{ "type": "URL", "indicator": "https://trac.webkit.org/wiki/Styling", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://trac.webkit.org/wiki/Styling", "type": "url", "type_title": "URL", "validation": [ { "source": "whitelist", "message": "Whitelisted domain webkit.org", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain webkit.org", "name": "Whitelisted domain" } ], "base_indicator": { "id": 4168842473, "indicator": "https://trac.webkit.org/wiki/Styling", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "694e9e0b06df97ba54bdff06", "name": "WebKit - Malicious Apple WebKit threat. Actively being exploited over Fully Updated MacOS & iOS Devices | MITM Attack", "description": "Unsafe, malicious software threat, malicious network threat, malicious phishing threat, [This is a phishing website that impersonates a trusted website to trick you into revealing personal or financial information]\nadversary in the middle threat , browser malware threat. | Victim appears to be connected to internet, but isn\u2019t.May receive error message\u2019\u201dIt appears you are connected to the Internet, but you might want to try to reconnect to the Internet.\"\nFully Updated iPhone 17 Pro / 1\nMonth old - Positive for Adversary in the Middle attack. Fully tested. Spoke to adversaries related to sinkhole and BotNet. New target being heavily attacked, includes strange physical attack resulting in medical treatments as result of physical trauma. Rohypnol suspected. Victim dumped on a doorstep (-phone) hours after suspected Rohypnol in a 1 inch glass of Champagne in trustee housewarming environment w/coworkers and their friends. | New iPhone purchased after attack\n#denver #testthekits #plant #mfr", "modified": "2026-01-25T14:02:14.953000", "created": "2025-12-26T14:39:07.815000", "tags": [ "bugzilla", "webkit bugzilla", "urls", "content type", "meta", "united", "msie", "chrome", "moved", "apple center", "gmt content", "win32mydoom dec", "trojan", "servers", "worm", "domain", "record value", "expiration date", "et trojan", "hello ssl", "destination", "port", "whitelisted", "unknown", "ciphersuite", "sessionid", "asnone", "write", "virustotal", "drweb", "vipre", "mcafee", "panda", "malware", "pandex!gen1", "et", "present dec", "present nov", "a domains", "certificate", "ip address", "title", "atom", "present sep", "present oct", "present aug", "name servers", "aaaa", "date", "dynamicloader", "crlf line", "ff d5", "unicode text", "utf8", "ee fc", "yara rule", "f0 ff", "ascii text", "ff bb", "suspicious", "music", "push", "next", "autorun", "contacted", "domains", "less see", "all related", "pulses otx", "tags", "related", "found", "passive dns", "entries", "all ipv4", "files", "reverse dns", "location united", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "csc corporate", "whois field", "value country", "us creation", "dnssec", "domain name", "name server", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "mitre att", "password crack", "cryptographic", "decrypt", "code overlap", "polymorphic", "status", "alfper", "search", "win32", "network", "dns error", "phishing" ], "references": [ "https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main", "googleadapis.com \u2022 googleapis.cn \u2022 108.177.98.84 \u2022 pki.google.com \u2022 source.android.google.cn \u2022 url.google.com \u2022 www.google.com", "Chrome Relationship: 173.194.112.8 \u2022 173.194.116.163 \u2022 chrome.google.com", "IDS Detections: Worm.Mydoom Checkin User-Agent (explwer)", "IDS Detections: Observed DNS Query to .biz TLD", "Yara Detections: Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside ,", "Yara Detections: UPX20030XMarkusOberhumerLaszloMolnarJohnReiser ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Alerts: antisandbox_sleep network_bind persistence_autorun persistence_autorun_tasks", "Alerts: binary_yara polymorphic procmem_yara suricata_alert antivm_generic_diskreg", "Alerts: dead_connect dynamic_function_loading network_http contains_pe_overlay", "Alerts: packer_unknown_pe_section_name contains_pe_overlay suspicious_tld stealth_timeout", "Alerts: queries_keyboard_layout accesses_public_folder antidebug_setunhandledexceptionfilter", "Interesting Strings: admin@bigtits.com support@cyberplat.com admin@easypay.com", "Interesting Strings: support@wmtransfer.com admin@paypal.com support@rbkmoney.ru", "Interesting Strings: admin@wmtransfer.com 1.9.1.4 192.168.1.2", "IDS Detections: ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Session_Id length greater than Client_Hello Length)", "IDS Detections: ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Cipher_Suite length greater than Client_Hello Length)", "Alerts: network_icmp injection_runpe persistence_autorun copies_self injection_rwx reads_self", "Alerts: antivirus_virustotal dropper packer_entropy", "ET | Cipher Suite IP\u2019s Contacted: 156 IP\u2019s Contacted 107.23.91.76 108.160.172.206 12.221.217.40", "ET | Cipher Suite IP\u2019s Contacted: 131.107.116.240 131.84.179.51 132.3.48.38 128.150.221.19 128.174.104.18", "ET | Cipher Suite IP\u2019s Contacted: 128.200.84.203 130.199.54.31", "Contacted: store.gearboxsoftware.com labs.ericsson.com www.bankofky.com acc.dau.mil", "Contacted: forums.weather.com www.hnfs.net eduforge.org forums.nordrus.info", "Contacted: www.medicalcountermeasures.gov forum.defcon.org", "Strange / Malicious Apple URL\u2019s URI\u2019S and IP\u2019s", "https://applepay.cdn-apple.com/jsapi/v1.3.2/apple \u2022 https://www.apple.com/wss/fonts \u2022 013.ts.apple.com", "https://updates.cdn-apple.com/2022FallFCS/patches/012-73541/F0A2BDFD-317B-4557-BD18-269079BDB196/com_apple_MobileAsset_MobileSoftwareUpdate_UpdateBrain/f9886a753f7d0b2fc3378a28ab6975769f6b1c26", "nserver4.apple.com \u2022 ocsp.apple.com \u2022 www.apple.com \u2022 17.33.193.247 \u2022 gb-api-uat.apple.com", "usw2.apple.com \u2022 usw2.apple.com/ \u2022 www.itunesradio.com \u2022 www.macboxset.com", "privaterelay.appleid.com \u2022 https://bugs.webkit.org/ \u2022 https://bugs.webkit.org/github.cgi \u2022 webkit.org", "Apple OSINT: build.webkit.org 17.33.193.45 TTL: 300 \u2022 CSC Corporate Domains, Inc. Organization: Apple Inc.", "Apple OSINT: Name Server: NSERVER4.APPLE.COM \u2022 Organization: Apple Inc. ReigstrarCSC Corporate Domains, Inc. State: CA", "https://hybrid-analysis.com/sample/17e2cf5950f3683477038dcc9c0d95d9f43690a60a477f0f4b3f9af8d53448b2/694e89e1a3f4ce06f703dace" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Canada" ], "malware_families": [ { "id": "Pandex!gen1", "display_name": "Pandex!gen1", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "Win.Trojan.Installcore-972", "display_name": "Win.Trojan.Installcore-972", "target": null }, { "id": "worm:Win32/Mofksys.RND!MTB", "display_name": "worm:Win32/Mofksys.RND!MTB", "target": "/malware/worm:Win32/Mofksys.RND!MTB" }, { "id": "AutoRun", "display_name": "AutoRun", "target": null }, { "id": "Mal_Harebot1", "display_name": "Mal_Harebot1", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 273, "hostname": 248, "FileHash-MD5": 219, "email": 13, "domain": 138, "FileHash-SHA256": 196, "FileHash-SHA1": 126 }, "indicator_count": 1213, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "84 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "694d7d426afd8c1c816ddb9e", "name": "Apple \u2022 IRS | ELF:DDoS |\tUnix.Trojan.Gafgyt redirects and blocks US taxpayers from making payments to IRS", "description": "This truly requires further research. This is a serious issue. There is are US adversaries blocking fiscally financial taxpayers from paying genie income taxes, threatening a levy, and other financially damaging consequences. It\u2019s clear to me the website is fraudulent. One target is an Apple user and an accountant. \n\n\nThere have been millions on financial crimes against this victim who I am now labeling a \u2018target\u2019. There are 4 other females\u2019 going through same thing. Losing assets, unable to reconcile taxes despite", "modified": "2026-01-24T17:05:40.719000", "created": "2025-12-25T18:06:58.222000", "tags": [ "united", "et trojan", "hello ssl", "whitelisted", "unknown", "ciphersuite", "sessionid", "asnone", "united kingdom", "show", "write", "virustotal", "drweb", "vipre", "mcafee", "panda", "malware", "pandex!gen1", "et", "aaaa", "present sep", "gmt secure", "passive dns", "urls", "gmt cache", "service", "title", "brazil as16625", "akamai", "top source", "tcp include", "top destination", "source source", "destination", "port", "gtmkv978zl", "utc gzy6fm95cs5", "utc na", "utc google", "analytics na", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "access att", "bad traffic", "et info", "tls handshake", "failure", "windir", "openurl c", "prefetch2", "dns requests", "domain address", "poland unknown", "ip address", "search", "present oct", "a domains", "body head", "document moved", "unique", "maxage86400", "httponly", "google safe", "browsing", "whois", "virustotal api", "screenshots", "comments", "pragma", "data upload", "extraction", "type", "extr", "delete c", "writeconsolew", "windows", "t1045", "read c", "susp", "dock", "win64", "alerts", "icmp traffic", "pdb path", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "yara detections", "lumen", "lumen ip", "public bgp", "address range", "cidr", "network name", "allocation type", "whois server", "entity lpl141", "handle", "url add", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "status", "showing", "domain", "trojan", "trojandropper", "next associated", "fastly error", "please", "sea p", "mozilla", "accept", "ipv4 add", "files", "location united", "america flag", "america asn", "nethandle", "net4", "net40000", "lpl141", "llc orgid", "city", "la postalcode", "dynamicloader", "write c", "medium", "named pipe", "yara rule", "high", "ms windows", "encrypt", "pegasus", "markus", "smartassembly", "next", "msie", "t1063", "windows nt", "fastly", "foundry", "palantir", "bgp", "webkit bugzilla", "record value", "content type", "bugzilla", "meta", "present nov", "entries", "atom", "apple", "chrome", "moved", "apple center", "gmt content", "name servers", "servers", "expiration date", "pulse submit", "url analysis", "date", "apple server", "apple dns", "asp.bet", "data collection", "bgp ip", "lumen control", "lumen admin", "level 3", "ipv4", "reverse dns", "found", "hostname add", "present jul", "present jun", "belize", "unknown ns", "present aug", "domain add", "creation date", "failed", "enter sc", "extra data", "include", "review exclude", "america united", "dns resolutions", "linuxgafgyt feb" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Canada" ], "malware_families": [ { "id": "Pandex!gen1", "display_name": "Pandex!gen1", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Lumen IP", "display_name": "Lumen IP", "target": null }, { "id": "Win.Malware.Msilperseus-6989564-0", "display_name": "Win.Malware.Msilperseus-6989564-0", "target": null }, { "id": "Unknown Malware \u2018Can't access file\u2019", "display_name": "Unknown Malware \u2018Can't access file\u2019", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Win.Trojan.Fenomengame-8", "display_name": "Win.Trojan.Fenomengame-8", "target": null }, { "id": "ALF:JASYP:Trojan:Win3", "display_name": "ALF:JASYP:Trojan:Win3", "target": null }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "ELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0", "display_name": "ELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Mirai Sim Swap", "display_name": "Mirai Sim Swap", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" } ], "industries": [ "Government", "Finance", "Telecommunications", "Technology", "Civil Society", "IRS" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4187, "hostname": 1574, "FileHash-SHA256": 2387, "FileHash-MD5": 189, "FileHash-SHA1": 161, "domain": 800, "CVE": 1, "email": 13, "CIDR": 1, "SSLCertFingerprint": 4 }, "indicator_count": 9317, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "85 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Interesting Strings: admin@bigtits.com support@cyberplat.com admin@easypay.com", "ET | Cipher Suite IP\u2019s Contacted: 131.107.116.240 131.84.179.51 132.3.48.38 128.150.221.19 128.174.104.18", "https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main", "https://applepay.cdn-apple.com/jsapi/v1.3.2/apple \u2022 https://www.apple.com/wss/fonts \u2022 013.ts.apple.com", "ET | Cipher Suite IP\u2019s Contacted: 128.200.84.203 130.199.54.31", "usw2.apple.com \u2022 usw2.apple.com/ \u2022 www.itunesradio.com \u2022 www.macboxset.com", "ET | Cipher Suite IP\u2019s Contacted: 156 IP\u2019s Contacted 107.23.91.76 108.160.172.206 12.221.217.40", "privaterelay.appleid.com \u2022 https://bugs.webkit.org/ \u2022 https://bugs.webkit.org/github.cgi \u2022 webkit.org", "Yara Detections: UPX20030XMarkusOberhumerLaszloMolnarJohnReiser ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Contacted: store.gearboxsoftware.com labs.ericsson.com www.bankofky.com acc.dau.mil", "Alerts: antivirus_virustotal dropper packer_entropy", "Strange / Malicious Apple URL\u2019s URI\u2019S and IP\u2019s", "Alerts: binary_yara polymorphic procmem_yara suricata_alert antivm_generic_diskreg", "Contacted: www.medicalcountermeasures.gov forum.defcon.org", "Alerts: packer_unknown_pe_section_name contains_pe_overlay suspicious_tld stealth_timeout", "https://hybrid-analysis.com/sample/17e2cf5950f3683477038dcc9c0d95d9f43690a60a477f0f4b3f9af8d53448b2/694e89e1a3f4ce06f703dace", "Contacted: forums.weather.com www.hnfs.net eduforge.org forums.nordrus.info", "Alerts: dead_connect dynamic_function_loading network_http contains_pe_overlay", "Yara Detections: Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside ,", "Interesting Strings: admin@wmtransfer.com 1.9.1.4 192.168.1.2", "Chrome Relationship: 173.194.112.8 \u2022 173.194.116.163 \u2022 chrome.google.com", "Interesting Strings: support@wmtransfer.com admin@paypal.com support@rbkmoney.ru", "Alerts: queries_keyboard_layout accesses_public_folder antidebug_setunhandledexceptionfilter", "https://updates.cdn-apple.com/2022FallFCS/patches/012-73541/F0A2BDFD-317B-4557-BD18-269079BDB196/com_apple_MobileAsset_MobileSoftwareUpdate_UpdateBrain/f9886a753f7d0b2fc3378a28ab6975769f6b1c26", "IDS Detections: ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Session_Id length greater than Client_Hello Length)", "IDS Detections: Observed DNS Query to .biz TLD", "Alerts: antisandbox_sleep network_bind persistence_autorun persistence_autorun_tasks", "IDS Detections: ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Cipher_Suite length greater than Client_Hello Length)", "nserver4.apple.com \u2022 ocsp.apple.com \u2022 www.apple.com \u2022 17.33.193.247 \u2022 gb-api-uat.apple.com", "Apple OSINT: build.webkit.org 17.33.193.45 TTL: 300 \u2022 CSC Corporate Domains, Inc. Organization: Apple Inc.", "googleadapis.com \u2022 googleapis.cn \u2022 108.177.98.84 \u2022 pki.google.com \u2022 source.android.google.cn \u2022 url.google.com \u2022 www.google.com", "Alerts: network_icmp injection_runpe persistence_autorun copies_self injection_rwx reads_self", "IDS Detections: Worm.Mydoom Checkin User-Agent (explwer)", "Apple OSINT: Name Server: NSERVER4.APPLE.COM \u2022 Organization: Apple Inc. ReigstrarCSC Corporate Domains, Inc. State: CA" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Mal_harebot1", "Win.trojan.installcore-972", "Win.trojan.fenomengame-8", "Elf:ddos-s\\ [trj]\t\tunix.trojan.gafgyt-6981154-0", "Appleservice", "Trojandropper:win32/muldrop", "Pandex!gen1", "Win.malware.msilperseus-6989564-0", "Mirai", "Alf:jasyp:trojan:win32/ircbot!atmn", "Mirai sim swap", "Et", "Alf:jasyp:trojan:win3", "Lumen ip", "Worm:win32/mofksys.rnd!mtb", "Autorun", "Trojan:win32/mydoom", "Unknown malware \u2018can't access file\u2019" ], "industries": [ "Finance", "Irs", "Civil society", "Technology", "Government", "Telecommunications" ], "unique_indicators": 10605 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/webkit.org", "whois": "http://whois.domaintools.com/webkit.org", "domain": "webkit.org", "hostname": "trac.webkit.org" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "694e9e0b06df97ba54bdff06", "name": "WebKit - Malicious Apple WebKit threat. Actively being exploited over Fully Updated MacOS & iOS Devices | MITM Attack", "description": "Unsafe, malicious software threat, malicious network threat, malicious phishing threat, [This is a phishing website that impersonates a trusted website to trick you into revealing personal or financial information]\nadversary in the middle threat , browser malware threat. | Victim appears to be connected to internet, but isn\u2019t.May receive error message\u2019\u201dIt appears you are connected to the Internet, but you might want to try to reconnect to the Internet.\"\nFully Updated iPhone 17 Pro / 1\nMonth old - Positive for Adversary in the Middle attack. Fully tested. Spoke to adversaries related to sinkhole and BotNet. New target being heavily attacked, includes strange physical attack resulting in medical treatments as result of physical trauma. Rohypnol suspected. Victim dumped on a doorstep (-phone) hours after suspected Rohypnol in a 1 inch glass of Champagne in trustee housewarming environment w/coworkers and their friends. | New iPhone purchased after attack\n#denver #testthekits #plant #mfr", "modified": "2026-01-25T14:02:14.953000", "created": "2025-12-26T14:39:07.815000", "tags": [ "bugzilla", "webkit bugzilla", "urls", "content type", "meta", "united", "msie", "chrome", "moved", "apple center", "gmt content", "win32mydoom dec", "trojan", "servers", "worm", "domain", "record value", "expiration date", "et trojan", "hello ssl", "destination", "port", "whitelisted", "unknown", "ciphersuite", "sessionid", "asnone", "write", "virustotal", "drweb", "vipre", "mcafee", "panda", "malware", "pandex!gen1", "et", "present dec", "present nov", "a domains", "certificate", "ip address", "title", "atom", "present sep", "present oct", "present aug", "name servers", "aaaa", "date", "dynamicloader", "crlf line", "ff d5", "unicode text", "utf8", "ee fc", "yara rule", "f0 ff", "ascii text", "ff bb", "suspicious", "music", "push", "next", "autorun", "contacted", "domains", "less see", "all related", "pulses otx", "tags", "related", "found", "passive dns", "entries", "all ipv4", "files", "reverse dns", "location united", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "csc corporate", "whois field", "value country", "us creation", "dnssec", "domain name", "name server", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "mitre att", "password crack", "cryptographic", "decrypt", "code overlap", "polymorphic", "status", "alfper", "search", "win32", "network", "dns error", "phishing" ], "references": [ "https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main", "googleadapis.com \u2022 googleapis.cn \u2022 108.177.98.84 \u2022 pki.google.com \u2022 source.android.google.cn \u2022 url.google.com \u2022 www.google.com", "Chrome Relationship: 173.194.112.8 \u2022 173.194.116.163 \u2022 chrome.google.com", "IDS Detections: Worm.Mydoom Checkin User-Agent (explwer)", "IDS Detections: Observed DNS Query to .biz TLD", "Yara Detections: Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside ,", "Yara Detections: UPX20030XMarkusOberhumerLaszloMolnarJohnReiser ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Alerts: antisandbox_sleep network_bind persistence_autorun persistence_autorun_tasks", "Alerts: binary_yara polymorphic procmem_yara suricata_alert antivm_generic_diskreg", "Alerts: dead_connect dynamic_function_loading network_http contains_pe_overlay", "Alerts: packer_unknown_pe_section_name contains_pe_overlay suspicious_tld stealth_timeout", "Alerts: queries_keyboard_layout accesses_public_folder antidebug_setunhandledexceptionfilter", "Interesting Strings: admin@bigtits.com support@cyberplat.com admin@easypay.com", "Interesting Strings: support@wmtransfer.com admin@paypal.com support@rbkmoney.ru", "Interesting Strings: admin@wmtransfer.com 1.9.1.4 192.168.1.2", "IDS Detections: ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Session_Id length greater than Client_Hello Length)", "IDS Detections: ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Cipher_Suite length greater than Client_Hello Length)", "Alerts: network_icmp injection_runpe persistence_autorun copies_self injection_rwx reads_self", "Alerts: antivirus_virustotal dropper packer_entropy", "ET | Cipher Suite IP\u2019s Contacted: 156 IP\u2019s Contacted 107.23.91.76 108.160.172.206 12.221.217.40", "ET | Cipher Suite IP\u2019s Contacted: 131.107.116.240 131.84.179.51 132.3.48.38 128.150.221.19 128.174.104.18", "ET | Cipher Suite IP\u2019s Contacted: 128.200.84.203 130.199.54.31", "Contacted: store.gearboxsoftware.com labs.ericsson.com www.bankofky.com acc.dau.mil", "Contacted: forums.weather.com www.hnfs.net eduforge.org forums.nordrus.info", "Contacted: www.medicalcountermeasures.gov forum.defcon.org", "Strange / Malicious Apple URL\u2019s URI\u2019S and IP\u2019s", "https://applepay.cdn-apple.com/jsapi/v1.3.2/apple \u2022 https://www.apple.com/wss/fonts \u2022 013.ts.apple.com", "https://updates.cdn-apple.com/2022FallFCS/patches/012-73541/F0A2BDFD-317B-4557-BD18-269079BDB196/com_apple_MobileAsset_MobileSoftwareUpdate_UpdateBrain/f9886a753f7d0b2fc3378a28ab6975769f6b1c26", "nserver4.apple.com \u2022 ocsp.apple.com \u2022 www.apple.com \u2022 17.33.193.247 \u2022 gb-api-uat.apple.com", "usw2.apple.com \u2022 usw2.apple.com/ \u2022 www.itunesradio.com \u2022 www.macboxset.com", "privaterelay.appleid.com \u2022 https://bugs.webkit.org/ \u2022 https://bugs.webkit.org/github.cgi \u2022 webkit.org", "Apple OSINT: build.webkit.org 17.33.193.45 TTL: 300 \u2022 CSC Corporate Domains, Inc. Organization: Apple Inc.", "Apple OSINT: Name Server: NSERVER4.APPLE.COM \u2022 Organization: Apple Inc. ReigstrarCSC Corporate Domains, Inc. State: CA", "https://hybrid-analysis.com/sample/17e2cf5950f3683477038dcc9c0d95d9f43690a60a477f0f4b3f9af8d53448b2/694e89e1a3f4ce06f703dace" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Canada" ], "malware_families": [ { "id": "Pandex!gen1", "display_name": "Pandex!gen1", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "Win.Trojan.Installcore-972", "display_name": "Win.Trojan.Installcore-972", "target": null }, { "id": "worm:Win32/Mofksys.RND!MTB", "display_name": "worm:Win32/Mofksys.RND!MTB", "target": "/malware/worm:Win32/Mofksys.RND!MTB" }, { "id": "AutoRun", "display_name": "AutoRun", "target": null }, { "id": "Mal_Harebot1", "display_name": "Mal_Harebot1", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 273, "hostname": 248, "FileHash-MD5": 219, "email": 13, "domain": 138, "FileHash-SHA256": 196, "FileHash-SHA1": 126 }, "indicator_count": 1213, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "84 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "694d7d426afd8c1c816ddb9e", "name": "Apple \u2022 IRS | ELF:DDoS |\tUnix.Trojan.Gafgyt redirects and blocks US taxpayers from making payments to IRS", "description": "This truly requires further research. This is a serious issue. There is are US adversaries blocking fiscally financial taxpayers from paying genie income taxes, threatening a levy, and other financially damaging consequences. It\u2019s clear to me the website is fraudulent. One target is an Apple user and an accountant. \n\n\nThere have been millions on financial crimes against this victim who I am now labeling a \u2018target\u2019. There are 4 other females\u2019 going through same thing. Losing assets, unable to reconcile taxes despite", "modified": "2026-01-24T17:05:40.719000", "created": "2025-12-25T18:06:58.222000", "tags": [ "united", "et trojan", "hello ssl", "whitelisted", "unknown", "ciphersuite", "sessionid", "asnone", "united kingdom", "show", "write", "virustotal", "drweb", "vipre", "mcafee", "panda", "malware", "pandex!gen1", "et", "aaaa", "present sep", "gmt secure", "passive dns", "urls", "gmt cache", "service", "title", "brazil as16625", "akamai", "top source", "tcp include", "top destination", "source source", "destination", "port", "gtmkv978zl", "utc gzy6fm95cs5", "utc na", "utc google", "analytics na", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "access att", "bad traffic", "et info", "tls handshake", "failure", "windir", "openurl c", "prefetch2", "dns requests", "domain address", "poland unknown", "ip address", "search", "present oct", "a domains", "body head", "document moved", "unique", "maxage86400", "httponly", "google safe", "browsing", "whois", "virustotal api", "screenshots", "comments", "pragma", "data upload", "extraction", "type", "extr", "delete c", "writeconsolew", "windows", "t1045", "read c", "susp", "dock", "win64", "alerts", "icmp traffic", "pdb path", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "yara detections", "lumen", "lumen ip", "public bgp", "address range", "cidr", "network name", "allocation type", "whois server", "entity lpl141", "handle", "url add", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "status", "showing", "domain", "trojan", "trojandropper", "next associated", "fastly error", "please", "sea p", "mozilla", "accept", "ipv4 add", "files", "location united", "america flag", "america asn", "nethandle", "net4", "net40000", "lpl141", "llc orgid", "city", "la postalcode", "dynamicloader", "write c", "medium", "named pipe", "yara rule", "high", "ms windows", "encrypt", "pegasus", "markus", "smartassembly", "next", "msie", "t1063", "windows nt", "fastly", "foundry", "palantir", "bgp", "webkit bugzilla", "record value", "content type", "bugzilla", "meta", "present nov", "entries", "atom", "apple", "chrome", "moved", "apple center", "gmt content", "name servers", "servers", "expiration date", "pulse submit", "url analysis", "date", "apple server", "apple dns", "asp.bet", "data collection", "bgp ip", "lumen control", "lumen admin", "level 3", "ipv4", "reverse dns", "found", "hostname add", "present jul", "present jun", "belize", "unknown ns", "present aug", "domain add", "creation date", "failed", "enter sc", "extra data", "include", "review exclude", "america united", "dns resolutions", "linuxgafgyt feb" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Canada" ], "malware_families": [ { "id": "Pandex!gen1", "display_name": "Pandex!gen1", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Lumen IP", "display_name": "Lumen IP", "target": null }, { "id": "Win.Malware.Msilperseus-6989564-0", "display_name": "Win.Malware.Msilperseus-6989564-0", "target": null }, { "id": "Unknown Malware \u2018Can't access file\u2019", "display_name": "Unknown Malware \u2018Can't access file\u2019", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Win.Trojan.Fenomengame-8", "display_name": "Win.Trojan.Fenomengame-8", "target": null }, { "id": "ALF:JASYP:Trojan:Win3", "display_name": "ALF:JASYP:Trojan:Win3", "target": null }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "ELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0", "display_name": "ELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Mirai Sim Swap", "display_name": "Mirai Sim Swap", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" } ], "industries": [ "Government", "Finance", "Telecommunications", "Technology", "Civil Society", "IRS" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4187, "hostname": 1574, "FileHash-SHA256": 2387, "FileHash-MD5": 189, "FileHash-SHA1": 161, "domain": 800, "CVE": 1, "email": 13, "CIDR": 1, "SSLCertFingerprint": 4 }, "indicator_count": 9317, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "85 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://trac.webkit.org/wiki/Styling", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://trac.webkit.org/wiki/Styling", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776643143.4998884 }