{
"type": "URL",
"indicator": "https://track.smtpsendemail.com/9086417",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://track.smtpsendemail.com/9086417",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4222397332,
"indicator": "https://track.smtpsendemail.com/9086417",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 2,
"pulses": [
{
"id": "69bf8e2663d5480917ddb699",
"name": "Pegasus - https://house.mo.gov/ | Brian Sabey HallRender [i cloned OctoSeek] T8",
"description": "",
"modified": "2026-04-21T08:02:43.173000",
"created": "2026-03-22T06:37:26.233000",
"tags": [
"united",
"as393601 state",
"a domains",
"passive dns",
"as397241",
"certificate",
"urls",
"search",
"showing",
"entries",
"algorithm",
"full name",
"data",
"v3 serial",
"number",
"cus cndigicert",
"global g2",
"tls rsa",
"sha256",
"ca1 odigicert",
"info",
"record type",
"ttl value",
"all txt",
"ssl certificate",
"whois record",
"contacted",
"referrer",
"resolutions",
"historical ssl",
"communicating",
"problems",
"parent domain",
"njrat",
"ransomware",
"startpage",
"historical",
"malware",
"execution",
"threat roundup",
"april",
"september",
"remcos rat",
"august",
"june",
"qakbot",
"push",
"service",
"privateloader",
"amadey",
"powershell",
"qbot",
"cobalt strike",
"core",
"hacktool",
"november",
"october",
"roundup",
"threat network",
"cellbrite",
"february",
"emotet",
"maze",
"metro",
"dark",
"malicious",
"team",
"critical",
"copy",
"awful",
"parallax rat",
"banker",
"keylogger",
"dns replication",
"date",
"csc corporate",
"domains",
"code",
"server",
"registrar abuse",
"registrar iana",
"registry domain",
"registrar url",
"registrar",
"contact phone",
"apple ios",
"quasar",
"remcos",
"ursnif",
"chaos",
"ransomexx",
"azorult",
"agent tesla",
"evilnum",
"asyncrat",
"win32 exe",
"wininit",
"beta version",
"cmstp",
"taskscheduler",
"ieudinit",
"nat32",
"certsentry",
"type name",
"wc3 rpg",
"pegasus",
"unknown",
"domain",
"servers",
"germany unknown",
"name servers",
"status",
"next",
"as29066 host",
"as133618",
"cname",
"as47846",
"scan endpoints",
"all octoseek",
"pulse pulses",
"encrypt",
"china unknown",
"as38365 beijing",
"as134175 unit",
"707713",
"hong kong",
"virgin islands",
"as6461 zayo",
"ransom",
"exploit",
"ipv4",
"pulse submit",
"url analysis",
"trojan",
"body",
"click",
"creation date",
"emails",
"expiration date",
"domain privacy",
"hostname",
"dynamicloader",
"state",
"medium",
"msie",
"windows nt",
"wow64",
"show",
"slcc2",
"media center",
"error",
"delphi",
"guard",
"write",
"win32",
"target",
"redir",
"facebook",
"dcom",
"local",
"delete",
"utf8",
"unicode text",
"crlf line",
"rgba",
"yara detections",
"default",
"asnone",
"get na",
"dns lookup",
"probe ms17010",
"eternalblue",
"playgame",
"high",
"related pulses",
"yara rule",
"anomalous file",
"dynamic",
"malware infection",
"cnc",
"procmem_yara",
"antivm_generic_disk",
"modify_proxy infostealer_cookies",
"network_http",
"anomalous_deletefile",
"antidebug_guardpages",
"powershell_request",
"powershell_download",
"as63949 linode",
"mtb feb",
"open ports",
"backdoor",
"gmt content",
"trojandropper",
"simda",
"lockbit",
"win.trojan",
"midia-4",
"floxif",
"cryptowall",
"brontok",
"check in",
"record value",
"files",
"location united",
"america asn",
"as16509",
"download",
"threat",
"paste",
"iocs",
"analyze",
"hostnames",
"urls http",
"samples",
"tsara brashears",
"2nd corintnthians 4:8-9",
"injection_inter_process",
"injection_create_remote_thread",
"persistence_autorun",
"bypass_firewall",
"disables_windowsupdate",
"dynamic_function_loading",
"http_request",
"query",
"delete c",
"activity dns",
"components",
"file execution",
"observed dns",
"as4837 china",
"nxdomain",
"a nxdomain",
"wannacry",
"missouri",
"safebae",
"hallrender",
"house.mo.gov",
"typosquatting",
"tactics",
"google",
"win64",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"dalles",
"cookie",
"urls https",
"xpcegvo2adsnq",
"mhkz",
"mvi2",
"keepaliveyes",
"fexp24007246",
"nsyt",
"eva reimer",
"daisy coleman",
"brian sabey",
"https://lawlink.com/documents/10935/blackbag-technologies-announ"
],
"references": [
"https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov",
"dns.msftncsi.com",
"NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184",
"Target\u2193\u2192 Tsara Brashears: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
"23.216.147.64",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]",
"http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]",
"alohatube.xyz [BotNetwork]",
"facebooksunglassshop.com",
"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4",
"oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev",
"http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/",
"government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org",
"https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html",
"remote.utorrent.com [remote router logins]",
"Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com",
"http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online",
"http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com",
"http://tvm77.fashiongup.in/tracking/track-open",
"https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov",
"https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg",
"http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept",
"https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png",
"https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png",
"https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&",
"https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&",
"https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/",
"https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/",
"https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/",
"hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com",
"http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208",
"https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com",
"safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/",
"https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com",
"https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4",
"Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js",
"Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]",
"Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store",
"https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]",
"http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt",
"sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php",
"https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software"
],
"public": 1,
"adversary": "NSO Group",
"targeted_countries": [
"United States of America",
"China",
"Australia",
"Hong Kong"
],
"malware_families": [
{
"id": "Agent Tesla",
"display_name": "Agent Tesla",
"target": null
},
{
"id": "Amadey",
"display_name": "Amadey",
"target": null
},
{
"id": "AsyncRAT",
"display_name": "AsyncRAT",
"target": null
},
{
"id": "AZORult",
"display_name": "AZORult",
"target": null
},
{
"id": "Chaos",
"display_name": "Chaos",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "EVILNUM",
"display_name": "EVILNUM",
"target": null
},
{
"id": "Dark",
"display_name": "Dark",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Keylogger",
"display_name": "Keylogger",
"target": null
},
{
"id": "Maze",
"display_name": "Maze",
"target": null
},
{
"id": "NjRAT",
"display_name": "NjRAT",
"target": null
},
{
"id": "Parallax RAT",
"display_name": "Parallax RAT",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "QBot",
"display_name": "QBot",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Remcos RAT",
"display_name": "Remcos RAT",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Win.Trojan.Agent-336074",
"display_name": "Win.Trojan.Agent-336074",
"target": null
},
{
"id": "Arid.Viper_CnC",
"display_name": "Arid.Viper_CnC",
"target": null
},
{
"id": "WininiCrypt",
"display_name": "WininiCrypt",
"target": null
},
{
"id": "PWS:Win32/QQpass.CI",
"display_name": "PWS:Win32/QQpass.CI",
"target": "/malware/PWS:Win32/QQpass.CI"
},
{
"id": "Win.Trojan.Midia-4",
"display_name": "Win.Trojan.Midia-4",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "Win32/SocStealer!rfn",
"display_name": "Win32/SocStealer!rfn",
"target": null
},
{
"id": "Backdoor.Win32.Shiz.ufj",
"display_name": "Backdoor.Win32.Shiz.ufj",
"target": null
},
{
"id": "Email-Worm.Win32.Brontok.n",
"display_name": "Email-Worm.Win32.Brontok.n",
"target": null
},
{
"id": "ETERNALBLUE",
"display_name": "ETERNALBLUE",
"target": null
},
{
"id": "WannaCry",
"display_name": "WannaCry",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65c91f2b7c03b480379ae4d1",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2668,
"FileHash-SHA1": 2469,
"FileHash-SHA256": 8054,
"URL": 6185,
"domain": 2421,
"hostname": 3042,
"CVE": 5,
"email": 15,
"CIDR": 1
},
"indicator_count": 24860,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "40 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/",
"https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg",
"https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/",
"Requires further research.",
"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4",
"hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com",
"https://l.us-1.a.mimecastprotect.com/l",
"Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/",
"https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184",
"Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js",
"http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"alohatube.xyz [BotNetwork]",
"http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt",
"Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com",
"div>
",
"government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org",
"https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4",
"http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/",
"http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]",
"oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev",
"It appears there are 5-7 known affected that I was able to find",
"Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]",
"remote.utorrent.com [remote router logins]",
"http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com",
"https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov",
"Target\u2193\u2192 Tsara Brashears: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
"https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online",
"http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept",
"https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png",
"https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&",
"I apologize for the lack of reference.",
"safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/",
"https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html",
"https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov",
"Same legal , and quasi governmental pattern identified",
"https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]",
"http://tvm77.fashiongup.in/tracking/track-open",
"23.216.147.64",
"dns.msftncsi.com",
"https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&",
"https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software",
"facebooksunglassshop.com",
"https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com",
"sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"NSO Group"
],
"malware_families": [
"Ransomexx",
"Lockbit",
"Ursnif",
"Qakbot",
"Quasar rat",
"Dark",
"Pegasus",
"Azorult",
"Maze",
"Remcos rat",
"Alf:heraklezeval:trojan:win32/ymacco.aa47",
"Keylogger",
"Trojan:win32/smkldr.h!mtb",
"Evilnum",
"Amadey",
"Parallax rat",
"Asyncrat",
"Email-worm.win32.brontok.n",
"Pws:win32/qqpass.ci",
"Mydoom",
"Win.trojan.agent-336074",
"Win32/socstealer!rfn",
"Backdoor.win32.shiz.ufj",
"Arid.viper_cnc",
"Icedid",
"Njrat",
"Qbot",
"Agent tesla",
"#lowfi:lua:dllsuspiciousexport.a",
"Chaos",
"Wininicrypt",
"Eternalblue",
"Cobalt strike",
"Win.trojan.midia-4",
"Emotet",
"Hacktool",
"Wannacry",
"Ransomware"
],
"industries": [
"Legal",
"Telecom",
"Technology"
],
"unique_indicators": 33063
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/smtpsendemail.com",
"whois": "http://whois.domaintools.com/smtpsendemail.com",
"domain": "smtpsendemail.com",
"hostname": "track.smtpsendemail.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 2,
"pulses": [
{
"id": "69bf8e2663d5480917ddb699",
"name": "Pegasus - https://house.mo.gov/ | Brian Sabey HallRender [i cloned OctoSeek] T8",
"description": "",
"modified": "2026-04-21T08:02:43.173000",
"created": "2026-03-22T06:37:26.233000",
"tags": [
"united",
"as393601 state",
"a domains",
"passive dns",
"as397241",
"certificate",
"urls",
"search",
"showing",
"entries",
"algorithm",
"full name",
"data",
"v3 serial",
"number",
"cus cndigicert",
"global g2",
"tls rsa",
"sha256",
"ca1 odigicert",
"info",
"record type",
"ttl value",
"all txt",
"ssl certificate",
"whois record",
"contacted",
"referrer",
"resolutions",
"historical ssl",
"communicating",
"problems",
"parent domain",
"njrat",
"ransomware",
"startpage",
"historical",
"malware",
"execution",
"threat roundup",
"april",
"september",
"remcos rat",
"august",
"june",
"qakbot",
"push",
"service",
"privateloader",
"amadey",
"powershell",
"qbot",
"cobalt strike",
"core",
"hacktool",
"november",
"october",
"roundup",
"threat network",
"cellbrite",
"february",
"emotet",
"maze",
"metro",
"dark",
"malicious",
"team",
"critical",
"copy",
"awful",
"parallax rat",
"banker",
"keylogger",
"dns replication",
"date",
"csc corporate",
"domains",
"code",
"server",
"registrar abuse",
"registrar iana",
"registry domain",
"registrar url",
"registrar",
"contact phone",
"apple ios",
"quasar",
"remcos",
"ursnif",
"chaos",
"ransomexx",
"azorult",
"agent tesla",
"evilnum",
"asyncrat",
"win32 exe",
"wininit",
"beta version",
"cmstp",
"taskscheduler",
"ieudinit",
"nat32",
"certsentry",
"type name",
"wc3 rpg",
"pegasus",
"unknown",
"domain",
"servers",
"germany unknown",
"name servers",
"status",
"next",
"as29066 host",
"as133618",
"cname",
"as47846",
"scan endpoints",
"all octoseek",
"pulse pulses",
"encrypt",
"china unknown",
"as38365 beijing",
"as134175 unit",
"707713",
"hong kong",
"virgin islands",
"as6461 zayo",
"ransom",
"exploit",
"ipv4",
"pulse submit",
"url analysis",
"trojan",
"body",
"click",
"creation date",
"emails",
"expiration date",
"domain privacy",
"hostname",
"dynamicloader",
"state",
"medium",
"msie",
"windows nt",
"wow64",
"show",
"slcc2",
"media center",
"error",
"delphi",
"guard",
"write",
"win32",
"target",
"redir",
"facebook",
"dcom",
"local",
"delete",
"utf8",
"unicode text",
"crlf line",
"rgba",
"yara detections",
"default",
"asnone",
"get na",
"dns lookup",
"probe ms17010",
"eternalblue",
"playgame",
"high",
"related pulses",
"yara rule",
"anomalous file",
"dynamic",
"malware infection",
"cnc",
"procmem_yara",
"antivm_generic_disk",
"modify_proxy infostealer_cookies",
"network_http",
"anomalous_deletefile",
"antidebug_guardpages",
"powershell_request",
"powershell_download",
"as63949 linode",
"mtb feb",
"open ports",
"backdoor",
"gmt content",
"trojandropper",
"simda",
"lockbit",
"win.trojan",
"midia-4",
"floxif",
"cryptowall",
"brontok",
"check in",
"record value",
"files",
"location united",
"america asn",
"as16509",
"download",
"threat",
"paste",
"iocs",
"analyze",
"hostnames",
"urls http",
"samples",
"tsara brashears",
"2nd corintnthians 4:8-9",
"injection_inter_process",
"injection_create_remote_thread",
"persistence_autorun",
"bypass_firewall",
"disables_windowsupdate",
"dynamic_function_loading",
"http_request",
"query",
"delete c",
"activity dns",
"components",
"file execution",
"observed dns",
"as4837 china",
"nxdomain",
"a nxdomain",
"wannacry",
"missouri",
"safebae",
"hallrender",
"house.mo.gov",
"typosquatting",
"tactics",
"google",
"win64",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"dalles",
"cookie",
"urls https",
"xpcegvo2adsnq",
"mhkz",
"mvi2",
"keepaliveyes",
"fexp24007246",
"nsyt",
"eva reimer",
"daisy coleman",
"brian sabey",
"https://lawlink.com/documents/10935/blackbag-technologies-announ"
],
"references": [
"https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov",
"dns.msftncsi.com",
"NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184",
"Target\u2193\u2192 Tsara Brashears: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
"23.216.147.64",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]",
"http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]",
"alohatube.xyz [BotNetwork]",
"facebooksunglassshop.com",
"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4",
"oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev",
"http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/",
"government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org",
"https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html",
"remote.utorrent.com [remote router logins]",
"Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com",
"http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online",
"http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com",
"http://tvm77.fashiongup.in/tracking/track-open",
"https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov",
"https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg",
"http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept",
"https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png",
"https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png",
"https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&",
"https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&",
"https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/",
"https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/",
"https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/",
"hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com",
"http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208",
"https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com",
"safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/",
"https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com",
"https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4",
"Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js",
"Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]",
"Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store",
"https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]",
"http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt",
"sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php",
"https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software"
],
"public": 1,
"adversary": "NSO Group",
"targeted_countries": [
"United States of America",
"China",
"Australia",
"Hong Kong"
],
"malware_families": [
{
"id": "Agent Tesla",
"display_name": "Agent Tesla",
"target": null
},
{
"id": "Amadey",
"display_name": "Amadey",
"target": null
},
{
"id": "AsyncRAT",
"display_name": "AsyncRAT",
"target": null
},
{
"id": "AZORult",
"display_name": "AZORult",
"target": null
},
{
"id": "Chaos",
"display_name": "Chaos",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "EVILNUM",
"display_name": "EVILNUM",
"target": null
},
{
"id": "Dark",
"display_name": "Dark",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Keylogger",
"display_name": "Keylogger",
"target": null
},
{
"id": "Maze",
"display_name": "Maze",
"target": null
},
{
"id": "NjRAT",
"display_name": "NjRAT",
"target": null
},
{
"id": "Parallax RAT",
"display_name": "Parallax RAT",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "QBot",
"display_name": "QBot",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Remcos RAT",
"display_name": "Remcos RAT",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Win.Trojan.Agent-336074",
"display_name": "Win.Trojan.Agent-336074",
"target": null
},
{
"id": "Arid.Viper_CnC",
"display_name": "Arid.Viper_CnC",
"target": null
},
{
"id": "WininiCrypt",
"display_name": "WininiCrypt",
"target": null
},
{
"id": "PWS:Win32/QQpass.CI",
"display_name": "PWS:Win32/QQpass.CI",
"target": "/malware/PWS:Win32/QQpass.CI"
},
{
"id": "Win.Trojan.Midia-4",
"display_name": "Win.Trojan.Midia-4",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "Win32/SocStealer!rfn",
"display_name": "Win32/SocStealer!rfn",
"target": null
},
{
"id": "Backdoor.Win32.Shiz.ufj",
"display_name": "Backdoor.Win32.Shiz.ufj",
"target": null
},
{
"id": "Email-Worm.Win32.Brontok.n",
"display_name": "Email-Worm.Win32.Brontok.n",
"target": null
},
{
"id": "ETERNALBLUE",
"display_name": "ETERNALBLUE",
"target": null
},
{
"id": "WannaCry",
"display_name": "WannaCry",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65c91f2b7c03b480379ae4d1",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2668,
"FileHash-SHA1": 2469,
"FileHash-SHA256": 8054,
"URL": 6185,
"domain": 2421,
"hostname": 3042,
"CVE": 5,
"email": 15,
"CIDR": 1
},
"indicator_count": 24860,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "40 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://track.smtpsendemail.com/9086417",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://track.smtpsendemail.com/9086417",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780241964.6062195
}