{ "type": "URL", "indicator": "https://tienda.exito.com/authentication", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://tienda.exito.com/authentication", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4116529466, "indicator": "https://tienda.exito.com/authentication", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "68fbc84609098d17c316f23c", "name": "NSO - Multiple crimes", "description": "Multiple crimes including illegal gambling, loan sharking, cybercrimes , content reputation , instructions. Starfield seen again. Team 8 has seen Starfield in more than 300 pulses. Now it\u2019s gone. Check your devices for innocent looking searches you\u2019ve never searched. Browser extensions found on 3 targeted devices with an adversary with full CnC armed with a deletion and disk wipe service. Local - Denver. \n\nAlso, very concerning is specific Airline to be attacked revealed. It cant be researched without bringing down a flight or messing up air command & control. DJT has already made travel a risky feat by being influenced to fire the (NOAA) & (DOT). Its manipulation. PP Mafia bros. \n\nDoes anyone have any power? Contact someone. We did have a mystery plane incident in Denver after I first reported. Just space junk , ya know the usual. I am serious about preventing crime. I need some help!", "modified": "2025-11-23T17:00:58.297000", "created": "2025-10-24T18:41:10.936000", "tags": [ "type indicator", "added active", "related pulses", "script urls", "united", "unknown ns", "a domains", "ip address", "meta", "asn as13335", "msie", "chrome", "ransom", "trojan", "passive dns", "backdoor", "http request", "twitter", "win32/crix.c check-in", "gmt content", "ipv4", "urls", "files", "data upload", "extraction", "domain add", "e emeseieee", "dynamicloader", "e eue", "eweienedeoewese", "windows nt", "wow64", "slcc2", "media center", "edeeefeaeuelete", "unknown", "write", "bits", "malware", "xserver", "encrypt", "unknown aaaa", "moved", "cloudfront x", "hio52 p1", "name servers", "accept encoding", "emails", "servers", "extr", "u a640", "a69f u", "fe2e fe2f", "u a720", "a7ff", "u feff", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "pattern match", "mitre att", "null", "body", "pizza", "friday", "hybrid", "general", "local", "path", "starfield", "iframe", "click", "strings", "core", "bet", "gambling", "record value", "date", "present sep", "present apr", "colombia", "present jun", "present nov", "cookie", "present oct", "entries", "next associated", "error", "attack", "government", "scotland", "news", "covid19", "subscribe", "october", "crown copyright", "nhs scotland", "parliament", "coronavirus", "redacted for", "domain status", "server", "privacy tech", "privacy admin", "email", "country", "postal code", "stateprovince", "code", "host name", "rdap database", "handle", "iana registrar", "entity roles", "links", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "validity", "subject public", "key info", "medium", "write c", "search", "pe file", "high", "checks", "http", "delete", "copy", "guard", "mozilla", "next", "godaddy", "creation date", "hostname", "pulse submit", "url analysis", "domain", "files ip", "trojandropper", "mtb oct", "mtb may", "refloadapihash", "foundry", "fastly", "value a", "com laude", "ltd dba", "nomiq", "limited dba", "pulse", "location united", "asn asnone", "nameservers" ], "references": [ "giovannisnypizza.net \u2022 http://www.giovannisnypizza.net \u2022", "fazendabetb.live \u2022 bowiesports.com Check first???", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino", "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022", "05bet99.bet \u2022 app.05bet99.bet \u2022 betterlifeschool.kr \u2022 bbrbet.today", "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com", "cashloanboat.com \u2022 mx-loans-5o.today\u2022 nodoccommercialloan", "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/", "m.casinometropol225.com \u2022 casinometropol285.com \u2022 http://bonus.casinometropol285.com \u2022", "https://bonus.casinometropol285.com \u2022 www.aksescasinobet77.icu bonus.casinometropol285.com \u2022", "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au", "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))", "The Scottish Government www.gov.scot The NHS Scotland support", "http://129.2.4.2/32 Lencr", "qlw020.managed-sprint.dynalabs.io (Check)", "brave-ohttp-relay-dev.fastly-edge.com (Palantir)", "ims.foundryfabrication.co.uk \u2022 timelog.foundryfabrication.co.uk \u2022 ims.foundryfabrication.co", "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com", "vb.cu \u2022 vb \u2022 vb.il \u2022 vb.cu \u2022 vb.il \u2022 docs.fastly.com \u2022 docs.fastly.com", "ExternalHosts: US", "Starfield again - HoneyPot / Dod- DoW", "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction", "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware", "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Germany", "Bulgaria", "Singapore", "Denmark", "Australia", "Jersey", "Japan", "Canada" ], "malware_families": [ { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Autoit", "display_name": "Autoit", "target": null }, { "id": "Ransom:Win32/Crowti", "display_name": "Ransom:Win32/Crowti", "target": "/malware/Ransom:Win32/Crowti" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#Lowfi:SIGATTR:DownloadAndExecute", "display_name": "#Lowfi:SIGATTR:DownloadAndExecute", "target": null }, { "id": "Win.Dropper.Vbclone", "display_name": "Win.Dropper.Vbclone", "target": null }, { "id": "Win.Packer", "display_name": "Win.Packer", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6261, "domain": 1806, "hostname": 2427, "FileHash-MD5": 384, "FileHash-SHA1": 381, "email": 13, "FileHash-SHA256": 1418, "SSLCertFingerprint": 14 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fc18514965ccd3b55c216d", "name": "Dorv \u2022 Obfuscator - Affecting DropBox", "description": "", "modified": "2025-11-23T17:00:58.297000", "created": "2025-10-25T00:22:41.686000", "tags": [ "type indicator", "added active", "related pulses", "script urls", "united", "unknown ns", "a domains", "ip address", "meta", "asn as13335", "msie", "chrome", "ransom", "trojan", "passive dns", "backdoor", "http request", "twitter", "win32/crix.c check-in", "gmt content", "ipv4", "urls", "files", "data upload", "extraction", "domain add", "e emeseieee", "dynamicloader", "e eue", "eweienedeoewese", "windows nt", "wow64", "slcc2", "media center", "edeeefeaeuelete", "unknown", "write", "bits", "malware", "xserver", "encrypt", "unknown aaaa", "moved", "cloudfront x", "hio52 p1", "name servers", "accept encoding", "emails", "servers", "extr", "u a640", "a69f u", "fe2e fe2f", "u a720", "a7ff", "u feff", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "pattern match", "mitre att", "null", "body", "pizza", "friday", "hybrid", "general", "local", "path", "starfield", "iframe", "click", "strings", "core", "bet", "gambling", "record value", "date", "present sep", "present apr", "colombia", "present jun", "present nov", "cookie", "present oct", "entries", "next associated", "error", "attack", "government", "scotland", "news", "covid19", "subscribe", "october", "crown copyright", "nhs scotland", "parliament", "coronavirus", "redacted for", "domain status", "server", "privacy tech", "privacy admin", "email", "country", "postal code", "stateprovince", "code", "host name", "rdap database", "handle", "iana registrar", "entity roles", "links", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "validity", "subject public", "key info", "medium", "write c", "search", "pe file", "high", "checks", "http", "delete", "copy", "guard", "mozilla", "next", "godaddy", "creation date", "hostname", "pulse submit", "url analysis", "domain", "files ip", "trojandropper", "mtb oct", "mtb may", "refloadapihash", "foundry", "fastly", "value a", "com laude", "ltd dba", "nomiq", "limited dba", "pulse", "location united", "asn asnone", "nameservers" ], "references": [ "giovannisnypizza.net \u2022 http://www.giovannisnypizza.net \u2022", "fazendabetb.live \u2022 bowiesports.com Check first???", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino", "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022", "05bet99.bet \u2022 app.05bet99.bet \u2022 betterlifeschool.kr \u2022 bbrbet.today", "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com", "cashloanboat.com \u2022 mx-loans-5o.today\u2022 nodoccommercialloan", "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/", "m.casinometropol225.com \u2022 casinometropol285.com \u2022 http://bonus.casinometropol285.com \u2022", "https://bonus.casinometropol285.com \u2022 www.aksescasinobet77.icu bonus.casinometropol285.com \u2022", "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au", "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))", "The Scottish Government www.gov.scot The NHS Scotland support", "http://129.2.4.2/32 Lencr", "qlw020.managed-sprint.dynalabs.io (Check)", "brave-ohttp-relay-dev.fastly-edge.com (Palantir)", "ims.foundryfabrication.co.uk \u2022 timelog.foundryfabrication.co.uk \u2022 ims.foundryfabrication.co", "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com", "vb.cu \u2022 vb \u2022 vb.il \u2022 vb.cu \u2022 vb.il \u2022 docs.fastly.com \u2022 docs.fastly.com", "ExternalHosts: US", "Starfield again - HoneyPot / Dod- DoW", "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction", "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware", "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Germany", "Bulgaria", "Singapore", "Denmark", "Australia", "Jersey", "Japan", "Canada" ], "malware_families": [ { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Autoit", "display_name": "Autoit", "target": null }, { "id": "Ransom:Win32/Crowti", "display_name": "Ransom:Win32/Crowti", "target": "/malware/Ransom:Win32/Crowti" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#Lowfi:SIGATTR:DownloadAndExecute", "display_name": "#Lowfi:SIGATTR:DownloadAndExecute", "target": null }, { "id": "Win.Dropper.Vbclone", "display_name": "Win.Dropper.Vbclone", "target": null }, { "id": "Win.Packer", "display_name": "Win.Packer", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "68fbc84609098d17c316f23c", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6261, "domain": 1806, "hostname": 2427, "FileHash-MD5": 384, "FileHash-SHA1": 381, "email": 13, "FileHash-SHA256": 1418, "SSLCertFingerprint": 14 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68958d96a43dd0d3b5a65220", "name": "Mirai Communication Networks Inc", "description": "BGP Mirai Communication Networks Inc. May be used for Red Hat activities considered enterprise open source solutions. Used for adversarial motives. Abuse.\nResearched a device-local-**********.remotewd.com found in last residential community a monitored target lived.", "modified": "2025-09-07T05:03:49.633000", "created": "2025-08-08T05:39:34.315000", "tags": [ "united", "unknown ns", "moved", "passive dns", "ip address", "cloudfront x", "hio50 c1", "a domains", "domains", "meta", "mirai", "apache", "url hostname", "server response", "google safe", "learn", "ck id", "name tactics", "suspicious", "informative", "spawns", "command", "found", "mitre att", "ck techniques", "sha256", "sha1", "ascii text", "pattern match", "size", "null", "refresh", "body", "span", "august", "hybrid", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "defense evasion", "t1480 execution", "file defense", "show technique", "ck matrix", "adversaries", "general", "starfield", "iframe", "onload", "status", "urls", "domain", "name servers", "hostname", "files", "files ip", "certificate", "urls show", "results aug", "entries", "show process", "utf8", "crlf line", "network traffic", "title error", "next associated", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "equiv content", "win32", "trojan", "servers", "search", "whois show", "record value", "emails", "name legal", "department name", "address po", "city seattle", "present oct", "present jul", "present dec", "present aug", "files domain", "files related", "related tags", "none google", "safe browsing", "external", "data upload", "extraction", "include review", "exclude sugges", "uny inuuue", "find s", "extr", "typ dom", "failed", "extri data", "mirai meta", "japan unknown", "miraipcok meta", "overview ip", "address", "location united", "asn as15169", "nameservers", "less whois", "registrar", "overview domain", "address domain", "ip whois", "title", "create c", "read c", "delete", "write", "medium", "create", "showing", "rgba", "next", "dock", "execution", "malware", "sqlite rollback", "jfif", "journal", "regsetvalueexa", "ascii", "regdword", "baidu", "url add", "http", "related nids", "files location", "flag united", "redacted for", "unknown aaaa", "hostname add", "url analysis", "encrypt", "date", "germany unknown", "ascio", "creation date", "alfper", "ipv4 add", "reverse dns", "mozilla", "set spray", "pty ltd", "date checked", "present jun", "present nov", "present may", "present mar", "present sep", "present jan", "for privacy", "lngen", "ransom", "virtool", "exploit", "as133618", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "asn as133618", "whois registrar", "ietfdtd html", "gmt server", "debian", "dynamicloader", "unknown", "feat", "query", "installer", "results oct", "results jan", "aaaa", "tlsv1", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "lowfi", "urlshortner aug", "urlshortner jul", "urlshortner", "write c", "high", "et exploit", "probe ms17010", "f codeoverlap", "copy", "contacted", "w3wwhb", "svwjh5dd u", "uv5b usvwu", "f us3v9", "cu codeoverlap", "filehash", "sha256 add", "monitored target", "sloffeefoundry.com", "apple", "samsung", "galaxy", "msie", "windows nt", "wow64", "slcc2", "media center", "persistence", "edge", "bing", "racism", "amazon music", "ios", "twitter", "googleapis", "denver" ], "references": [ "Researched: 210.172.192.15 | p192015.mirai.ne.jp | sanso-mirai.jp", "Mirai Communication Network Inc. (AS7690) Seto, Japan ASN is a BGP Network", "*ccm-command-center.int.m1np.symetra.cloud", "Monitored Target/s", "https://hybrid-analysis.com/sample/ff37a006ed8677bafa412d653ce9adfe84744702f28f7dfe9f5f4ec51b599419/689505a3a647793a0300f73f", "https://hybrid-analysis.com/sample/d30cf86f09e3ab7bb7d0a4ac2608aafb31e07c94fe77f5a264ccdb35fe153c59/689505ded9be5613900509fd", "https://hybrid-analysis.com/sample/f6e628e57373bf795bae87c883dcaefdbb720960133edc1adacc6146d10fc88a", "https://otx.alienvault.com/indicator/ip/210.172.192.15", "https://otx.alienvault.com/indicator/domain/sanso-mirai.jp", "device-local-**********. remotewd.com", "https://sms-apple.com/login", "https://www.exito.com/galaxy-m12-64-gb-negro-samsung-sm-m127fzkkcoo-3016108/p", "https://4.img-dpreview.com/files/p/articles/2356747397/samsung_nv24hd_bk.jpeg", "https://shell-gift.website/sweeps/de/amazon-voucher/question1000-agg/index.html?uclick=qdlpqnvr&uclickhash=qdlpqnvr-qdlpqnvr-pmwj-0-xsi4-hovr-hoi4-9b6533", "api.omgpornpics.com", "http://www.mylifelawyer.com/services/denver-affordable-lawyer-child-custody/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Crypt-142", "display_name": "Win.Trojan.Crypt-142", "target": null }, { "id": "#Lowfi:SIGATTR:URLShortner", "display_name": "#Lowfi:SIGATTR:URLShortner", "target": null }, { "id": "Win.Trojan.14278494-1", "display_name": "Win.Trojan.14278494-1", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ransom:Win32/WannaCrypt.H", "display_name": "ransom:Win32/WannaCrypt.H", "target": "/malware/ransom:Win32/WannaCrypt.H" }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Mirai Communications", "display_name": "Mirai Communications", "target": null }, { "id": "Alfper", "display_name": "Alfper", "target": null }, { "id": "telper:HSTR:CLEAN:Ninite", "display_name": "telper:HSTR:CLEAN:Ninite", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" } ], "industries": [ "Technology", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8962, "domain": 1671, "hostname": 2125, "FileHash-SHA256": 2031, "FileHash-MD5": 718, "FileHash-SHA1": 523, "SSLCertFingerprint": 12, "email": 7, "CVE": 1 }, "indicator_count": 16050, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "224 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "qlw020.managed-sprint.dynalabs.io (Check)", "https://shell-gift.website/sweeps/de/amazon-voucher/question1000-agg/index.html?uclick=qdlpqnvr&uclickhash=qdlpqnvr-qdlpqnvr-pmwj-0-xsi4-hovr-hoi4-9b6533", "https://sms-apple.com/login", "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction", "Researched: 210.172.192.15 | p192015.mirai.ne.jp | sanso-mirai.jp", "ims.foundryfabrication.co.uk \u2022 timelog.foundryfabrication.co.uk \u2022 ims.foundryfabrication.co", "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com", "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/", "api.omgpornpics.com", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino", "brave-ohttp-relay-dev.fastly-edge.com (Palantir)", "cashloanboat.com \u2022 mx-loans-5o.today\u2022 nodoccommercialloan", "device-local-**********. remotewd.com", "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b", "Mirai Communication Network Inc. (AS7690) Seto, Japan ASN is a BGP Network", "https://hybrid-analysis.com/sample/d30cf86f09e3ab7bb7d0a4ac2608aafb31e07c94fe77f5a264ccdb35fe153c59/689505ded9be5613900509fd", "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au", "http://129.2.4.2/32 Lencr", "https://hybrid-analysis.com/sample/f6e628e57373bf795bae87c883dcaefdbb720960133edc1adacc6146d10fc88a", "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))", "https://4.img-dpreview.com/files/p/articles/2356747397/samsung_nv24hd_bk.jpeg", "vb.cu \u2022 vb \u2022 vb.il \u2022 vb.cu \u2022 vb.il \u2022 docs.fastly.com \u2022 docs.fastly.com", "m.casinometropol225.com \u2022 casinometropol285.com \u2022 http://bonus.casinometropol285.com \u2022", "https://www.exito.com/galaxy-m12-64-gb-negro-samsung-sm-m127fzkkcoo-3016108/p", "05bet99.bet \u2022 app.05bet99.bet \u2022 betterlifeschool.kr \u2022 bbrbet.today", "https://otx.alienvault.com/indicator/ip/210.172.192.15", "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware", "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022", "fazendabetb.live \u2022 bowiesports.com Check first???", "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com", "ExternalHosts: US", "Monitored Target/s", "https://hybrid-analysis.com/sample/ff37a006ed8677bafa412d653ce9adfe84744702f28f7dfe9f5f4ec51b599419/689505a3a647793a0300f73f", "https://otx.alienvault.com/indicator/domain/sanso-mirai.jp", "giovannisnypizza.net \u2022 http://www.giovannisnypizza.net \u2022", "The Scottish Government www.gov.scot The NHS Scotland support", "https://bonus.casinometropol285.com \u2022 www.aksescasinobet77.icu bonus.casinometropol285.com \u2022", "http://www.mylifelawyer.com/services/denver-affordable-lawyer-child-custody/", "Starfield again - HoneyPot / Dod- DoW", "*ccm-command-center.int.m1np.symetra.cloud" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "NSO" ], "malware_families": [ "Ransom:win32/wannacrypt.h", "#lowfi:sigattr:downloadandexecute", "Emotet", "#lowfi:sigattr:urlshortner", "Autoit", "Win.dropper.vbclone", "Win.trojan.crypt-142", "Win.trojan.14278494-1", "Backdoor:win32/tofsee.", "Telper:hstr:clean:ninite", "Upatre", "Alfper", "Win.packer", "Ransom:win32/crowti", "Mirai communications" ], "industries": [ "Technology", "Telecommunications" ], "unique_indicators": 30422 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/exito.com", "whois": "http://whois.domaintools.com/exito.com", "domain": "exito.com", "hostname": "tienda.exito.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "68fbc84609098d17c316f23c", "name": "NSO - Multiple crimes", "description": "Multiple crimes including illegal gambling, loan sharking, cybercrimes , content reputation , instructions. Starfield seen again. Team 8 has seen Starfield in more than 300 pulses. Now it\u2019s gone. Check your devices for innocent looking searches you\u2019ve never searched. Browser extensions found on 3 targeted devices with an adversary with full CnC armed with a deletion and disk wipe service. Local - Denver. \n\nAlso, very concerning is specific Airline to be attacked revealed. It cant be researched without bringing down a flight or messing up air command & control. DJT has already made travel a risky feat by being influenced to fire the (NOAA) & (DOT). Its manipulation. PP Mafia bros. \n\nDoes anyone have any power? Contact someone. We did have a mystery plane incident in Denver after I first reported. Just space junk , ya know the usual. I am serious about preventing crime. I need some help!", "modified": "2025-11-23T17:00:58.297000", "created": "2025-10-24T18:41:10.936000", "tags": [ "type indicator", "added active", "related pulses", "script urls", "united", "unknown ns", "a domains", "ip address", "meta", "asn as13335", "msie", "chrome", "ransom", "trojan", "passive dns", "backdoor", "http request", "twitter", "win32/crix.c check-in", "gmt content", "ipv4", "urls", "files", "data upload", "extraction", "domain add", "e emeseieee", "dynamicloader", "e eue", "eweienedeoewese", "windows nt", "wow64", "slcc2", "media center", "edeeefeaeuelete", "unknown", "write", "bits", "malware", "xserver", "encrypt", "unknown aaaa", "moved", "cloudfront x", "hio52 p1", "name servers", "accept encoding", "emails", "servers", "extr", "u a640", "a69f u", "fe2e fe2f", "u a720", "a7ff", "u feff", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "pattern match", "mitre att", "null", "body", "pizza", "friday", "hybrid", "general", "local", "path", "starfield", "iframe", "click", "strings", "core", "bet", "gambling", "record value", "date", "present sep", "present apr", "colombia", "present jun", "present nov", "cookie", "present oct", "entries", "next associated", "error", "attack", "government", "scotland", "news", "covid19", "subscribe", "october", "crown copyright", "nhs scotland", "parliament", "coronavirus", "redacted for", "domain status", "server", "privacy tech", "privacy admin", "email", "country", "postal code", "stateprovince", "code", "host name", "rdap database", "handle", "iana registrar", "entity roles", "links", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "validity", "subject public", "key info", "medium", "write c", "search", "pe file", "high", "checks", "http", "delete", "copy", "guard", "mozilla", "next", "godaddy", "creation date", "hostname", "pulse submit", "url analysis", "domain", "files ip", "trojandropper", "mtb oct", "mtb may", "refloadapihash", "foundry", "fastly", "value a", "com laude", "ltd dba", "nomiq", "limited dba", "pulse", "location united", "asn asnone", "nameservers" ], "references": [ "giovannisnypizza.net \u2022 http://www.giovannisnypizza.net \u2022", "fazendabetb.live \u2022 bowiesports.com Check first???", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino", "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022", "05bet99.bet \u2022 app.05bet99.bet \u2022 betterlifeschool.kr \u2022 bbrbet.today", "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com", "cashloanboat.com \u2022 mx-loans-5o.today\u2022 nodoccommercialloan", "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/", "m.casinometropol225.com \u2022 casinometropol285.com \u2022 http://bonus.casinometropol285.com \u2022", "https://bonus.casinometropol285.com \u2022 www.aksescasinobet77.icu bonus.casinometropol285.com \u2022", "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au", "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))", "The Scottish Government www.gov.scot The NHS Scotland support", "http://129.2.4.2/32 Lencr", "qlw020.managed-sprint.dynalabs.io (Check)", "brave-ohttp-relay-dev.fastly-edge.com (Palantir)", "ims.foundryfabrication.co.uk \u2022 timelog.foundryfabrication.co.uk \u2022 ims.foundryfabrication.co", "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com", "vb.cu \u2022 vb \u2022 vb.il \u2022 vb.cu \u2022 vb.il \u2022 docs.fastly.com \u2022 docs.fastly.com", "ExternalHosts: US", "Starfield again - HoneyPot / Dod- DoW", "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction", "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware", "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Germany", "Bulgaria", "Singapore", "Denmark", "Australia", "Jersey", "Japan", "Canada" ], "malware_families": [ { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Autoit", "display_name": "Autoit", "target": null }, { "id": "Ransom:Win32/Crowti", "display_name": "Ransom:Win32/Crowti", "target": "/malware/Ransom:Win32/Crowti" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#Lowfi:SIGATTR:DownloadAndExecute", "display_name": "#Lowfi:SIGATTR:DownloadAndExecute", "target": null }, { "id": "Win.Dropper.Vbclone", "display_name": "Win.Dropper.Vbclone", "target": null }, { "id": "Win.Packer", "display_name": "Win.Packer", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6261, "domain": 1806, "hostname": 2427, "FileHash-MD5": 384, "FileHash-SHA1": 381, "email": 13, "FileHash-SHA256": 1418, "SSLCertFingerprint": 14 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fc18514965ccd3b55c216d", "name": "Dorv \u2022 Obfuscator - Affecting DropBox", "description": "", "modified": "2025-11-23T17:00:58.297000", "created": "2025-10-25T00:22:41.686000", "tags": [ "type indicator", "added active", "related pulses", "script urls", "united", "unknown ns", "a domains", "ip address", "meta", "asn as13335", "msie", "chrome", "ransom", "trojan", "passive dns", "backdoor", "http request", "twitter", "win32/crix.c check-in", "gmt content", "ipv4", "urls", "files", "data upload", "extraction", "domain add", "e emeseieee", "dynamicloader", "e eue", "eweienedeoewese", "windows nt", "wow64", "slcc2", "media center", "edeeefeaeuelete", "unknown", "write", "bits", "malware", "xserver", "encrypt", "unknown aaaa", "moved", "cloudfront x", "hio52 p1", "name servers", "accept encoding", "emails", "servers", "extr", "u a640", "a69f u", "fe2e fe2f", "u a720", "a7ff", "u feff", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "pattern match", "mitre att", "null", "body", "pizza", "friday", "hybrid", "general", "local", "path", "starfield", "iframe", "click", "strings", "core", "bet", "gambling", "record value", "date", "present sep", "present apr", "colombia", "present jun", "present nov", "cookie", "present oct", "entries", "next associated", "error", "attack", "government", "scotland", "news", "covid19", "subscribe", "october", "crown copyright", "nhs scotland", "parliament", "coronavirus", "redacted for", "domain status", "server", "privacy tech", "privacy admin", "email", "country", "postal code", "stateprovince", "code", "host name", "rdap database", "handle", "iana registrar", "entity roles", "links", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "validity", "subject public", "key info", "medium", "write c", "search", "pe file", "high", "checks", "http", "delete", "copy", "guard", "mozilla", "next", "godaddy", "creation date", "hostname", "pulse submit", "url analysis", "domain", "files ip", "trojandropper", "mtb oct", "mtb may", "refloadapihash", "foundry", "fastly", "value a", "com laude", "ltd dba", "nomiq", "limited dba", "pulse", "location united", "asn asnone", "nameservers" ], "references": [ "giovannisnypizza.net \u2022 http://www.giovannisnypizza.net \u2022", "fazendabetb.live \u2022 bowiesports.com Check first???", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino", "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022", "05bet99.bet \u2022 app.05bet99.bet \u2022 betterlifeschool.kr \u2022 bbrbet.today", "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com", "cashloanboat.com \u2022 mx-loans-5o.today\u2022 nodoccommercialloan", "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/", "m.casinometropol225.com \u2022 casinometropol285.com \u2022 http://bonus.casinometropol285.com \u2022", "https://bonus.casinometropol285.com \u2022 www.aksescasinobet77.icu bonus.casinometropol285.com \u2022", "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au", "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))", "The Scottish Government www.gov.scot The NHS Scotland support", "http://129.2.4.2/32 Lencr", "qlw020.managed-sprint.dynalabs.io (Check)", "brave-ohttp-relay-dev.fastly-edge.com (Palantir)", "ims.foundryfabrication.co.uk \u2022 timelog.foundryfabrication.co.uk \u2022 ims.foundryfabrication.co", "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com", "vb.cu \u2022 vb \u2022 vb.il \u2022 vb.cu \u2022 vb.il \u2022 docs.fastly.com \u2022 docs.fastly.com", "ExternalHosts: US", "Starfield again - HoneyPot / Dod- DoW", "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction", "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware", "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Germany", "Bulgaria", "Singapore", "Denmark", "Australia", "Jersey", "Japan", "Canada" ], "malware_families": [ { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Autoit", "display_name": "Autoit", "target": null }, { "id": "Ransom:Win32/Crowti", "display_name": "Ransom:Win32/Crowti", "target": "/malware/Ransom:Win32/Crowti" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#Lowfi:SIGATTR:DownloadAndExecute", "display_name": "#Lowfi:SIGATTR:DownloadAndExecute", "target": null }, { "id": "Win.Dropper.Vbclone", "display_name": "Win.Dropper.Vbclone", "target": null }, { "id": "Win.Packer", "display_name": "Win.Packer", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "68fbc84609098d17c316f23c", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6261, "domain": 1806, "hostname": 2427, "FileHash-MD5": 384, "FileHash-SHA1": 381, "email": 13, "FileHash-SHA256": 1418, "SSLCertFingerprint": 14 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68958d96a43dd0d3b5a65220", "name": "Mirai Communication Networks Inc", "description": "BGP Mirai Communication Networks Inc. May be used for Red Hat activities considered enterprise open source solutions. Used for adversarial motives. Abuse.\nResearched a device-local-**********.remotewd.com found in last residential community a monitored target lived.", "modified": "2025-09-07T05:03:49.633000", "created": "2025-08-08T05:39:34.315000", "tags": [ "united", "unknown ns", "moved", "passive dns", "ip address", "cloudfront x", "hio50 c1", "a domains", "domains", "meta", "mirai", "apache", "url hostname", "server response", "google safe", "learn", "ck id", "name tactics", "suspicious", "informative", "spawns", "command", "found", "mitre att", "ck techniques", "sha256", "sha1", "ascii text", "pattern match", "size", "null", "refresh", "body", "span", "august", "hybrid", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "defense evasion", "t1480 execution", "file defense", "show technique", "ck matrix", "adversaries", "general", "starfield", "iframe", "onload", "status", "urls", "domain", "name servers", "hostname", "files", "files ip", "certificate", "urls show", "results aug", "entries", "show process", "utf8", "crlf line", "network traffic", "title error", "next associated", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "equiv content", "win32", "trojan", "servers", "search", "whois show", "record value", "emails", "name legal", "department name", "address po", "city seattle", "present oct", "present jul", "present dec", "present aug", "files domain", "files related", "related tags", "none google", "safe browsing", "external", "data upload", "extraction", "include review", "exclude sugges", "uny inuuue", "find s", "extr", "typ dom", "failed", "extri data", "mirai meta", "japan unknown", "miraipcok meta", "overview ip", "address", "location united", "asn as15169", "nameservers", "less whois", "registrar", "overview domain", "address domain", "ip whois", "title", "create c", "read c", "delete", "write", "medium", "create", "showing", "rgba", "next", "dock", "execution", "malware", "sqlite rollback", "jfif", "journal", "regsetvalueexa", "ascii", "regdword", "baidu", "url add", "http", "related nids", "files location", "flag united", "redacted for", "unknown aaaa", "hostname add", "url analysis", "encrypt", "date", "germany unknown", "ascio", "creation date", "alfper", "ipv4 add", "reverse dns", "mozilla", "set spray", "pty ltd", "date checked", "present jun", "present nov", "present may", "present mar", "present sep", "present jan", "for privacy", "lngen", "ransom", "virtool", "exploit", "as133618", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "asn as133618", "whois registrar", "ietfdtd html", "gmt server", "debian", "dynamicloader", "unknown", "feat", "query", "installer", "results oct", "results jan", "aaaa", "tlsv1", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "lowfi", "urlshortner aug", "urlshortner jul", "urlshortner", "write c", "high", "et exploit", "probe ms17010", "f codeoverlap", "copy", "contacted", "w3wwhb", "svwjh5dd u", "uv5b usvwu", "f us3v9", "cu codeoverlap", "filehash", "sha256 add", "monitored target", "sloffeefoundry.com", "apple", "samsung", "galaxy", "msie", "windows nt", "wow64", "slcc2", "media center", "persistence", "edge", "bing", "racism", "amazon music", "ios", "twitter", "googleapis", "denver" ], "references": [ "Researched: 210.172.192.15 | p192015.mirai.ne.jp | sanso-mirai.jp", "Mirai Communication Network Inc. (AS7690) Seto, Japan ASN is a BGP Network", "*ccm-command-center.int.m1np.symetra.cloud", "Monitored Target/s", "https://hybrid-analysis.com/sample/ff37a006ed8677bafa412d653ce9adfe84744702f28f7dfe9f5f4ec51b599419/689505a3a647793a0300f73f", "https://hybrid-analysis.com/sample/d30cf86f09e3ab7bb7d0a4ac2608aafb31e07c94fe77f5a264ccdb35fe153c59/689505ded9be5613900509fd", "https://hybrid-analysis.com/sample/f6e628e57373bf795bae87c883dcaefdbb720960133edc1adacc6146d10fc88a", "https://otx.alienvault.com/indicator/ip/210.172.192.15", "https://otx.alienvault.com/indicator/domain/sanso-mirai.jp", "device-local-**********. remotewd.com", "https://sms-apple.com/login", "https://www.exito.com/galaxy-m12-64-gb-negro-samsung-sm-m127fzkkcoo-3016108/p", "https://4.img-dpreview.com/files/p/articles/2356747397/samsung_nv24hd_bk.jpeg", "https://shell-gift.website/sweeps/de/amazon-voucher/question1000-agg/index.html?uclick=qdlpqnvr&uclickhash=qdlpqnvr-qdlpqnvr-pmwj-0-xsi4-hovr-hoi4-9b6533", "api.omgpornpics.com", "http://www.mylifelawyer.com/services/denver-affordable-lawyer-child-custody/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Crypt-142", "display_name": "Win.Trojan.Crypt-142", "target": null }, { "id": "#Lowfi:SIGATTR:URLShortner", "display_name": "#Lowfi:SIGATTR:URLShortner", "target": null }, { "id": "Win.Trojan.14278494-1", "display_name": "Win.Trojan.14278494-1", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ransom:Win32/WannaCrypt.H", "display_name": "ransom:Win32/WannaCrypt.H", "target": "/malware/ransom:Win32/WannaCrypt.H" }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Mirai Communications", "display_name": "Mirai Communications", "target": null }, { "id": "Alfper", "display_name": "Alfper", "target": null }, { "id": "telper:HSTR:CLEAN:Ninite", "display_name": "telper:HSTR:CLEAN:Ninite", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" } ], "industries": [ "Technology", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8962, "domain": 1671, "hostname": 2125, "FileHash-SHA256": 2031, "FileHash-MD5": 718, "FileHash-SHA1": 523, "SSLCertFingerprint": 12, "email": 7, "CVE": 1 }, "indicator_count": 16050, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "224 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://tienda.exito.com/authentication", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://tienda.exito.com/authentication", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776607878.318645 }