections",
"et",
"dynamicloader",
"medium",
"write c",
"high",
"pcratgh0st cnc",
"backdoor family",
"show",
"ms windows",
"trojandropper",
"code",
"next",
"polymorphic",
"indicator role",
"title added",
"active related",
"report spam",
"threat hunters",
"brian",
"sabey created",
"day ago",
"white indicator",
"sabey",
"worm",
"emotet",
"tags",
"malware family",
"ck ids",
"t1140",
"information",
"t1045",
"packing",
"t1060",
"dns",
"role title",
"filehashmd5",
"malware attacks",
"find encrypted",
"pulses url",
"q oct",
"dns",
"ators show",
"tbmvid",
"sourcelnms",
"ipv4",
"types",
"indicators show"
],
"references": [
"business-support.intel.com \u2022 dns0.org \u2022 http://g-ns-1047.awsdns-20.org/",
"Alerts: physical_drive_access deletes_executed_files anomalous_deletefile",
"Alerts: suspicious_iocontrol_codes polymorphic static_pe_anomaly suricata_alert",
"Alerts: injection_rwx antivm_checks_available_memory queries_computer_name",
"Alerts: resumethread_remote_process antivm_generic_disk antisandbox_sleep dynamic_function_loading",
"Alerts: enumerates_running_processes reads_self packer_unknown_pe_section_name contains_pe_overlay dropper queries_keyboard_layout",
"102 Yara Detections: XOR_embeded_exefile_xored_with_round_256_bytes_key",
"More PE Packer Microsoft Visual C++ Compilation | File Type PEXE - PE32 executable (GUI) Intel 80386, for MS Windows",
"IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)",
"Contacted ipp.getcash2018.com conf.f.360.cn",
"All IP\u2019s Contacted 27.102.115.143 199.232.210.172 Domains",
"IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)",
"New? patch-aws-8y03-v202542-266-2.space.prod.a0core.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Zegost",
"display_name": "Zegost",
"target": null
},
{
"id": "TrojanDropper:Win32/Zegost.B",
"display_name": "TrojanDropper:Win32/Zegost.B",
"target": "/malware/TrojanDropper:Win32/Zegost.B"
},
{
"id": "Worm:Win32/AutoRun.XXY!bit",
"display_name": "Worm:Win32/AutoRun.XXY!bit",
"target": "/malware/Worm:Win32/AutoRun.XXY!bit"
},
{
"id": "Trojan:Win32/Fugrafa",
"display_name": "Trojan:Win32/Fugrafa",
"target": "/malware/Trojan:Win32/Fugrafa"
},
{
"id": "Win32:MalwareX-gen",
"display_name": "Win32:MalwareX-gen",
"target": null
}
],
"attack_ids": [
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1224,
"URL": 2979,
"domain": 609,
"FileHash-SHA256": 765,
"FileHash-SHA1": 350,
"FileHash-MD5": 374,
"CVE": 1,
"email": 1
},
"indicator_count": 6303,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "150 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f80aa152fdd795fa008e2e",
"name": "Small & Comisproc Indicator Removal service Affects Threat Hunter Sevices",
"description": "",
"modified": "2025-11-19T05:02:39.961000",
"created": "2025-10-21T22:35:13.128000",
"tags": [
"url https",
"url http",
"hostname",
"b9sdwan",
"b9 no",
"united",
"passive dns",
"ipv4 add",
"urls",
"location united",
"america flag",
"san jose",
"trojan",
"canada unknown",
"hostname add",
"url analysis",
"http",
"ip address",
"related nids",
"path",
"america asn",
"as4983 intel",
"canada",
"gmt p3p",
"cp noi",
"adm dev",
"psai com",
"unknown ns",
"united states",
"twitter",
"url add",
"files location",
"flag united",
"status",
"emails",
"servers",
"mtb aug",
"win32",
"invalid url",
"lowfi",
"body html",
"head title",
"files",
"files ip",
"filehashmd5",
"iocs",
"type indicator",
"role title",
"related pulses",
"dynamicloader",
"directui",
"write c",
"element",
"classinfobase",
"forbidden",
"write",
"high",
"worm",
"delphi",
"guard",
"error",
"vmprotect",
"malware",
"defender",
"suspicious",
"port",
"read c",
"destination",
"crlf line",
"rgba",
"unicode",
"png image",
"td td",
"td tr",
"a td",
"dynamic dns",
"search",
"arial",
"trojandropper",
"null",
"enough",
"hosts",
"fast",
"afraid",
"a domains",
"welcome",
"ok server",
"gmt content",
"present sep",
"unknown soa",
"unknown cname",
"present oct",
"present aug",
"event rocket",
"title",
"cookie",
"encrypt",
"sabey type"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/AutoRun.XXY!bit",
"display_name": "Worm:Win32/AutoRun.XXY!bit",
"target": "/malware/Worm:Win32/AutoRun.XXY!bit"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68f5cfa9b74d6faa43eb6585",
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1434,
"URL": 3982,
"FileHash-MD5": 391,
"FileHash-SHA1": 309,
"FileHash-SHA256": 1525,
"domain": 758,
"email": 10,
"SSLCertFingerprint": 3,
"CVE": 1
},
"indicator_count": 8413,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "151 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f5cfa9b74d6faa43eb6585",
"name": "Indicator Removal service affecting Threat Hunters | Brian Sabey",
"description": "Indicator removal used by M. Brian Sabey to for the purpose of attacking networks and removing malicious indicators related to entities and attacks deployed by & Co. Impacts: Threat hunting services. * Worm:Win32/AutoRun.XXY!bit (Emotet and Neshta relationship).\nThere are many other malicious indicators.\n\n* foundryvttcasero.roleros.cl",
"modified": "2025-11-19T05:02:39.961000",
"created": "2025-10-20T05:59:04.173000",
"tags": [
"url https",
"url http",
"hostname",
"b9sdwan",
"b9 no",
"united",
"passive dns",
"ipv4 add",
"urls",
"location united",
"america flag",
"san jose",
"trojan",
"canada unknown",
"hostname add",
"url analysis",
"http",
"ip address",
"related nids",
"path",
"america asn",
"as4983 intel",
"canada",
"gmt p3p",
"cp noi",
"adm dev",
"psai com",
"unknown ns",
"united states",
"twitter",
"url add",
"files location",
"flag united",
"status",
"emails",
"servers",
"mtb aug",
"win32",
"invalid url",
"lowfi",
"body html",
"head title",
"files",
"files ip",
"filehashmd5",
"iocs",
"type indicator",
"role title",
"related pulses",
"dynamicloader",
"directui",
"write c",
"element",
"classinfobase",
"forbidden",
"write",
"high",
"worm",
"delphi",
"guard",
"error",
"vmprotect",
"malware",
"defender",
"suspicious",
"port",
"read c",
"destination",
"crlf line",
"rgba",
"unicode",
"png image",
"td td",
"td tr",
"a td",
"dynamic dns",
"search",
"arial",
"trojandropper",
"null",
"enough",
"hosts",
"fast",
"afraid",
"a domains",
"welcome",
"ok server",
"gmt content",
"present sep",
"unknown soa",
"unknown cname",
"present oct",
"present aug",
"event rocket",
"title",
"cookie",
"encrypt",
"sabey type"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/AutoRun.XXY!bit",
"display_name": "Worm:Win32/AutoRun.XXY!bit",
"target": "/malware/Worm:Win32/AutoRun.XXY!bit"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1434,
"URL": 3982,
"FileHash-MD5": 391,
"FileHash-SHA1": 309,
"FileHash-SHA256": 1525,
"domain": 758,
"email": 10,
"SSLCertFingerprint": 3,
"CVE": 1
},
"indicator_count": 8413,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "151 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68eff0848071708f9ee0c0bd",
"name": "Gamarue \u2022 G3nasom\u2022 Simda\u2022 Ganelp affecting Assurant and T-Mobile Part 3",
"description": "",
"modified": "2025-11-14T17:02:12.746000",
"created": "2025-10-15T19:05:40.466000",
"tags": [
"ipv4",
"email abuse",
"email info",
"active related",
"passive dns",
"files related",
"related tags",
"none google",
"external",
"present aug",
"present sep",
"present jun",
"present jul",
"present oct",
"ipv4 https",
"crosscountry",
"mortgagefamily",
"port",
"read c",
"destination",
"high",
"intel",
"ms windows",
"stream",
"explorer",
"write",
"malware",
"united",
"asnone",
"et trojan",
"windows nt",
"suspicious",
"win64",
"zune",
"et",
"netherlands",
"segoe ui",
"found content",
"length",
"content type",
"ipv4 add",
"pulse pulses",
"urls",
"error",
"ip address",
"pulse submit",
"url analysis",
"files",
"domain",
"ip related",
"pulses none",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"spawns",
"command",
"found",
"defense evasion",
"ssl certificate",
"execution",
"path",
"secure",
"show technique",
"mitre att",
"ck matrix",
"maxage31536000",
"expirestue",
"brand",
"microsoft edge",
"date",
"cookie",
"sha1",
"ascii text",
"sha256",
"pattern match",
"hybrid",
"local",
"click",
"strings",
"show process",
"flag",
"programfiles",
"command decode",
"comspec",
"model",
"general",
"starfield",
"encrypt",
"iframe",
"development att",
"backdoor",
"win32",
"reverse dns",
"location india",
"india asn",
"trojan",
"mtb win32"
],
"references": [
"Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com",
"20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf",
"Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984",
"p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
"http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=",
"http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/",
"you.are.poor.i.got.trap.money?",
"Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland",
"Germany",
"Romania",
"South Africa"
],
"malware_families": [
{
"id": "BC.Win.Packer.Troll-11",
"display_name": "BC.Win.Packer.Troll-11",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Crypt3.BOJE",
"display_name": "Crypt3.BOJE",
"target": null
},
{
"id": "Crypt3.BXMJ",
"display_name": "Crypt3.BXMJ",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.OV!MTB",
"display_name": "Trojan:Win32/Glupteba.OV!MTB",
"target": "/malware/Trojan:Win32/Glupteba.OV!MTB"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "ProRat",
"display_name": "ProRat",
"target": null
},
{
"id": "Backdoor:Win32/Prorat.L",
"display_name": "Backdoor:Win32/Prorat.L",
"target": "/malware/Backdoor:Win32/Prorat.L"
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "DanaBot",
"display_name": "DanaBot",
"target": null
},
{
"id": "Atros3.AHFB",
"display_name": "Atros3.AHFB",
"target": null
},
{
"id": "Crypt5.BBYH",
"display_name": "Crypt5.BBYH",
"target": null
},
{
"id": "Crypt4.AHSW",
"display_name": "Crypt4.AHSW",
"target": null
},
{
"id": "Crypt3.COIZ",
"display_name": "Crypt3.COIZ",
"target": null
},
{
"id": "Crypt3.CMTM",
"display_name": "Crypt3.CMTM",
"target": null
},
{
"id": "Crypt3.CKTO",
"display_name": "Crypt3.CKTO",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Crypt3.BXGR",
"display_name": "Crypt3.BXGR",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Crypt3.BOQD",
"display_name": "Crypt3.BOQD",
"target": null
},
{
"id": "Crypt3.BLXP",
"display_name": "Crypt3.BLXP",
"target": null
},
{
"id": "Crypt3.BOIU",
"display_name": "Crypt3.BOIU",
"target": null
},
{
"id": "Inject2.BHBW",
"display_name": "Inject2.BHBW",
"target": null
},
{
"id": "Inject2.BIVE",
"display_name": "Inject2.BIVE",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
}
],
"industries": [
"Telecommunications",
"Insurance"
],
"TLP": "white",
"cloned_from": "68efee5ba882db423d3bad8f",
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 10010,
"FileHash-MD5": 150,
"FileHash-SHA1": 144,
"FileHash-SHA256": 2869,
"domain": 2046,
"email": 6,
"hostname": 3705,
"SSLCertFingerprint": 19
},
"indicator_count": 18949,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "155 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68efedf37890e1b32d60eb55",
"name": "Assurant Insurance \u2022 Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant , T-Mobile & me",
"description": "Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant and T-Mobile and me. There is truth to the tip I received. This is the 3rd time all of my networks went down , even my phone disconnected and phone number changed temporarily. \n\nJosh T found again. Online profile possibly staged. Stated he is a gamer , self trained in Lua, , CS major in Canada. He is a malicious hacker and streamer and probably an entity. Eric _E iCloud related. Found DoD & Mil hackers related. I haven\u2019t taken the time to authenticate.. Very malicious and talented hackers attacking. I can\u2019t ignore the .mil and DoD items that populated in previous pulses. \n \n[OTX Auto Populated-Trojan-gen-Glupteba, Danabot, Prorat, and other names have been identified as the names of those affected by the latest cyber-attack on the internet.]",
"modified": "2025-11-14T17:02:12.746000",
"created": "2025-10-15T18:54:43.205000",
"tags": [
"ipv4",
"email abuse",
"email info",
"active related",
"passive dns",
"files related",
"related tags",
"none google",
"external",
"present aug",
"present sep",
"present jun",
"present jul",
"present oct",
"ipv4 https",
"crosscountry",
"mortgagefamily",
"port",
"read c",
"destination",
"high",
"intel",
"ms windows",
"stream",
"explorer",
"write",
"malware",
"united",
"asnone",
"et trojan",
"windows nt",
"suspicious",
"win64",
"zune",
"et",
"netherlands",
"segoe ui",
"found content",
"length",
"content type",
"ipv4 add",
"pulse pulses",
"urls",
"error",
"ip address",
"pulse submit",
"url analysis",
"files",
"domain",
"ip related",
"pulses none",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"spawns",
"command",
"found",
"defense evasion",
"ssl certificate",
"execution",
"path",
"secure",
"show technique",
"mitre att",
"ck matrix",
"maxage31536000",
"expirestue",
"brand",
"microsoft edge",
"date",
"cookie",
"sha1",
"ascii text",
"sha256",
"pattern match",
"hybrid",
"local",
"click",
"strings",
"show process",
"flag",
"programfiles",
"command decode",
"comspec",
"model",
"general",
"starfield",
"encrypt",
"iframe",
"development att",
"backdoor",
"win32",
"reverse dns",
"location india",
"india asn",
"trojan",
"mtb win32"
],
"references": [
"Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com",
"20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf",
"Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984",
"p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
"http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=",
"http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/",
"you.are.poor.i.got.trap.money?",
"Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland",
"Germany",
"Romania",
"South Africa"
],
"malware_families": [
{
"id": "BC.Win.Packer.Troll-11",
"display_name": "BC.Win.Packer.Troll-11",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Crypt3.BOJE",
"display_name": "Crypt3.BOJE",
"target": null
},
{
"id": "Crypt3.BXMJ",
"display_name": "Crypt3.BXMJ",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.OV!MTB",
"display_name": "Trojan:Win32/Glupteba.OV!MTB",
"target": "/malware/Trojan:Win32/Glupteba.OV!MTB"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "ProRat",
"display_name": "ProRat",
"target": null
},
{
"id": "Backdoor:Win32/Prorat.L",
"display_name": "Backdoor:Win32/Prorat.L",
"target": "/malware/Backdoor:Win32/Prorat.L"
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "DanaBot",
"display_name": "DanaBot",
"target": null
},
{
"id": "Atros3.AHFB",
"display_name": "Atros3.AHFB",
"target": null
},
{
"id": "Crypt5.BBYH",
"display_name": "Crypt5.BBYH",
"target": null
},
{
"id": "Crypt4.AHSW",
"display_name": "Crypt4.AHSW",
"target": null
},
{
"id": "Crypt3.COIZ",
"display_name": "Crypt3.COIZ",
"target": null
},
{
"id": "Crypt3.CMTM",
"display_name": "Crypt3.CMTM",
"target": null
},
{
"id": "Crypt3.CKTO",
"display_name": "Crypt3.CKTO",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Crypt3.BXGR",
"display_name": "Crypt3.BXGR",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Crypt3.BOQD",
"display_name": "Crypt3.BOQD",
"target": null
},
{
"id": "Crypt3.BLXP",
"display_name": "Crypt3.BLXP",
"target": null
},
{
"id": "Crypt3.BOIU",
"display_name": "Crypt3.BOIU",
"target": null
},
{
"id": "Inject2.BHBW",
"display_name": "Inject2.BHBW",
"target": null
},
{
"id": "Inject2.BIVE",
"display_name": "Inject2.BIVE",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
}
],
"industries": [
"Telecommunications",
"Insurance"
],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 10010,
"FileHash-MD5": 150,
"FileHash-SHA1": 144,
"FileHash-SHA256": 2869,
"domain": 2046,
"email": 6,
"hostname": 3705,
"SSLCertFingerprint": 19
},
"indicator_count": 18949,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "155 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68efee5ba882db423d3bad8f",
"name": "Assurant & T-Mobile BLYP Checkin ET MALWARE TROJAN \u2022 Kryptic",
"description": "",
"modified": "2025-11-14T17:02:12.746000",
"created": "2025-10-15T18:56:27.950000",
"tags": [
"ipv4",
"email abuse",
"email info",
"active related",
"passive dns",
"files related",
"related tags",
"none google",
"external",
"present aug",
"present sep",
"present jun",
"present jul",
"present oct",
"ipv4 https",
"crosscountry",
"mortgagefamily",
"port",
"read c",
"destination",
"high",
"intel",
"ms windows",
"stream",
"explorer",
"write",
"malware",
"united",
"asnone",
"et trojan",
"windows nt",
"suspicious",
"win64",
"zune",
"et",
"netherlands",
"segoe ui",
"found content",
"length",
"content type",
"ipv4 add",
"pulse pulses",
"urls",
"error",
"ip address",
"pulse submit",
"url analysis",
"files",
"domain",
"ip related",
"pulses none",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"spawns",
"command",
"found",
"defense evasion",
"ssl certificate",
"execution",
"path",
"secure",
"show technique",
"mitre att",
"ck matrix",
"maxage31536000",
"expirestue",
"brand",
"microsoft edge",
"date",
"cookie",
"sha1",
"ascii text",
"sha256",
"pattern match",
"hybrid",
"local",
"click",
"strings",
"show process",
"flag",
"programfiles",
"command decode",
"comspec",
"model",
"general",
"starfield",
"encrypt",
"iframe",
"development att",
"backdoor",
"win32",
"reverse dns",
"location india",
"india asn",
"trojan",
"mtb win32"
],
"references": [
"Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com",
"20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf",
"Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984",
"p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
"http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=",
"http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/",
"you.are.poor.i.got.trap.money?",
"Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland",
"Germany",
"Romania",
"South Africa"
],
"malware_families": [
{
"id": "BC.Win.Packer.Troll-11",
"display_name": "BC.Win.Packer.Troll-11",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Crypt3.BOJE",
"display_name": "Crypt3.BOJE",
"target": null
},
{
"id": "Crypt3.BXMJ",
"display_name": "Crypt3.BXMJ",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.OV!MTB",
"display_name": "Trojan:Win32/Glupteba.OV!MTB",
"target": "/malware/Trojan:Win32/Glupteba.OV!MTB"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "ProRat",
"display_name": "ProRat",
"target": null
},
{
"id": "Backdoor:Win32/Prorat.L",
"display_name": "Backdoor:Win32/Prorat.L",
"target": "/malware/Backdoor:Win32/Prorat.L"
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "DanaBot",
"display_name": "DanaBot",
"target": null
},
{
"id": "Atros3.AHFB",
"display_name": "Atros3.AHFB",
"target": null
},
{
"id": "Crypt5.BBYH",
"display_name": "Crypt5.BBYH",
"target": null
},
{
"id": "Crypt4.AHSW",
"display_name": "Crypt4.AHSW",
"target": null
},
{
"id": "Crypt3.COIZ",
"display_name": "Crypt3.COIZ",
"target": null
},
{
"id": "Crypt3.CMTM",
"display_name": "Crypt3.CMTM",
"target": null
},
{
"id": "Crypt3.CKTO",
"display_name": "Crypt3.CKTO",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Crypt3.BXGR",
"display_name": "Crypt3.BXGR",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Crypt3.BOQD",
"display_name": "Crypt3.BOQD",
"target": null
},
{
"id": "Crypt3.BLXP",
"display_name": "Crypt3.BLXP",
"target": null
},
{
"id": "Crypt3.BOIU",
"display_name": "Crypt3.BOIU",
"target": null
},
{
"id": "Inject2.BHBW",
"display_name": "Inject2.BHBW",
"target": null
},
{
"id": "Inject2.BIVE",
"display_name": "Inject2.BIVE",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
}
],
"industries": [
"Telecommunications",
"Insurance"
],
"TLP": "white",
"cloned_from": "68efedf37890e1b32d60eb55",
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 10010,
"FileHash-MD5": 150,
"FileHash-SHA1": 144,
"FileHash-SHA256": 2869,
"domain": 2046,
"email": 6,
"hostname": 3705,
"SSLCertFingerprint": 19
},
"indicator_count": 18949,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "155 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68ee5ea4d51d4a1cabdb4ee9",
"name": "Gaming Studios - YouTube - MyDoom",
"description": "",
"modified": "2025-11-13T12:05:32.283000",
"created": "2025-10-14T14:31:00.172000",
"tags": [
"no expiration",
"url https",
"url http",
"iocs",
"ipv4",
"enter source",
"indicator role",
"title added",
"active related",
"united",
"present jul",
"unknown ns",
"search",
"for privacy",
"moved",
"ip address",
"encrypt",
"a domains",
"script urls",
"meta",
"pragma",
"general full",
"reverse dns",
"software",
"resource",
"security tls",
"piscataway",
"asn20473",
"asn15169",
"google",
"asvultr",
"portfolio",
"josh theriault",
"upei",
"university",
"island",
"roblox",
"jmt studios",
"moon engine",
"android",
"icpc",
"north america",
"qualifier",
"hello",
"apache",
"runner",
"eric everest",
"games",
"cloudflar",
"amazon02",
"as autonomous",
"system",
"canada",
"value",
"domainpath name",
"cgjerrieegaggq",
"name value",
"form",
"game development",
"blog",
"jmt99",
"developer",
"event",
"bullseye",
"trick or treat",
"unofficial trick or treat 2014",
"unofficial trick or treat 2015",
"egg hunt",
"gift hunt",
"hallows quest",
"studio",
"experience",
"fall",
"january",
"july",
"founder",
"studio head",
"passive dns",
"urls",
"registrar",
"title",
"roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"",
"press copyright",
"contact",
"privacy policy",
"safety how",
"youtube",
"test",
"nfl sunday",
"ticket",
"google llc",
"data upload",
"extraction",
"failed",
"files",
"twitter",
"variables",
"cgjjtbieggagla",
"nid value",
"expiration date",
"files ip",
"dynamicloader",
"write c",
"delete c",
"intel",
"ms windows",
"medium",
"default",
"write",
"guard",
"mozilla",
"malware",
"defender",
"unknown",
"domains",
"hashes",
"url analysis",
"unknown aaaa",
"script domains",
"certificate",
"game",
"servers",
"unofficial",
"settings",
"public",
"endpoints",
"currently",
"game servers",
"current",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"request",
"role title",
"related pulses",
"domain v",
"url indicator",
"nameilname",
"ascii text",
"mitre att",
"ck id",
"ck matrix",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"pe file",
"high",
"yara detections",
"dynamic",
"v hostname",
"se fos",
"include v",
"domain url",
"data",
"alltypes",
"win32mydoom oct",
"trojan",
"url add",
"http",
"related nids",
"files location",
"canada flag",
"canada hostname",
"canada unknown",
"canada",
"present aug",
"name servers",
"present sep",
"aaaa",
"present oct",
"crlf line",
"unicode text",
"music",
"suspicious",
"bricked.wtf",
"flag united",
"google safe",
"domain",
"address domain",
"united states",
"filehashsha256",
"hostname xn",
"finland unknown",
"filehashmd5",
"indicators hong",
"kong",
"south korea",
"present jun",
"present mar",
"present may",
"olet",
"cnr12",
"tlsv1",
"get updates",
"upatre",
"added active",
"apple",
"everest",
"josh paul",
"upadter",
"convagent",
"info stealing",
"delete service",
"phishing",
"fraud",
"social engineering",
"gamer",
"hacker",
"adversaries",
"icloud",
"found",
"gmt content",
"error",
"redacted for",
"meta http",
"content",
"gmt server",
"france unknown",
"poland unknown",
"content type",
"xml title",
"hostname add",
"address",
"location united",
"life",
"century link llc",
"xfinity",
"livesex",
"domain add",
"users",
"show",
"delete",
"blocked by quad9",
"showing",
"record value",
"location canada",
"canada asn",
"accept",
"cookie",
"macbook",
"ipv4 add",
"america flag",
"america asn",
"asn as714",
"less",
"woodynet",
"next associated",
"status",
"exclude sugges",
"ip related",
"t1027.013"
],
"references": [
"https://www.jmtstudios.org/farewell/",
"https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw",
"graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system",
"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html",
"ConventionEngine_Term_Dropbox \u2022 Dropbox",
"http://api.jmtstudios.org/",
"bricked.wtf",
"ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com",
"http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com",
"careersandenterprise.appleid.com \u2022 http://apple.appleid.com/",
"https://forwardemail.net/es/blog/open-source/apple-email-clients",
"accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud",
"http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link",
"http://www.visitbooker.com/Dropbox-07/index.htm",
"dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/",
"Appears to be closely associated with close relative and initial victim of attack.",
"Potentially disturbing , personal , invasive, aggressive, intimate behavior of party."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Hong Kong",
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Convagent-9981433-0",
"display_name": "Win.Malware.Convagent-9981433-0",
"target": null
},
{
"id": "Upadter",
"display_name": "Upadter",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6996,
"FileHash-MD5": 281,
"FileHash-SHA1": 220,
"FileHash-SHA256": 2673,
"domain": 1747,
"email": 24,
"hostname": 2803,
"SSLCertFingerprint": 3
},
"indicator_count": 14747,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "157 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68ee5e9f8cfc5fbc73142660",
"name": "Gaming Studios - YouTube - MyDoom",
"description": "",
"modified": "2025-11-13T12:05:32.283000",
"created": "2025-10-14T14:30:55.471000",
"tags": [
"no expiration",
"url https",
"url http",
"iocs",
"ipv4",
"enter source",
"indicator role",
"title added",
"active related",
"united",
"present jul",
"unknown ns",
"search",
"for privacy",
"moved",
"ip address",
"encrypt",
"a domains",
"script urls",
"meta",
"pragma",
"general full",
"reverse dns",
"software",
"resource",
"security tls",
"piscataway",
"asn20473",
"asn15169",
"google",
"asvultr",
"portfolio",
"josh theriault",
"upei",
"university",
"island",
"roblox",
"jmt studios",
"moon engine",
"android",
"icpc",
"north america",
"qualifier",
"hello",
"apache",
"runner",
"eric everest",
"games",
"cloudflar",
"amazon02",
"as autonomous",
"system",
"canada",
"value",
"domainpath name",
"cgjerrieegaggq",
"name value",
"form",
"game development",
"blog",
"jmt99",
"developer",
"event",
"bullseye",
"trick or treat",
"unofficial trick or treat 2014",
"unofficial trick or treat 2015",
"egg hunt",
"gift hunt",
"hallows quest",
"studio",
"experience",
"fall",
"january",
"july",
"founder",
"studio head",
"passive dns",
"urls",
"registrar",
"title",
"roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"",
"press copyright",
"contact",
"privacy policy",
"safety how",
"youtube",
"test",
"nfl sunday",
"ticket",
"google llc",
"data upload",
"extraction",
"failed",
"files",
"twitter",
"variables",
"cgjjtbieggagla",
"nid value",
"expiration date",
"files ip",
"dynamicloader",
"write c",
"delete c",
"intel",
"ms windows",
"medium",
"default",
"write",
"guard",
"mozilla",
"malware",
"defender",
"unknown",
"domains",
"hashes",
"url analysis",
"unknown aaaa",
"script domains",
"certificate",
"game",
"servers",
"unofficial",
"settings",
"public",
"endpoints",
"currently",
"game servers",
"current",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"request",
"role title",
"related pulses",
"domain v",
"url indicator",
"nameilname",
"ascii text",
"mitre att",
"ck id",
"ck matrix",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"pe file",
"high",
"yara detections",
"dynamic",
"v hostname",
"se fos",
"include v",
"domain url",
"data",
"alltypes",
"win32mydoom oct",
"trojan",
"url add",
"http",
"related nids",
"files location",
"canada flag",
"canada hostname",
"canada unknown",
"canada",
"present aug",
"name servers",
"present sep",
"aaaa",
"present oct",
"crlf line",
"unicode text",
"music",
"suspicious",
"bricked.wtf",
"flag united",
"google safe",
"domain",
"address domain",
"united states",
"filehashsha256",
"hostname xn",
"finland unknown",
"filehashmd5",
"indicators hong",
"kong",
"south korea",
"present jun",
"present mar",
"present may",
"olet",
"cnr12",
"tlsv1",
"get updates",
"upatre",
"added active",
"apple",
"everest",
"josh paul",
"upadter",
"convagent",
"info stealing",
"delete service",
"phishing",
"fraud",
"social engineering",
"gamer",
"hacker",
"adversaries",
"icloud",
"found",
"gmt content",
"error",
"redacted for",
"meta http",
"content",
"gmt server",
"france unknown",
"poland unknown",
"content type",
"xml title",
"hostname add",
"address",
"location united",
"life",
"century link llc",
"xfinity",
"livesex",
"domain add",
"users",
"show",
"delete",
"blocked by quad9",
"showing",
"record value",
"location canada",
"canada asn",
"accept",
"cookie",
"macbook",
"ipv4 add",
"america flag",
"america asn",
"asn as714",
"less",
"woodynet",
"next associated",
"status",
"exclude sugges",
"ip related",
"t1027.013"
],
"references": [
"https://www.jmtstudios.org/farewell/",
"https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw",
"graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system",
"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html",
"ConventionEngine_Term_Dropbox \u2022 Dropbox",
"http://api.jmtstudios.org/",
"bricked.wtf",
"ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com",
"http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com",
"careersandenterprise.appleid.com \u2022 http://apple.appleid.com/",
"https://forwardemail.net/es/blog/open-source/apple-email-clients",
"accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud",
"http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link",
"http://www.visitbooker.com/Dropbox-07/index.htm",
"dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/",
"Appears to be closely associated with close relative and initial victim of attack.",
"Potentially disturbing , personal , invasive, aggressive, intimate behavior of party."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Hong Kong",
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Convagent-9981433-0",
"display_name": "Win.Malware.Convagent-9981433-0",
"target": null
},
{
"id": "Upadter",
"display_name": "Upadter",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 23,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6996,
"FileHash-MD5": 281,
"FileHash-SHA1": 220,
"FileHash-SHA256": 2673,
"domain": 1747,
"email": 24,
"hostname": 2803,
"SSLCertFingerprint": 3
},
"indicator_count": 14747,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "157 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68edc1c2be848e73a32ab9ba",
"name": "Fatal Error - Hacker Known \u2022 Name Unknown | Lives @ risk",
"description": "I am connected to targeteds phone. My location is autonomous _ will show up in Colorado most likely. \n\nScary, this weekend a woman dressed like a peasant somehow managed to give me a letter past Thursday with information about a death in the 11th floor of an Apartment in Denver. The Sova. Alleged drug overdose may have actually been a homicide, I sound & feel crazy, there were names inside , emails , plans for Airplane attacks affecting civilians this month. I couldn\u2019t, wouldn\u2019t create this. Apparently UK born citizens sponsored by a Google hierarchy were able to weave their way into the lives a family member & Tsara Brashears . These are white males, anlso involved are citizens from African, Ethiopia, India and America deeply involved. They used fake names and I have said too much. If there is an helpful person on here please help!!! There\nis worse and it might be legal hits to insight money for war!\n#nso_related",
"modified": "2025-11-13T02:02:12.454000",
"created": "2025-10-14T03:21:38.305000",
"tags": [
"pulses ipv4",
"ipv4",
"div div",
"united",
"script script",
"a li",
"present jul",
"param",
"entries",
"present aug",
"certificate",
"global domains",
"date",
"title",
"class",
"meta",
"agent",
"stack",
"life",
"a domains",
"passive dns",
"urls",
"ok server",
"gmt content",
"type",
"hostname add",
"pulse pulses",
"files",
"win32mydoom oct",
"trojan",
"next associated",
"pulse",
"reverse dns",
"twitter",
"body",
"dynamicloader",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"unknown",
"copy",
"write",
"malware",
"push",
"next",
"autorun",
"suspicious",
"ip address",
"unknown ns",
"unknown aaaa",
"ipv4 add",
"location united",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"request",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"pattern match",
"ck id",
"show technique",
"mitre att",
"path",
"error",
"fatalerror",
"general",
"hybrid",
"local",
"click",
"strings",
"filehashsha256",
"filehashmd5",
"filehashsha1",
"iist",
"malware family",
"mydoom att",
"ck ids",
"t1060",
"run keys",
"indicator role",
"title added",
"active related",
"showing",
"url https",
"url http",
"startup",
"folder",
"web protocols",
"t1105",
"tool transfer",
"indicators hong",
"kong",
"china",
"germany",
"australia",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"wire",
"t1071"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1022",
"name": "Data Encrypted",
"display_name": "T1022 - Data Encrypted"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1525",
"name": "Implant Internal Image",
"display_name": "T1525 - Implant Internal Image"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2724,
"hostname": 1212,
"domain": 410,
"FileHash-MD5": 408,
"email": 9,
"FileHash-SHA256": 604,
"FileHash-SHA1": 307
},
"indicator_count": 5674,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "157 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68bbdb22e3d606ae8fb5cda8",
"name": "HCPF | Department of Health Care Policy and Financing",
"description": "Project Nemesis - Affects Department of Health Care Policy and Financing | Family representative repeatedly told past bills aren\u2019t being paid by United Healthcare. Argus Insurance (unknown entity) was Policy on record target never had. FR was given information regarding HCPF which was being viewed by past vendor seen in (https://otx.alienvault.com/pulse/68bbb31f6d91989d7fcd9592) | Issues with HCPF have been an issue for some time in isolated scenarios. It\u2019s unclear how at least one person keeps getting their name, bills and life pulled into this. Target PURCHASED a Healthcare policy via agent before major social engineering attacks. Same entity literally robs targets. Gift cards, phone services, cloud storage, account, insurance policies, bank account access, tax refunds, paid claims reversed & taken from target\u2019s account.\nMore research needed. Flaws in new system could jeopardize many. \n#trulymissed #rip #techbrohell #palantir",
"modified": "2025-10-06T05:01:18.794000",
"created": "2025-09-06T06:56:34.649000",
"tags": [
"federal changes",
"health first",
"colorado",
"child health",
"plan plus",
"newimpact",
"medicaidour",
"impact",
"medicaid page",
"medicaid",
"beware",
"text/html",
"trackers",
"iframes",
"external-resources",
"new relic",
"g1gv3h3sxc0",
"utc gcw970gh4gg",
"android",
"known exploited",
"google",
"salesloft drift",
"sap s4hana",
"cve202542957",
"cisa",
"sitecore",
"linux",
"france",
"meta",
"rokrat",
"lizar",
"project nemesis",
"carbanak",
"cobalt strike",
"domino",
"no expiration",
"url https",
"type indicator",
"role title",
"related pulses",
"hostname https",
"m4e5930",
"hostname",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"ascii text",
"search",
"ogoogle trust",
"cngts ca",
"execution",
"next",
"dock",
"write",
"capture",
"persistence",
"malware",
"roboto",
"present feb",
"united",
"a domains",
"present dec",
"passive dns",
"moved",
"script domains",
"script urls",
"urls",
"title",
"date",
"resolved ips",
"http traffic",
"http get",
"match info",
"downloads",
"info",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"endgame systems"
],
"references": [
"Researched: https://hcpf.colorado.gov/",
"www.onyx-ware.com \u2022 https://www.endgamesystems.com/",
"millet-usgc-1.palantirfedstart.com",
"https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html",
"https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms",
"https://passwords.google/?utm_medium=hpp&utm",
"https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html",
"Researched publicly available information provided by representative of a target\u2019s estate",
"System has placed affected on multiple policies cancelling private policy without notice.",
"Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)",
"Provided documented evidence of appealed state issued plan and disclosed financials.",
"Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes",
"I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.",
"State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.",
"Target also owned an online brokerage & lead company, was agent & insurance marketer for years.",
"September began with false information, defaulted claims , denials from authorized services rendered years prior.",
"If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Lizar",
"display_name": "Lizar",
"target": null
},
{
"id": "Project Nemesis",
"display_name": "Project Nemesis",
"target": null
},
{
"id": "Carbanak",
"display_name": "Carbanak",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Domino",
"display_name": "Domino",
"target": null
}
],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [
"Hospitality",
"Financial",
"Healthcare"
],
"TLP": "white",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1395,
"URL": 4304,
"CVE": 1,
"domain": 694,
"FileHash-SHA256": 1790,
"FileHash-MD5": 183,
"FileHash-SHA1": 103,
"SSLCertFingerprint": 5
},
"indicator_count": 8475,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "195 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68a0cb6a89a10d13623a0018",
"name": "Medicaid Mirai Botnet | United Healthcare Mirai Botnet",
"description": "https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll. Medicaid Botnet work managed by Lumen Technologies as part of a massive silencing campaign. |\n\nPhone calls routed since forces and investigated disclosures of several attack resulting in great bodily harm and life threatening, ending injuries.\nThis campaign date has one start date 11/13/2013.\n#missed assaults internal investigated 10/08/2013 -11/31/ 2013.\nI\u2019m sure other targets are impacted . This stems from targets personal , documented experiences. \nFormerly k/a Century Link was confronted by associate of targets when a plain clothed male entered targets yard in 11/ 2013, told their box controlled entire neighborhood. Continuously accessed properties. \n\n\n\n#rip #lumen #botnet #fencing #malware #silencing #civil_liberties # monitored_target #remote #corruption #privacy_abuse #centurylink",
"modified": "2025-09-15T16:04:47.043000",
"created": "2025-08-16T18:18:18.657000",
"tags": [
"url https",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"entries",
"httponly",
"samesitelax",
"read c",
"medium",
"rgba",
"unicode",
"port",
"memcommit",
"delete",
"next",
"dock",
"write",
"execution",
"present aug",
"united",
"ip address",
"name servers",
"unknown ns",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"mitre att",
"ck techniques",
"evasion att",
"pattern match",
"show technique",
"ck matrix",
"refresh",
"body",
"span",
"august",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"href",
"size",
"t1480 execution",
"file defense",
"ascii text",
"trojan",
"passive dns",
"trojandropper",
"next associated",
"fastly error",
"please",
"sea p",
"mozilla",
"accept",
"ipv4 add",
"urls",
"files",
"location united",
"ipv4",
"url analysis",
"america flag",
"america asn",
"backdoor",
"win32",
"malware",
"date",
"domain",
"segoe ui",
"a domains",
"security tls",
"san jose",
"asn8075",
"reverse dns",
"software",
"resource hash",
"general full",
"status",
"emails",
"expiration date",
"asp",
"microsoft oem",
"found",
"running webserver",
"netherlands",
"creation date",
"aaaa",
"certificate",
"protocol h2",
"name value",
"hash",
"present jun",
"present apr",
"moved",
"control att",
"t1573 encrypted",
"channel command",
"decrypted ssl",
"runtime process",
"appdata",
"windows nt",
"svg scalable",
"patch",
"internal",
"core",
"high",
"tcp syn",
"icmp traffic",
"dns query",
"av detections",
"ashburn",
"ai device id",
"telnet",
"windows script",
"microsoft",
"host",
"yara detections",
"pdb path",
"pe resource",
"script host",
"test",
"hostname add",
"files ip",
"domains",
"hashes",
"ireland",
"mtb jun",
"mtb may",
"device local",
"remotewd",
"nemtih",
"url add",
"http",
"hostname",
"files domain",
"files related",
"pulses otx",
"present jul",
"domain add",
"colorado",
"quasi",
"contracts",
"botnet",
"remote access",
"virginia",
"c++",
"hacking",
"monitored target",
"silencing campaign",
"audio recording",
"cameras",
"full service",
"tactics"
],
"references": [
"Handled by Lumen Technologies | What kind of darkness is this?",
"https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll https://myhpnmedicaid.com/Provider",
"dev.myhpnmedicaid.com",
"ELF:Mirai-ATI | United Healthcare Dark? | https://otx.alienvault.com/indicator/ip/205.132.162.113",
"https://hybrid-analysis.com/sample/e439d3dd3d943ecc702d12998a32e15c00008a8f276e6c89cb54f6de43f36de8/689fccb81c4f237eb6009b0f",
"https://hybrid-analysis.com/sample/f095ee58f390749315e72cfa46d979cb25a15884b66c7951719c844ebc82b3a3/689fcc753aca4827cd036851",
"https://hybrid-analysis.com/sample/dd09e575e6dfa77f081bf0014b2494e02f90cb23723fbb35d6b2a92e7c629920/689fcc40b786f8eaa20534b5",
"Primary Request aspnet dotnet.microsoft.com/en-us/apps/ Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/ https://dotnet.microsoft.com/en-us/apps/aspnet",
"Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/",
"https://dotnet.microsoft.com/en-us/apps/aspnet",
"ASP.net - Hack Together: Mar 1-15 Join the hack. Build an app with NET & Microsoft Graph for a\u2026 .",
"ASP.net - chance to win prizes! \u53e3\u3001\u4ecb\u5973\u8fa3 All Microsoft Learn more ASP.NET Free. Cross-platform\u2026.",
"ASP.net Open source. A framework for building web apps and services with .NET and C#",
"Registrant Org: Japan Computer Emergency Response Team Coordination Center",
"Interesting: unitedhealthcare cdn.member.unitedhealthcare.com \u2022 data.aca.unitedhealthcare.com \u2022 data.member.unitedhealthcare.com",
"Interesting Domain Tactics: https://click.benefits.unitedhealthcare.com/",
"Interesting: dev-optum-dataintelligence.com \u2022 optumcoding.xxx \u2022 optuminsightcoding.xxx \u2022 optumrx.xxx",
"Interesting: memberforms.optumrx.com \u2022 myoptum.info \u2022 optumrx.com \u2022 cte-scl.new.optumrx.com \u2022 dev-scl.optumrx.com",
"http://www.nexcentra.com/fox-news-faces-another-sexual-harassment-lawsuit"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Packed.Generic-9967832-0",
"display_name": "Win.Packed.Generic-9967832-0",
"target": null
},
{
"id": "Custom Malware",
"display_name": "Custom Malware",
"target": null
},
{
"id": "Trojan:Win32/Daws",
"display_name": "Trojan:Win32/Daws",
"target": "/malware/Trojan:Win32/Daws"
},
{
"id": "ELF:Mirai-ATI",
"display_name": "ELF:Mirai-ATI",
"target": null
},
{
"id": "Trojan:Win32/IRCbot",
"display_name": "Trojan:Win32/IRCbot",
"target": "/malware/Trojan:Win32/IRCbot"
},
{
"id": "alf:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "alf:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "Trojandropper:Win32/Muldrop.V!MTB",
"display_name": "Trojandropper:Win32/Muldrop.V!MTB",
"target": "/malware/Trojandropper:Win32/Muldrop.V!MTB"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1092",
"name": "Communication Through Removable Media",
"display_name": "T1092 - Communication Through Removable Media"
},
{
"id": "T1433",
"name": "Access Call Log",
"display_name": "T1433 - Access Call Log"
}
],
"industries": [
"Technology",
"Telecommunications",
"Contracts",
"Government",
"Finance",
"Insurance",
"Civil Society"
],
"TLP": "white",
"cloned_from": null,
"export_count": 37,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4880,
"domain": 575,
"hostname": 1419,
"FileHash-SHA256": 1745,
"FileHash-MD5": 284,
"FileHash-SHA1": 263,
"email": 5,
"CVE": 1
},
"indicator_count": 9172,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "216 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "689d5115ad786de4ff048e5b",
"name": "TEL:ECCert!SSLCO | Mirai Malware Hosting | Multi user Tracker",
"description": "https://api.mirai.com/MiraiWebService/passbook/180823-77257/4001645 [Malware hosting]\n*TEL:ECCert!SSLCO\nYARA Detections:\nDelphi\nThis program must be run under Win32\ncompilers.\nCode Overlap of Trojan Droppers Backdoors , TrojanSpy\n\n\n#injection_inter_process\n#creates_largekey\n#network_bind\n#ransomware_file_modifications\n#antivm_generic_bios\n#antivm_generic_disk\n#enumerates_physical_drives\n#physical_drive_access\n#deletes_executed_files\n#recon_fingerprint\n#suspicious_command_tools\n#anomalous_deletefile\n#antisandbox_sleep\n#dead_connect\n#dynamic_function_loading\n#http_request\n#ipc_namedpipe\n#network_anomaly\n#powershell_download\n#powershell_request #track #locate #remote_access",
"modified": "2025-09-13T02:00:42.729000",
"created": "2025-08-14T02:59:33.036000",
"tags": [
"url https",
"url http",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"showing",
"entries",
"present sep",
"united",
"present aug",
"present jul",
"present jun",
"moved",
"unknown ns",
"present may",
"present apr",
"passive dns",
"date",
"encrypt",
"body",
"cookie",
"gmt server",
"content type",
"dynamicloader",
"medium",
"x17x03x01",
"download studio",
"high",
"read c",
"show",
"windows",
"copy",
"powershell",
"write",
"anomaly",
"next",
"unknown",
"next associated",
"urls show",
"date checked",
"url hostname",
"server response",
"ip address",
"google safe",
"yara detections",
"delphi",
"codeoverlap",
"win32",
"rgba",
"memcommit",
"delete",
"png image",
"hash",
"dock",
"execution",
"malware",
"wine emulator",
"dynamic",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"capture",
"persistence",
"sha256",
"submitted",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"script",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"null",
"august",
"span",
"refresh",
"meta",
"mirai",
"february",
"april",
"june",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"caribe",
"rest",
"accept",
"friday",
"look",
"verify",
"restart"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6211,
"domain": 682,
"hostname": 1661,
"FileHash-MD5": 117,
"FileHash-SHA1": 100,
"FileHash-SHA256": 1386,
"SSLCertFingerprint": 5
},
"indicator_count": 10162,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "218 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6893eee9bf1b30e08d1a6d8e",
"name": "Ransom:Win32/CVE - Denver \u2022 Community Lifestyle Neighborhood",
"description": "*Ransom:Win32/CVE - * Win.Dropper.Stone-9856966-0,\nDenver \u2022 Community Lifestyle Neighborhood. \nCorporate & Leasing Office corrupted with spyware. There is a single verified monitored target. All technology devices corrupted, at least 2 phones monitored, YouTube is courtesy of hackers. Several in person and phone investigations, staff change and they know nothing about leasing apartments, townhomes , etiquette, poor communication. Target also investigated. It appears to be harassment, intimidation and monitoring for unspecified reasons. The parking lot is stacked with obvious people sitting in their vehicles for hours. It\u2019s unclear if the staffing change is legitimate or part of an investigation.",
"modified": "2025-09-05T23:02:52.811000",
"created": "2025-08-07T00:10:17.696000",
"tags": [
"address google",
"safe browsing",
"united",
"typeof",
"passive dns",
"body doctype",
"nreum",
"date",
"gmt server",
"apache x",
"cnection",
"content type",
"span",
"ok transfer",
"encoding",
"x powered",
"unknown soa",
"unknown ns",
"showing",
"entries",
"next associated",
"urls show",
"body",
"encrypt",
"search",
"ip address",
"creation date",
"record value",
"present jul",
"present may",
"present apr",
"certificate",
"present aug",
"present feb",
"present dec",
"present nov",
"error",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"found",
"development att",
"sha1",
"copy md5",
"copy sha1",
"copy sha256",
"mitre att",
"show technique",
"ck matrix",
"pattern match",
"ascii text",
"august",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"itre att",
"accept",
"sha256",
"size",
"type data",
"utf8 text",
"document file",
"flag",
"server",
"european union",
"name server",
"tor analysis",
"dns requests",
"domain address",
"ii llc",
"windir",
"openurl c",
"prefetch2",
"show process",
"ogoogle trust",
"network traffic",
"organization",
"elton avundano",
"object",
"title object",
"header http2",
"returnurl",
"texas",
"rsa ov",
"ssl ca",
"status",
"australia",
"netherlands",
"urls",
"gmt path",
"hostname add",
"pulse submit",
"present oct",
"e safe",
"results jul",
"response ip",
"present jan",
"name servers",
"verdict",
"domain",
"files ip",
"address domain",
"xhr start",
"xhr load",
"aaaa",
"read c",
"show",
"port",
"destination",
"high",
"delete",
"outbound m3",
"copy",
"write",
"persistence",
"execution",
"malware",
"generic",
"unknown",
"present mar",
"dynamicloader",
"wine emulator",
"dynamic",
"medium",
"read",
"associated urls",
"date checked",
"url hostname",
"server response",
"google safe",
"dnssec",
"domain name",
"solutions",
"llc status",
"next passive",
"dns status",
"hostname query",
"files show",
"date hash",
"avast avg",
"overview ip",
"address",
"related nids",
"files location",
"flag united",
"hostname",
"files domain",
"win32",
"mtb feb",
"trojan",
"susp",
"trojandropper",
"msr feb",
"trojanspy",
"virtool",
"win64",
"defense evasion",
"t1480 execution",
"file defense",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"file discovery",
"utf8",
"crlf line",
"a domains",
"script urls",
"link",
"unknown aaaa",
"meta",
"atom",
"results jan",
"present",
"present sep",
"akamai",
"asn as16625",
"less whois",
"registrar",
"http",
"france flag",
"france hostname",
"files related",
"url analysis",
"files",
"location france",
"detailed error",
"sec ch",
"ch ua",
"ua full",
"ua platform",
"moved",
"name",
"perfect privacy",
"error jul",
"next related",
"domains show",
"domain related",
"url add",
"pulse pulses",
"hosting",
"reverse dns",
"france asn",
"as16276",
"dns resolutions",
"datacenter",
"regopenkeyexa",
"regsetvalueexa",
"windows nt",
"regdword",
"hostile",
"service",
"delphi",
"next",
"pulses none",
"related tags",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"review",
"data upload",
"extraction",
"khtml",
"gecko",
"olet",
"cnlet",
"tlsv1",
"hacktool",
"push",
"ms windows",
"intel",
"pe32",
"users",
"precreate read",
"ransom",
"code",
"installer",
"june",
"media",
"autorun",
"next yara",
"detections name",
"aspackv2xxx",
"eu alexey",
"alerts",
"pe file",
"filehash",
"sha256 add",
"av detections",
"ids detections",
"yara detections",
"analysis date",
"april",
"packing t1045",
"t1045",
"t1060",
"registry run",
"keys",
"user execution",
"icmp traffic"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1132,
"URL": 6245,
"hostname": 2264,
"FileHash-SHA256": 1857,
"FileHash-SHA1": 491,
"email": 9,
"FileHash-MD5": 573,
"SSLCertFingerprint": 16
},
"indicator_count": 12587,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "225 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6891bf5f58c1ae303f6d313e",
"name": "Jeeng | Powerbox | Tracking | Mirai \u2022 Palantir plugin",
"description": "#ELF:Mirai-ALC\\ [Trj]\n* [https://d1-myadmin.dpdlocal.co.uk/login]\n\u2022 [cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap]\nAlfper:BrowserModifier:Win32/DeepSync.C\n#prometheus #trojan #malware #elf #mirai dpd #palantir # plugin #tracking #monitoring #call #tracker #spyware #worm #virus #election_ news",
"modified": "2025-09-04T08:05:56.240000",
"created": "2025-08-05T08:22:55.113000",
"tags": [
"url https",
"indicator role",
"title added",
"active related",
"pulses url",
"entries",
"url http",
"type indicator",
"role title",
"added active",
"related pulses",
"showing",
"iocs",
"learn more",
"filehashsha256",
"types",
"indicators show",
"search",
"present jul",
"present jun",
"present may",
"present aug",
"present apr",
"present mar",
"present feb",
"united",
"unknown aaaa",
"all ipv4",
"pulse pulses",
"passive dns",
"urls",
"files",
"reverse dns",
"location united",
"america flag",
"america asn",
"open",
"registrar",
"limited ta",
"com laude",
"nomiq",
"creation date",
"ip address",
"date",
"domain",
"hostname",
"files ip",
"address",
"asn as21342",
"scan",
"ipv4",
"pulses",
"servers",
"hostname add",
"pulse submit",
"url analysis",
"verdict",
"france unknown",
"name servers",
"present",
"whois show",
"record value",
"domain name",
"expiration date",
"status",
"domain add",
"filehashmd5",
"idhttp",
"tidcustomhttp",
"classes",
"medium",
"crlf line",
"show",
"registry",
"service",
"copy",
"patch",
"write",
"next",
"markus",
"delphi",
"win32",
"persistence",
"execution",
"http",
"files domain",
"files related",
"pulses none",
"related tags",
"none google",
"refresh57959",
"windows xp",
"pack",
"shows",
"cc08",
"f06a6b",
"pulses hostname",
"germany unknown",
"aaaa",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"spawns",
"development att",
"sha1",
"copy md5",
"copy sha1",
"copy sha256",
"sha256",
"ascii text",
"pattern match",
"mitre att",
"show technique",
"format",
"august",
"hybrid",
"local",
"path",
"click",
"strings",
"filehashsha1",
"palantir feb",
"difference feb"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3809,
"hostname": 1197,
"domain": 456,
"FileHash-MD5": 170,
"FileHash-SHA256": 579,
"FileHash-SHA1": 161,
"CVE": 1,
"email": 1,
"SSLCertFingerprint": 6
},
"indicator_count": 6380,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "227 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"Requires further research.",
"http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==",
"The Blender Foundation",
"accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"Matches rule POLICY-OTHER TOR Project domain request",
"Contacted ipp.getcash2018.com conf.f.360.cn",
"Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true",
"www.onyx-ware.com \u2022 https://www.endgamesystems.com/",
"RULE_LINK: https://valhalla.nextron-systems.com/info/rule/EternalRocks_svchost_FR",
"hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann",
"Malware Hosting: 13.107.226.70",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"pegasuspartners.followupboss.com",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"Alerts: queries_programs antivm_queries_computername antivm_memory_available",
"ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com",
"https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==",
"Malicious Antivirus Detections #VirTool:Win32/Obfuscator.ADB",
"verify.gov.tl",
"https://www.fidelity.com/ https://www.fidelity.com/",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks",
"Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.",
"Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True",
"Alerts: enumerates_running_processes reads_self packer_unknown_pe_section_name contains_pe_overlay dropper queries_keyboard_layout",
"http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/",
"Alerts: resumethread_remote_process network_connection_via_suspicious_process network_cnc_http",
"api.optimizer.insitemaxdev.gov2x.com",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"Typing a suicide note on social media is suspicious since it could come from your murderer.",
"Researched: https://hcpf.colorado.gov/",
"sprouts@em.sprouts.com?",
"EternalRocks MALWARE RANSOM TROJAN EVADER",
"Domains Contacted: pitfall.divx.com www.google.com",
"you.are.poor.i.got.trap.money?",
"https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/",
"https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"New? patch-aws-8y03-v202542-266-2.space.prod.a0core.net",
"Global Airline Threat - though targeting seems to be involved",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108",
"supplierportal.gov2x.com",
"https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/",
"https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 778",
"It appears there are 5-7 known affected that I was able to find",
"http://blackrock.work.gd/",
"https://www.fireeye.com/",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238",
"https://www.teslarati.com/spacex",
"ConventionEngine_Term_Dropbox \u2022 Dropbox",
"Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189",
"IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"w32.virut.cf \u2022 win32.virut.am \u2022 virut.cf \u2022 http://w32.virut.cf \u2022http://w32.virut.cf/ \u2022 https://w32.virut.cf",
"moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"Matches rule INDICATOR_EXE_Packed_ConfuserEx from ruleset indicator_packed",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"According to accounts she was afraid for her life , found to be safe then took her own life?",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 252",
"supply.qld.gov.au",
"DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"and our limited information, is Daisy a victim or a crisis actor?",
"ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com \u2022\u2019survey-smiles.com",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://www.anyxxxtube.net/search-porn/",
"Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com",
"162.159.134.42 \u2022 https://cellebrite.com/",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"Same legal , and quasi governmental pattern identified",
"fidelity-account.com e http://fidelity-account.com/fidelity/code.html",
"https://otx.alienvault.com/indicator/domain/Tamlegal.com",
"android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]",
"Xpirat = doomscroller.io",
"Terse HTTP 1.0 Request Possible Nivdort Trojan-Banker.Win32.Agent.ree Checkin Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 4 AlphaCrypt CnC Beacon 3 WS/JS Downloader Mar 07 2017 M1 Koobface HTTP Request (2) Alphacrypt/TeslaCrypt Ransomware CnC Beacon",
"Primary Request aspnet dotnet.microsoft.com/en-us/apps/ Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/ https://dotnet.microsoft.com/en-us/apps/aspnet",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226",
"https://otx.alienvault.com/user/gameprofits.io",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.",
"Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit",
"CVE FileHash-SHA256 36e49940232d00b021793c3cd7df19200c875ce3beb1992ecc59f6f8f6389be8",
"Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"EternalRomance, and EternalSynergy. Stealth",
"https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57",
"ConventionEngine_Anomaly_MultiPDB_Double",
"20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"http://wonporn.com/top/Pakistani_Sucking",
"Antivirus Detections: Win.Ransomware.Wanna-9769986-0 , Ransom:Win32/WannaCrypt.H",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Alerts: cape_detected_threat https_ urls",
"Interesting: unitedhealthcare cdn.member.unitedhealthcare.com \u2022 data.aca.unitedhealthcare.com \u2022 data.member.unitedhealthcare.com",
"Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me",
"http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=",
"Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Shelton, Nasreddine Bencherchali (Nextron stems",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"fastwebnet.it | Cellebrite White Label Spyware Service",
"Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll https://myhpnmedicaid.com/Provider",
"Domains Contacted: drive.usercontent.google.com",
"https://www.teslarati.com/",
"Yara Detections: SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost ,",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101",
"RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK",
"Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com",
"https://hybrid-analysis.com/sample/dd09e575e6dfa77f081bf0014b2494e02f90cb23723fbb35d6b2a92e7c629920/689fcc40b786f8eaa20534b5",
"Interesting Domain Tactics: https://click.benefits.unitedhealthcare.com/",
"Matches rule Suspicious History File Operat Mikhail Larin, oscd.community",
"https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/",
"Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,TrojanDownloader:Win32/Eterock.A",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.",
"Matches rule SUSP_NET_NAME_ConfuserEx from ruleset gen_github_net_redteam_tools_names by Arnim Rupp",
"deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.",
"https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"Observed DNS Query to .biz TLD Namecheap URL Forward GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 403 Forbidden",
"Domains Contacted api.nuget.org",
"https://tulach.cc/ | Brian Sabey",
"Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .",
"Denver, US 80211 http://library.verizon.onereach.ai",
"Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/",
"http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022",
"http://appleid.app",
"https://cellebrite.com/en/federal-government/",
"IDS Detections: DNS Query to Expiro Related Domain (knjghuig .biz) Known Sinkhole Response Header Win32/Expiro CnC Activity (POST) Win32/Expiro.NDO CnC Activity Observed DNS Query to .biz TLD Namecheap URL Forward 403 Forbidden",
"CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"pandacookie2018.xyz",
"DNS Lookup) Possible ETERNALBLUE Probe MS17-010 (MSF style) Possible ETERNALBLUE Probe MS17-010 (Generic Flags) ETERNALBLUE Probe Vulnerable System Response MS17-010 Possible ETERNALBLUE MS17-010 Heap Spray More Yara Detections WannaCry_Ransomware , Win32_Ransomware_WannaCry , Wanna_Cry_Ransomware_Generic , MS17_010_WanaCry_worm , stack_string More Alerts 25 Alerts suspicious_iocontrol_codes persistence_autorun persistence_autorun_tasks stealth_file suricata_alert antivm_generic_disk anomalous_deletefil",
"Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"ET TROJAN W32/Kegotip CnC Beacon",
"https://passwords.google/?utm_medium=hpp&utm",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"putrhnwl.exe",
"http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/",
"https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Matches rule SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Ransomware)",
"http://p2d.josht.ca/assets/content-delivery/depots/download",
"Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers",
"https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"ConventionEngine_Term_Users",
"test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
"Matches rule ET POLICY TLS possible TOR SSL traffic",
"applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e",
"Potentially disturbing , personal , invasive, aggressive, intimate behavior of party.",
"https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"Provided documented evidence of appealed state issued plan and disclosed financials.",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced IDS rules",
"Matches rule SURICATA STREAM Packet with invalid timestamp",
"Yara Detections: EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"Win32/Agent.BH PUP/PUA Downloader CnC Checkin",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 333",
"remotewd.com device local",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161",
"Alerts: antivm_generic_disk anomalous_deletefile antisandbox_sleep dynamic_function_loading",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://hybrid-analysis.com/sample/e439d3dd3d943ecc702d12998a32e15c00008a8f276e6c89cb54f6de43f36de8/689fccb81c4f237eb6009b0f",
"Fireye - FEDNS1.FIREEYE.COM",
"endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander",
"I apologize for the lack of reference.",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934",
"ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,",
"All IP\u2019s Contacted 27.102.115.143 199.232.210.172 Domains",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"Matches rule EternalRocks_svchost from ruleset crime_eternalrocks by Florian Roth (Nextron Systems)",
"https://www.vgt.pl/favicon.ico",
"Sprouts Farmers Market",
"ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"ELF:Mirai-ATI | United Healthcare Dark? | https://otx.alienvault.com/indicator/ip/205.132.162.113",
"Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)",
"https://jviwczq.zc-apple.com/",
"Matches rule ET JA3 Hash - [Abuse.ch] Possible Ransomware",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw",
"Matches rule Windows Processes Suspicious Parent Directory by vburov",
"dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/",
"cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf",
"Researched publicly available information provided by representative of a target\u2019s estate",
"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png",
"Needs to be sorted. Actively being exploited on US",
"graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system",
"Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?",
"http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/",
"Daisy was allegedly brutally assaulted by Matthew Barnett,",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"Alerts: virus polymorphic procmem_yara static_pe_anomaly suricata_alert antivm_bochs_keys",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"bricked.wtf",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/",
"CVE FileHash-SHA256 7ca48970b1b9c076f6bd59c1b10e26c47e7acd954869510c1dcdf97dac9b8c2e",
"Interesting: memberforms.optumrx.com \u2022 myoptum.info \u2022 optumrx.com \u2022 cte-scl.new.optumrx.com \u2022 dev-scl.optumrx.com",
"https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram",
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.teslarati.com/wp-content/themes/teslarati-mag/map/",
"https://bhive.nectar.social/rKvoMY",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238",
"NSA Exploits Used: The malware uses seven Shadow Brokers-leaked tools, including EternalBlue, EternalChampion,",
"dev.myhpnmedicaid.com",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d",
"Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com",
"Alerts: suspicious_iocontrol_codes polymorphic static_pe_anomaly suricata_alert",
"Alerts: suspicious_iocontrol_codes network_bind ransomware_file_modifications stealth_file",
"https://p2d.josht.ca/api/depots/info/?depot=",
"IDS Detections ET POLICY Suspicious User-Agent Containing .exe",
"DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz",
"https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/",
"Target also owned an online brokerage & lead company, was agent & insurance marketer for years.",
"Alerts: network_http packer_unknown_pe_section_name dropper",
"mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my",
"If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI",
"I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"Alerts: physical_drive_access deletes_executed_files anomalous_deletefile",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"careersandenterprise.appleid.com \u2022 http://apple.appleid.com/",
"p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"Matches rule ET JA3 Hash - Possible Malwar RigEK/Cryptowall/Dridex",
"Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"The 2017 timeline accurately fits victim\u2019s major financial and other continuous First attacks began in 10/2013. Upgraded",
"Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984",
"http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com",
"https://www.sweetheartvideo.com/scenes?models=63710",
"Yara: Detections Tofsee",
"Trojan-Banker.Win32.Agent.ree Checkin Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 4 AlphaCrypt CnC Beacon 3 WS/JS Downloader Mar 07 2017 M1 Koobface HTTP Request (2) Alphacrypt/TeslaCrypt Ransomware CnC Beacon",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut",
"Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.",
"Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"FireEye was there in 2 year old pulse now removed? I\u2019ll find it.",
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"okta-dev.gov2x.com",
"Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au",
"https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears",
"http://watchhers.net/index.php",
"TNULL: unknown empty EMPTY FILEHASH-MD5 d41d8cd98f00b204e9800998ecf8427e",
"http://www.visitbooker.com/Dropbox-07/index.htm",
"http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link",
"Alerts: network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_i",
"There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.",
"Matches rule MALWARE-CNC DNS Fast Flux attempt",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.",
"FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,",
"Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community",
"ET DNS DNS Query to a .tk domain - Likey",
"Registrant Org: Japan Computer Emergency Response Team Coordination Center",
"Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes",
"System has placed affected on multiple policies cancelling private policy without notice.",
"Is that where they\u2019re getting these names? Rexxfield.com. SMH",
"https://aws.hirecar.net/",
"REFERENCE: https://twitter.com/stamparm/status/864865144748298242 RULE_AUTHOR: Florian Roth",
"Pegasus | A targets devices are obviously infiltrated",
"External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |",
"Source : Binary File ATT&CK ID T1566.002",
"Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name",
"According to newspaper accounts and Daisy Coleman committed suicide in Lakewood , Co in 2021",
"IP\u2019s Contacted : 54.230.129.165",
"https://github.com/stamparm/EternalRocks",
"ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.",
"With so many \u2018officials\u2019 involved, it\u2019s hard to believe \u2018 The Shadow Brokers\u2019 isnt a government entity.",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Sigma Matches",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"millet-usgc-1.palantirfedstart.com",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected: Redirect Types: Delayed Redirect Redirects to: /doodles/ Suspicious",
"IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)",
"Alerts: resumethread_remote_process antivm_generic_disk antisandbox_sleep dynamic_function_loading",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.",
"ASP.net - chance to win prizes! \u53e3\u3001\u4ecb\u5973\u8fa3 All Microsoft Learn more ASP.NET Free. Cross-platform\u2026.",
"https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/",
"Alerts: exe_appdata injection_process_search privilege_luid_check process_interest",
"September began with false information, defaulted claims , denials from authorized services rendered years prior.",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"Sabey , Ahmann, Quasi Government, Government",
"cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html",
"ASP.net Open source. A framework for building web apps and services with .NET and C#",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.",
"Scanning Host: 13.107.246.70",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Yara Matches",
"So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?",
"Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)",
"search.roi.ros.gov.uk",
"ASP.net - Hack Together: Mar 1-15 Join the hack. Build an app with NET & Microsoft Graph for a\u2026 .",
"ET TROJAN Suspicious double Server Header",
"http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com",
"https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/",
"Appears to be closely associated with close relative and initial victim of attack.",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 815",
"IDS Detections: DNS Query to Expiro Related Domain (przvgke .biz)",
"Matches rule DELETED SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt",
"https://dotnet.microsoft.com/en-us/apps/aspnet",
"https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356",
"102 Yara Detections: XOR_embeded_exefile_xored_with_round_256_bytes_key",
"https://forwardemail.net/es/blog/open-source/apple-email-clients",
"Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com",
"http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html",
"Detected Non-Google domain serving Google homepage details",
"IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers",
"http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/",
"https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"website \u2022 http://oldapps.com/blender.php?old_blender=7584",
"iot.insitemaxdev.gov2x.com",
"Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"Matches rule Uncommon Schost Parent Process by Florian Roth (Nextron Systems)",
"Handled by Lumen Technologies | What kind of darkness is this?",
"Interesting: dev-optum-dataintelligence.com \u2022 optumcoding.xxx \u2022 optuminsightcoding.xxx \u2022 optumrx.xxx",
"http://api.jmtstudios.org/",
"https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms",
"http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022 https://pickyhot.disqus.com/tsara-brashears",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"DESCRIPTION: Detects EternalRocks Malware - file taskhost.exe",
"IDS Detections: Possible ETERNALROCKS .Net Module Download TLS Handshake Failure",
"EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"div>
",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"Strangely NSO Group The Lazarus Group The Shadow Brokers and others attack an individual",
"https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966",
"Yara Detections: Nullsoft_NSIS",
"https://hybrid-analysis.com/sample/f095ee58f390749315e72cfa46d979cb25a15884b66c7951719c844ebc82b3a3/689fcc753aca4827cd036851",
"business-support.intel.com \u2022 dns0.org \u2022 http://g-ns-1047.awsdns-20.org/",
"pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl",
"(The Shadow Brokers NSA dump) SMB exploits: ETERNALBLUE, ETERNALCHAMPION,",
"https://l.us-1.a.mimecastprotect.com/l",
"More PE Packer Microsoft Visual C++ Compilation | File Type PEXE - PE32 executable (GUI) Intel 80386, for MS Windows",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"Dynamic sandbox CZAE flags this file as: STEALER",
"http://www.nexcentra.com/fox-news-faces-another-sexual-harassment-lawsuit",
"Alerts: injection_rwx antivm_checks_available_memory queries_computer_name",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"https://cdn.teslarati.com \u2022 https://forums.teslarati.com/",
"oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download",
"freedns.afraid.org",
"Matches rule Uncommon Svchost Command Line Parameter by Liran Ravich",
"http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/ \u2022 http://pma.josht.ca/ \u2022 http://sa.josht.ca",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /",
"https://www.jmtstudios.org/farewell/",
"http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Alf:trojan:win32/anorocuriv.a",
"Trojandropper:win32/dinwod",
"Win32:trojan-gen",
"Trojan:win32/qshell",
"#lowfienabledtcontinueafterunpacking",
"Trojanspy:win32/nivdort",
"Win32:trojan",
"Virut",
"Danabot",
"Crypt3.blxp",
"Trojan:win32/ircbot",
"Crypt3.ckto",
"Trojan:win32/smkldr.h!mtb",
"Cve-2017-0148",
"#lowfi:lua:mampa:99!ml",
"Trojanspy:win32/nivdort.cb",
"Alf:program:win32/webcompanion",
"Alf:jasyp:trojan:win32/ircbot!atmn",
"Backdoor:win32/prorat.l",
"Win.trojan.dialog-9873788-0",
"Lizar",
"Et",
"Crypt3.bxmj",
"Win32/blacked",
"Packed- multiple malware",
"Dnstrojan",
"Exploit:powershell/cve-2017-0143",
"Trendmicro",
"Crypt3.boqd",
"Trojan:win32/miner.ka!mtb",
"Crypt3.boiu",
"Cobalt strike",
"Elf:mirai-ati",
"Win.malware.snojan-6775202-0",
"Trojandropper:win32/zegost.b",
"Win32:malware-gen",
"Generic36.aiaa.dropper",
"Mydoom",
"Sova",
"Ransomware/win.stop.r4529",
"Upadter",
"Alf:heraklezeval:trojan:win32/eqtonex.f",
"Win.trojan.barys-10005825-0",
"Win.trojan.cobaltstrike-9044898-1",
"Win32/backdoorx",
"Trojan:win32/glupteba.ov!mtb",
"Tofsee",
"Trojan:pdf/phish.rr!mtb",
"Trojan:win32/aptdrop.ru",
"Hider.biy",
"#lowfi:hookwowlow",
"Trojanspy:win32/nivdort.bg",
"Alf:jasyp:trojan:win32/genmaldown!atmn",
"Win32.injector",
"Win.trojan.vbgeneric-6735875-0",
"Downloader.generic13.cmtw",
"Backdoor:linux/demonbot",
"Trojan:win32/ausiv!rfn",
"Worm:win32/autorun",
"Trojandownloader:win32/upatre.aa",
"Win.trojan.agent-245901",
"Win32/ramnit.a",
"Bouncycastle",
"Crypt3.cmtm",
"Eternalrocks",
"Win32:evo-gen\\ [susp]",
"!#hstr:siggen0136cb6c",
"Tsunami-6981155-0",
"Ploprolo",
"Jaik",
"Virtool:win32/ceeinject.gen!ah",
"Trojan.eternalrocks/shadowbrokers",
"Ms defender\ttrojan:win32/qbot.kvd!mtb",
"Ransom:win32/wannacrypt.h",
"Trojandropper:win32/muldrop.v!mtb",
"W32/kegotip cnc",
"Trojandropper:win32/qhost",
"#lowfi:hstr:virtool:win32/obfuscator!diplugem.f",
"Prorat",
"Inject2.bhbw",
"Trojandownloader:win32/cutwail.bs",
"Win32:trojano-chf\\ [trj]",
"Win.malware",
"Sodinoki",
"Domino",
"Crypt3.bxvc",
"Unix.trojan.tsunami-6981155-0",
"W32.virut.ci",
"Trojan:win32/emotet.pc!mtb",
"Icedid",
"Win.downloader.3867-1",
"Trojan:win32/conbea!rfn",
"Atros3.ahfb",
"Win.ransomware.wanna-9769986-0",
"Worm:win32/mofksys.rnd!mtb",
"Other malware",
"Project nemesis",
"Backdoor:win32/tofsee.t",
"Win.trojan.fareit-82",
"Win64:trojan-gen",
"Generic36.ajsm",
"Slf:win64/cobpipe.a",
"Win.malware.jaik-9940406-0",
"Sf:shellcode-au",
"Cutwail",
"Crypt3.bxgr",
"Malware",
"Trojandownloader:win32/cutwail",
"Crypt5.bbyh",
"Trojan:win32/danabot",
"Zbot",
"Mirai",
"Sf:shellcode-au\\ [trj]",
"Crypt3.coiz",
"Alf:heraklezeval:trojan:msil/gravityrat",
"Alf:trojan:win32/cryptwrapper.rt!mtb",
"Win32/virut",
"Win32:malwarex-gen",
"Trojan:win32/mydoom",
"Crypt3.boje",
"Ransom:win32/revil.a",
"Trojan:win32/zbot.sibb6!mtb",
"Win.trojan.injector-12138",
"Upatre",
"Trojan:win32/zombie.a",
"Inject2.bive",
"#virtool:win32/obfuscator.",
"Worm:win32/autorun.xxy!bit",
"Trojan:win32/fugrafa",
"Pegasus",
"Alf:heraklezeval:trojan:win32/clipbanker",
"Worm:win32/autorun!atmn",
"Crypt4.ahsw",
"Bc.win.packer.troll-11",
"Backdoor:win32/small.ir",
"Custom malware",
"Etpro",
": alf:trojan:msil/azorult.ac!",
"Win.trojan.rootkit-4532",
"#lowfi:lua:dllsuspiciousexport.a",
"Zegost",
"Win.trojan.emotet-9850453-0",
"Bayrob",
"Win.trojan.agent-31853",
"Downloader.generic13.bobz",
"Win.trojan.pushdo-15",
"Win32:trojanx-gen\\ [trj]",
"Virtool:win32/injector.gen!bq",
"Win.packed.generic-9967832-0",
"Win.malware.convagent-9981433-0",
"Trojan:win32/daws",
"Trojan:msil/ursu.kp",
"Generic36.adty",
"Worm.autorun-6180",
"Trojan:bat/musecador",
"Win.malware.vmprotect-9880726-0",
"#lowfi:hstr:installer:multiplug",
"Carbanak"
],
"industries": [
"Hospitality",
"Contracts",
"Civil society",
"Health",
"Insurance",
"Legal",
"Retail",
"Civilians",
"Technology",
"Journalists",
"Telecom",
"Telecommunications",
"Healthcare",
"Financial",
"Finance",
"Government"
],
"unique_indicators": 246264
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/josht.ca",
"whois": "http://whois.domaintools.com/josht.ca",
"domain": "josht.ca",
"hostname": "test.josht.ca"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 42,
"pulses": [
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b49ad5dd40a24d83cd6a72",
"name": "Chris P. Ahmann \u2022 PRIVATE PROPERTY Colorado State Fixer!",
"description": "",
"modified": "2026-03-13T23:16:37.716000",
"created": "2026-03-13T23:16:37.716000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "69631fbd16e306ee2b76c4da",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "36 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b496396ca4987e95ad37d1",
"name": "Chris Buzz by QVashni (wow)",
"description": "",
"modified": "2026-03-13T22:56:57.314000",
"created": "2026-03-13T22:56:57.314000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "69482caa00d327da8f0a87bc",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "36 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b49587dd104e342dda1628",
"name": "C Ahman Attorney Clone by Top Tier, Q.Vashti",
"description": "",
"modified": "2026-03-13T22:53:59.112000",
"created": "2026-03-13T22:53:59.112000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "691f4d4ef0a2a570b8b21cd2",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "36 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2b7cb05b2098c1d2bf20f",
"name": "federal goverment clone cellbrite credit q vashti",
"description": "",
"modified": "2026-03-12T12:55:39.046000",
"created": "2026-03-12T12:55:39.046000",
"tags": [
"url https",
"url http",
"germany",
"united",
"ukraine",
"japan",
"extraction",
"data upload",
"urls",
"url analysis",
"enter sc",
"extr",
"iocs",
"active",
"france unknown",
"present jan",
"servers",
"homair sweet",
"grabber",
"encrypt",
"ipv4",
"role title",
"divx",
"pitfall",
"internet",
"ip role",
"america asn",
"extraction data",
"leveibielabs",
"all se",
"enter source",
"url or",
"texirag",
"drop",
"present nov",
"united states",
"america",
"levdibidelabs",
"failed",
"idron anv",
"include manualv",
"review data",
"iterng",
"name servers",
"passive dns",
"incapsula",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"script head",
"request",
"cookie",
"indicator",
"msie",
"chrome",
"backdoor",
"gmt content",
"ipv4 add",
"twitter",
"title",
"process32nextw",
"ms windows",
"intel",
"pe32",
"regopenkeyexa",
"read c",
"medium",
"class",
"write",
"template",
"present oct",
"present jul",
"aaaa",
"present sep",
"present aug",
"url add",
"http",
"hostname",
"related tags",
"kx81xdbx0f",
"x86xd3",
"xa7xe28x06",
"x82xd4",
"delete c",
"regsetvalueexa",
"regbinary",
"xa1xf1",
"xe8xc2x14",
"malware",
"stream",
"unknown",
"win32",
"persistence",
"execution",
"push",
"present dec",
"italy",
"present jun",
"embeddedwb",
"whitelisted",
"windows nt",
"dns traffic",
"russia",
"cname",
"accept",
"destination",
"port",
"et smtp",
"message",
"et trojan",
"components",
"suspicious",
"download",
"hostile",
"next",
"logic",
"gather victim",
"et info",
"etpro trojan",
"trojan",
"report spam",
"interesting",
"created",
"pegasus",
"manipulation",
"service",
"capture",
"et",
"etpro",
"host",
"attack",
"mtb description",
"windows",
"shellexecuteexw",
"writeconsolew",
"registry",
"t1031",
"modify existing",
"dock",
"type indicator",
"added active",
"related pulses",
"arcflex",
"filehashsha1",
"types of",
"learn more",
"filehashsha256",
"cellebrite",
"white label",
"search",
"sha1",
"france",
"cmanual jan",
"expiration date",
"domain add",
"pulse submit",
"files",
"ip address",
"gmt cache",
"sameorigin",
"reverse dns",
"unknown ns",
"admin org",
"zipcode",
"gmt server",
"pulse pulses",
"entries",
"hostname add",
"verdict",
"germany unknown",
"status",
"domain",
"xpirat",
"netherlands",
"netherlands asn",
"as35280 acorus",
"dns resolutions",
"error",
"files ip",
"copy",
"telnet login",
"suspicious path",
"busybox",
"login attempt",
"gpl telnet",
"high",
"tcp syn",
"telnet root",
"path",
"mirai",
"emails",
"domain name",
"jlu11q",
"tqbplo",
"hours ago",
"found",
"yahoo",
"gmail",
"yandex",
"https://cellebrite.com/en/federal-government/",
"monitoring",
"monitored target",
"dangerous",
"spyware",
"80211",
"colorado",
"x amz",
"government",
"mirai login attempt",
"emotet",
"c2",
".ru",
".com",
"denver",
"indicator role",
"title added",
"active related",
"pulses hostname",
"dead connect",
"hostile",
"adversarial",
"abuse",
"criminal intent",
"block messages",
"botnet"
],
"references": [
"fastwebnet.it | Cellebrite White Label Spyware Service",
"putrhnwl.exe",
"Yara Detections: Nullsoft_NSIS",
"Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut",
"Alerts: exe_appdata injection_process_search privilege_luid_check process_interest",
"Alerts: queries_programs antivm_queries_computername antivm_memory_available",
"IP\u2019s Contacted : 54.230.129.165",
"Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com",
"Domains Contacted: pitfall.divx.com www.google.com",
"RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Yara: Detections Tofsee",
"Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey",
"Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername",
"https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966",
"FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,",
"DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe",
"ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116",
"ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116",
"ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101",
"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108",
"ET TROJAN Suspicious double Server Header",
"ET DNS DNS Query to a .tk domain - Likey",
"ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101",
"Needs to be sorted. Actively being exploited on US",
"162.159.134.42 \u2022 https://cellebrite.com/",
"https://cellebrite.com/en/federal-government/",
"moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in",
"skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au",
"http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com",
"applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33",
"mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my",
"http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Germany",
"Ireland",
"Switzerland",
"Poland",
"Belgium",
"Netherlands",
"Sweden"
],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
},
{
"id": "Trojan:Win32/Emotet.PC!MTB",
"display_name": "Trojan:Win32/Emotet.PC!MTB",
"target": "/malware/Trojan:Win32/Emotet.PC!MTB"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Trojan:Win32/Danabot",
"display_name": "Trojan:Win32/Danabot",
"target": "/malware/Trojan:Win32/Danabot"
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Trojan:Win32/Aptdrop.RU",
"display_name": "Trojan:Win32/Aptdrop.RU",
"target": "/malware/Trojan:Win32/Aptdrop.RU"
},
{
"id": "Ransomware/Win.Stop.R4529",
"display_name": "Ransomware/Win.Stop.R4529",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Win32/BackdoorX",
"display_name": "Win32/BackdoorX",
"target": null
},
{
"id": "Win.Trojan.Dialog-9873788-0",
"display_name": "Win.Trojan.Dialog-9873788-0",
"target": null
},
{
"id": "Tsunami-6981155-0",
"display_name": "Tsunami-6981155-0",
"target": null
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1195",
"name": "Supply Chain Compromise",
"display_name": "T1195 - Supply Chain Compromise"
},
{
"id": "T1196",
"name": "Control Panel Items",
"display_name": "T1196 - Control Panel Items"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1414",
"name": "Capture Clipboard Data",
"display_name": "T1414 - Capture Clipboard Data"
},
{
"id": "T1505",
"name": "Server Software Component",
"display_name": "T1505 - Server Software Component"
},
{
"id": "T1556",
"name": "Modify Authentication Process",
"display_name": "T1556 - Modify Authentication Process"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1581",
"name": "Geofencing",
"display_name": "T1581 - Geofencing"
},
{
"id": "T1582",
"name": "SMS Control",
"display_name": "T1582 - SMS Control"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1587",
"name": "Develop Capabilities",
"display_name": "T1587 - Develop Capabilities"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [
"Journalists",
"Government",
"Civil Society"
],
"TLP": "green",
"cloned_from": "696f7d467763ed4d4e74d133",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4994,
"domain": 2519,
"hostname": 3281,
"FileHash-SHA256": 4467,
"FileHash-MD5": 1118,
"FileHash-SHA1": 1056,
"email": 12,
"SSLCertFingerprint": 1
},
"indicator_count": 17448,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d6afd744c55bd596ed6e",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:27.248000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "53 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d6a601f06adcd1ed22fc",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:18.022000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "53 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d69ecbc0497f97e28618",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:10.502000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "53 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6975c5cd4db6104ea1a3d69b",
"name": "The Blender Foundation BouncyCastle-Virut | Malware /Stealer Empty FileHash | Eternal7 (Shadow Broker) Related",
"description": "Empty FileHash isn\u2019t benign. Interesting relationships to the Eternal 7. Malware, Stealer and Suspicious History File Operation. BouncyCastle-Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys / Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"modified": "2026-02-24T06:02:43.853000",
"created": "2026-01-25T07:27:09.640000",
"tags": [
"empty",
"blender",
"eurostile",
"augustin",
"butterfield",
"cook",
"drummer",
"erickson",
"fjsv",
"flynn",
"gorman",
"holmes",
"easy",
"rada",
"xanadu",
"config",
"reboot",
"screen",
"microsoft",
"commerce server",
"edition",
"draw",
"exchange server",
"tools",
"linux",
"ideal link",
"nsrl test",
"nist",
"file",
"cultureneutral",
"fix pack",
"free download",
"bouncycastle",
"read c",
"search",
"et trojan",
"w32kegotip cnc",
"whitelisted",
"ids detections",
"intel",
"write",
"trojan",
"malware",
"yara detections",
"productversion",
"fileversion",
"av detections",
"alerts",
"analysis date",
"file score",
"united",
"aaaa",
"passive dns",
"ip address",
"present dec",
"body html",
"head meta",
"title",
"urls",
"url https",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"beacon",
"et",
"ipv4",
"files",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"related pulses",
"show",
"win32virut",
"destination",
"port",
"ms windows",
"pe32",
"medium",
"suspicious",
"virustotal",
"startul",
"shadowbrokers",
"total",
"delete",
"artemis",
"win32.injector",
"trendmicro",
"data upload",
"extraction",
"included iocs"
],
"references": [
"The Blender Foundation",
"website \u2022 http://oldapps.com/blender.php?old_blender=7584",
"oldapps \u2022 http://oldapps.com/blender.php?old_blender=7584?download",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"android-cts-7.1_r6-linux_x86-arm.zip [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]",
"Empty FileHash - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"Empty FileHash -Matches rule Suspicious History File Operations by Mikhail Larin, oscd.community",
"Empty FileHash - Malware,Stealer, Related to ShadowBrokers EternalRocks",
"ET TROJAN W32/Kegotip CnC Beacon",
"IDS Detections ET POLICY Suspicious User-Agent Containing .exe",
"Extensions,.Trojan Age Win Version=4.2.0.168 Win32/1 Culture=neutral, amnit",
"Virut PublicKeyToken=cc7b13ffcd 2ddd51 1D11.tmp Ultimate-Chicken-Horse- T1O SteamRIP.com.rarys /",
"Startul ErrorPageTemplate[1] netcore, BouncyCastle.",
"Secure Protocols: Provides APIs for TLS 1.3, S/MIME, OpenPGP & CMS (Cryptographic Message Syntax)"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "BouncyCastle",
"display_name": "BouncyCastle",
"target": null
},
{
"id": "Sf:ShellCode-AU",
"display_name": "Sf:ShellCode-AU",
"target": null
},
{
"id": "Win.Trojan.Fareit-82",
"display_name": "Win.Trojan.Fareit-82",
"target": null
},
{
"id": "Win.Trojan.Agent-245901",
"display_name": "Win.Trojan.Agent-245901",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "W32/Kegotip CnC",
"display_name": "W32/Kegotip CnC",
"target": null
},
{
"id": "W32.Virut.ci",
"display_name": "W32.Virut.ci",
"target": null
},
{
"id": "Downloader.Generic13.CMTW",
"display_name": "Downloader.Generic13.CMTW",
"target": null
},
{
"id": "Downloader.Generic13.BOBZ",
"display_name": "Downloader.Generic13.BOBZ",
"target": null
},
{
"id": "Win.Trojan.Injector-12138",
"display_name": "Win.Trojan.Injector-12138",
"target": null
},
{
"id": "Generic36.ADTY",
"display_name": "Generic36.ADTY",
"target": null
},
{
"id": "Generic36.AIAA.Dropper",
"display_name": "Generic36.AIAA.Dropper",
"target": null
},
{
"id": "Generic36.AJSM",
"display_name": "Generic36.AJSM",
"target": null
},
{
"id": "Win32/Virut",
"display_name": "Win32/Virut",
"target": null
},
{
"id": "Win32/Ramnit.A",
"display_name": "Win32/Ramnit.A",
"target": null
},
{
"id": "Worm.Autorun-6180",
"display_name": "Worm.Autorun-6180",
"target": null
},
{
"id": "Hider.BIY",
"display_name": "Hider.BIY",
"target": null
},
{
"id": "Win.Trojan.Rootkit-4532",
"display_name": "Win.Trojan.Rootkit-4532",
"target": null
},
{
"id": "Win32/Blacked",
"display_name": "Win32/Blacked",
"target": null
},
{
"id": "Win32.Injector",
"display_name": "Win32.Injector",
"target": null
},
{
"id": "TrendMicro",
"display_name": "TrendMicro",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 71,
"FileHash-SHA256": 853,
"URL": 1639,
"domain": 288,
"FileHash-MD5": 78,
"hostname": 545
},
"indicator_count": 3474,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "54 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69754a5dd138f73f5cfdf78c",
"name": "EternalRocks (SHADOW BROKERS) MicroBotMassiveNet - NSA Exploits",
"description": "Exploited | Active | Continuous \n\u201cEternalRocks\u201d (also known as MicroBotMassiveNet) is a sophisticated computer worm discovered in May 2017 that targets Windows machines, utilizing seven different NSA-leaked exploits\u2014far more than the two used by the infamous WannaCry ransomware. Trend Micro and other security researchers highlighted the danger of this malware because, unlike WannaCry, it does not have a \"kill switch\" and is designed to create a backdoor for future, more severe, and adaptable attacks * While initially, it appeared to only act as a downloader for other tools, the danger lay in its potential to be weaponized for launching ransomware, Remote Access Trojans (RATs), or other malware at a later date. \nThank you Winston & Vogt",
"modified": "2026-02-23T19:02:00.548000",
"created": "2026-01-24T22:40:29.680000",
"tags": [
"regsetvalueexa",
"default",
"regdword",
"regbinary",
"module download",
"tls handshake",
"high",
"regsetvalueexw",
"malware",
"write",
"win32",
"ids detections",
"download tls",
"eternalrocks",
"nsa exploits",
"worm",
"cryptojackers",
"shadow brokers",
"ransom",
"ingress tool",
"channel",
"udp a83f8110",
"get http",
"get https",
"dns resolutions",
"root path",
"encrypted",
"native",
"required.exe",
"stolen toolset",
"cyber weapons",
"cyber warfare",
"autonomous",
"tor",
"dark web",
"black paper",
"nsa weapons",
"2017",
"tao?",
"targeting",
"breach",
"equation group tools",
"installer",
"stealer",
"apt",
"empty",
"not an exit node",
"empty file",
"tor relay router",
"traffic groups",
"traffic group 815",
"el tor",
"tor relay",
"traffic group 778",
"traffic group 238",
"traffic group 333",
"traffic group 333",
"node",
"traffic group 252",
"open_source_tool",
"confuserex",
"susp_net_name_confuserex",
"eternalrocks",
"svchost",
"eternalrocks_svchost_fr",
"obfuscated",
"susp_confuserex_obfuscated",
"encryption",
"module",
"msil",
"net",
"bing",
"android",
"libre",
"mcsf",
"microsoft",
"active attack",
"financial crimes",
"EternalBlue",
"EternalChampion",
"EternalRocks",
"Stealth",
"EternalSynergy",
"EternalRomance",
"checks-network-adapters",
"checks-user-input",
"crypto",
"detect-deb",
"environment",
"direct-cpu-clock-access",
"long-sleeps",
"runtime-modules"
],
"references": [
"EternalRocks MALWARE RANSOM TROJAN EVADER",
"The 2017 timeline accurately fits victim\u2019s major financial and other continuous First attacks began in 10/2013. Upgraded",
"With so many \u2018officials\u2019 involved, it\u2019s hard to believe \u2018 The Shadow Brokers\u2019 isnt a government entity.",
"Strangely NSO Group The Lazarus Group The Shadow Brokers and others attack an individual",
"Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,TrojanDownloader:Win32/Eterock.A",
"IDS Detections: Possible ETERNALROCKS .Net Module Download TLS Handshake Failure",
"Yara Detections: SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost ,",
"Yara Detections: EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"Alerts: network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_i",
"NSA Exploits Used: The malware uses seven Shadow Brokers-leaked tools, including EternalBlue, EternalChampion,",
"EternalRomance, and EternalSynergy. Stealth",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Yara Matches",
"Matches rule EternalRocks_svchost from ruleset crime_eternalrocks by Florian Roth (Nextron Systems)",
"Matches rule SUSP_NET_NAME_ConfuserEx from ruleset gen_github_net_redteam_tools_names by Arnim Rupp",
"Matches rule INDICATOR_EXE_Packed_ConfuserEx from ruleset indicator_packed",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Sigma Matches",
"Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"Matches rule Uncommon Svchost Command Line Parameter by Liran Ravich",
"Matches rule Uncommon Schost Parent Process by Florian Roth (Nextron Systems)",
"Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Shelton, Nasreddine Bencherchali (Nextron stems",
"Matches rule Windows Processes Suspicious Parent Directory by vburov",
"required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced IDS rules",
"Matches rule DELETED SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt",
"Matches rule MALWARE-CNC DNS Fast Flux attempt",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 252",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 333",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 778",
"Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 815",
"Matches rule ET POLICY TLS possible TOR SSL traffic",
"Matches rule ET JA3 Hash - Possible Malwar RigEK/Cryptowall/Dridex",
"Matches rule ET JA3 Hash - [Abuse.ch] Possible Ransomware",
"Matches rule SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Ransomware)",
"Matches rule POLICY-OTHER TOR Project domain request",
"Dynamic sandbox CZAE flags this file as: STEALER",
"https://github.com/stamparm/EternalRocks",
"(The Shadow Brokers NSA dump) SMB exploits: ETERNALBLUE, ETERNALCHAMPION,",
"ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.",
"REFERENCE: https://twitter.com/stamparm/status/864865144748298242 RULE_AUTHOR: Florian Roth",
"RULE_LINK: https://valhalla.nextron-systems.com/info/rule/EternalRocks_svchost_FR",
"DESCRIPTION: Detects EternalRocks Malware - file taskhost.exe",
"TNULL: unknown empty EMPTY FILEHASH-MD5 d41d8cd98f00b204e9800998ecf8427e",
"Google android-cts-7.1_r6-linux_x86-arm.zip",
"Matches rule Suspicious History File Operat Mikhail Larin, oscd.community",
"Matches rule SURICATA STREAM Packet with invalid timestamp"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "EternalRocks",
"display_name": "EternalRocks",
"target": null
},
{
"id": "CVE-2017-0148",
"display_name": "CVE-2017-0148",
"target": null
},
{
"id": "Exploit:PowerShell/CVE-2017-0143",
"display_name": "Exploit:PowerShell/CVE-2017-0143",
"target": "/malware/Exploit:PowerShell/CVE-2017-0143"
},
{
"id": "trojan.eternalrocks/shadowbrokers",
"display_name": "trojan.eternalrocks/shadowbrokers",
"target": null
}
],
"attack_ids": [
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1408",
"name": "Disguise Root/Jailbreak Indicators",
"display_name": "T1408 - Disguise Root/Jailbreak Indicators"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
}
],
"industries": [
"Finance",
"Government",
"Insurance",
"Civilians",
"Health"
],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 82,
"FileHash-SHA1": 76,
"FileHash-SHA256": 700,
"URL": 280,
"domain": 46,
"hostname": 233,
"CVE": 2
},
"indicator_count": 1419,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "54 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://test.josht.ca/",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://test.josht.ca/",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776617049.357665
}