{ "type": "URL", "indicator": "https://trustex09.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://trustex09.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4347160143, "indicator": "https://trustex09.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69fc4463f3401c7dcb6cec20", "name": "MIT/m attack + Cloudflare/CDN Masking", "description": "Actor is utilizing uncertified \"shadow\" domains to execute Adversary-in-the-Middle (AiTM) attacks. By avoiding SSL/TLS certificates entirely, the infrastructure stays invisible to automated certificate monitoring tools.TECHNICAL ANALYSISZero-Cert Stealth: The absence of certificate data on email.mime.audio is a deliberate evasion tactic. It prevents the domain from appearing in public certificate databases, allowing the \"fb hacker\" proxy to operate in total darkness.Session Interception: Traffic is routed through the 104 IP space via HTTP. This allows the attacker to strip encryption and harvest session cookies and MFA tokens in plaintext before they ever reach the legitimate service provider.Library Mimicry: The mime.audio naming convention is designed to trick system admins into thinking the traffic is legitimate Python or email-handling library activity rather than an external exfiltration attempt.", "modified": "2026-05-12T06:43:45.967000", "created": "2026-05-07T07:50:59.816000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 514, "domain": 164, "hostname": 167, "IPv4": 17, "URL": 214, "URI": 1, "Mutex": 2 }, "indicator_count": 1091, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc35be85a193d62e33e048", "name": "CAPE Sandbox- LOTA- Living off the Admin", "description": "The sandbox analysis reveals several high-risk activities that align with modern malware strains. Persistence Mechanisms: The file attempts to modify registry keys and drop executable files in sensitive directories, typical of malware seeking to survive system reboots.Network Communications: It initiates connections to known malicious C2 (Command and Control) infrastructure. This includes resolving DGA (Domain Generation Algorithm) domains and attempting P2P communication.Process Injection: The sample often spawns or injects code into legitimate system processes to evade detection by standard antivirus engines.Data Exfiltration: Observed behavioral signatures include calls to APIs used for harvesting credentials and system metadata, which are then queued for outbound transmission. Network comms\n385 HTTP 656 DNS 702 IP 1 JA3.\n[fcedee2f..]\nf0r5afo[.exe] 12/28/16 first appearance. 104.31.74.222 Ip I tagged 30 other malcious [exe] in here too. ref file: [e0c]", "modified": "2026-05-08T06:37:13.389000", "created": "2026-05-07T06:48:30.051000", "tags": [ "cloudflare", "city", "san francisco", "rnocname", "orgid", "rtechhandle", "net104", "net1040000", "rtechemail", "rabusehandle" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 102, "FileHash-MD5": 28, "FileHash-SHA1": 47, "FileHash-SHA256": 831, "URL": 1460, "domain": 315, "hostname": 266, "CIDR": 1, "email": 3 }, "indicator_count": 3053, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc44626e54f5973606f81e", "name": "MIT/m attack + Cloudflare/CDN Masking", "description": "Actor is utilizing uncertified \"shadow\" domains to execute Adversary-in-the-Middle (AiTM) attacks. By avoiding SSL/TLS certificates entirely, the infrastructure stays invisible to automated certificate monitoring tools.TECHNICAL ANALYSISZero-Cert Stealth: The absence of certificate data on email.mime.audio is a deliberate evasion tactic. It prevents the domain from appearing in public certificate databases, allowing the \"fb hacker\" proxy to operate in total darkness.Session Interception: Traffic is routed through the 104 IP space via HTTP. This allows the attacker to strip encryption and harvest session cookies and MFA tokens in plaintext before they ever reach the legitimate service provider.Library Mimicry: The mime.audio naming convention is designed to trick system admins into thinking the traffic is legitimate Python or email-handling library activity rather than an external exfiltration attempt.", "modified": "2026-05-08T06:36:54.282000", "created": "2026-05-07T07:50:58.758000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 6, "FileHash-SHA256": 694, "domain": 89, "hostname": 78, "IPv4": 16, "URL": 78 }, "indicator_count": 975, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc35bc6924906c52c89f27", "name": "CAPE Sandbox- LOTA- Living off the Admin", "description": "The sandbox analysis reveals several high-risk activities that align with modern malware strains. Persistence Mechanisms: The file attempts to modify registry keys and drop executable files in sensitive directories, typical of malware seeking to survive system reboots.Network Communications: It initiates connections to known malicious C2 (Command and Control) infrastructure. This includes resolving DGA (Domain Generation Algorithm) domains and attempting P2P communication.Process Injection: The sample often spawns or injects code into legitimate system processes to evade detection by standard antivirus engines.Data Exfiltration: Observed behavioral signatures include calls to APIs used for harvesting credentials and system metadata, which are then queued for outbound transmission. Network comms\n385 HTTP 656 DNS 702 IP 1 JA3.\n[fcedee2f..]\nf0r5afo[.exe] 12/28/16 first appearance. 104.31.74.222 Ip I tagged 30 other malcious [exe] in here too. ref file: [e0c]", "modified": "2026-05-08T06:30:44.363000", "created": "2026-05-07T06:48:28.947000", "tags": [ "cloudflare", "city", "san francisco", "rnocname", "orgid", "rtechhandle", "net104", "net1040000", "rtechemail", "rabusehandle" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 93, "FileHash-MD5": 24, "FileHash-SHA1": 43, "FileHash-SHA256": 167, "URL": 1447, "domain": 274, "hostname": 243, "CIDR": 1, "email": 3 }, "indicator_count": 2295, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc35bbf5093f9bf3cd0a32", "name": "CAPE Sandbox- LOTA- Living off the Admin", "description": "The sandbox analysis reveals several high-risk activities that align with modern malware strains. Persistence Mechanisms: The file attempts to modify registry keys and drop executable files in sensitive directories, typical of malware seeking to survive system reboots.Network Communications: It initiates connections to known malicious C2 (Command and Control) infrastructure. This includes resolving DGA (Domain Generation Algorithm) domains and attempting P2P communication.Process Injection: The sample often spawns or injects code into legitimate system processes to evade detection by standard antivirus engines.Data Exfiltration: Observed behavioral signatures include calls to APIs used for harvesting credentials and system metadata, which are then queued for outbound transmission. Network comms\n385 HTTP 656 DNS 702 IP 1 JA3.\n[fcedee2f..]\nf0r5afo[.exe] 12/28/16 first appearance. 104.31.74.222 Ip I tagged 30 other malcious [exe] in here too. ref file: [e0c]", "modified": "2026-05-08T05:17:02.092000", "created": "2026-05-07T06:48:27.828000", "tags": [ "cloudflare", "city", "san francisco", "rnocname", "orgid", "rtechhandle", "net104", "net1040000", "rtechemail", "rabusehandle" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 110, "FileHash-MD5": 47, "FileHash-SHA1": 85, "FileHash-SHA256": 186, "URL": 1467, "domain": 274, "hostname": 247, "CIDR": 4, "email": 14 }, "indicator_count": 2434, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 3379 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/trustex09.com", "whois": "http://whois.domaintools.com/trustex09.com", "domain": "trustex09.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69fc4463f3401c7dcb6cec20", "name": "MIT/m attack + Cloudflare/CDN Masking", "description": "Actor is utilizing uncertified \"shadow\" domains to execute Adversary-in-the-Middle (AiTM) attacks. By avoiding SSL/TLS certificates entirely, the infrastructure stays invisible to automated certificate monitoring tools.TECHNICAL ANALYSISZero-Cert Stealth: The absence of certificate data on email.mime.audio is a deliberate evasion tactic. It prevents the domain from appearing in public certificate databases, allowing the \"fb hacker\" proxy to operate in total darkness.Session Interception: Traffic is routed through the 104 IP space via HTTP. This allows the attacker to strip encryption and harvest session cookies and MFA tokens in plaintext before they ever reach the legitimate service provider.Library Mimicry: The mime.audio naming convention is designed to trick system admins into thinking the traffic is legitimate Python or email-handling library activity rather than an external exfiltration attempt.", "modified": "2026-05-12T06:43:45.967000", "created": "2026-05-07T07:50:59.816000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 514, "domain": 164, "hostname": 167, "IPv4": 17, "URL": 214, "URI": 1, "Mutex": 2 }, "indicator_count": 1091, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc35be85a193d62e33e048", "name": "CAPE Sandbox- LOTA- Living off the Admin", "description": "The sandbox analysis reveals several high-risk activities that align with modern malware strains. Persistence Mechanisms: The file attempts to modify registry keys and drop executable files in sensitive directories, typical of malware seeking to survive system reboots.Network Communications: It initiates connections to known malicious C2 (Command and Control) infrastructure. This includes resolving DGA (Domain Generation Algorithm) domains and attempting P2P communication.Process Injection: The sample often spawns or injects code into legitimate system processes to evade detection by standard antivirus engines.Data Exfiltration: Observed behavioral signatures include calls to APIs used for harvesting credentials and system metadata, which are then queued for outbound transmission. Network comms\n385 HTTP 656 DNS 702 IP 1 JA3.\n[fcedee2f..]\nf0r5afo[.exe] 12/28/16 first appearance. 104.31.74.222 Ip I tagged 30 other malcious [exe] in here too. ref file: [e0c]", "modified": "2026-05-08T06:37:13.389000", "created": "2026-05-07T06:48:30.051000", "tags": [ "cloudflare", "city", "san francisco", "rnocname", "orgid", "rtechhandle", "net104", "net1040000", "rtechemail", "rabusehandle" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 102, "FileHash-MD5": 28, "FileHash-SHA1": 47, "FileHash-SHA256": 831, "URL": 1460, "domain": 315, "hostname": 266, "CIDR": 1, "email": 3 }, "indicator_count": 3053, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc44626e54f5973606f81e", "name": "MIT/m attack + Cloudflare/CDN Masking", "description": "Actor is utilizing uncertified \"shadow\" domains to execute Adversary-in-the-Middle (AiTM) attacks. By avoiding SSL/TLS certificates entirely, the infrastructure stays invisible to automated certificate monitoring tools.TECHNICAL ANALYSISZero-Cert Stealth: The absence of certificate data on email.mime.audio is a deliberate evasion tactic. It prevents the domain from appearing in public certificate databases, allowing the \"fb hacker\" proxy to operate in total darkness.Session Interception: Traffic is routed through the 104 IP space via HTTP. This allows the attacker to strip encryption and harvest session cookies and MFA tokens in plaintext before they ever reach the legitimate service provider.Library Mimicry: The mime.audio naming convention is designed to trick system admins into thinking the traffic is legitimate Python or email-handling library activity rather than an external exfiltration attempt.", "modified": "2026-05-08T06:36:54.282000", "created": "2026-05-07T07:50:58.758000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 6, "FileHash-SHA256": 694, "domain": 89, "hostname": 78, "IPv4": 16, "URL": 78 }, "indicator_count": 975, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc35bc6924906c52c89f27", "name": "CAPE Sandbox- LOTA- Living off the Admin", "description": "The sandbox analysis reveals several high-risk activities that align with modern malware strains. Persistence Mechanisms: The file attempts to modify registry keys and drop executable files in sensitive directories, typical of malware seeking to survive system reboots.Network Communications: It initiates connections to known malicious C2 (Command and Control) infrastructure. This includes resolving DGA (Domain Generation Algorithm) domains and attempting P2P communication.Process Injection: The sample often spawns or injects code into legitimate system processes to evade detection by standard antivirus engines.Data Exfiltration: Observed behavioral signatures include calls to APIs used for harvesting credentials and system metadata, which are then queued for outbound transmission. Network comms\n385 HTTP 656 DNS 702 IP 1 JA3.\n[fcedee2f..]\nf0r5afo[.exe] 12/28/16 first appearance. 104.31.74.222 Ip I tagged 30 other malcious [exe] in here too. ref file: [e0c]", "modified": "2026-05-08T06:30:44.363000", "created": "2026-05-07T06:48:28.947000", "tags": [ "cloudflare", "city", "san francisco", "rnocname", "orgid", "rtechhandle", "net104", "net1040000", "rtechemail", "rabusehandle" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 93, "FileHash-MD5": 24, "FileHash-SHA1": 43, "FileHash-SHA256": 167, "URL": 1447, "domain": 274, "hostname": 243, "CIDR": 1, "email": 3 }, "indicator_count": 2295, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc35bbf5093f9bf3cd0a32", "name": "CAPE Sandbox- LOTA- Living off the Admin", "description": "The sandbox analysis reveals several high-risk activities that align with modern malware strains. Persistence Mechanisms: The file attempts to modify registry keys and drop executable files in sensitive directories, typical of malware seeking to survive system reboots.Network Communications: It initiates connections to known malicious C2 (Command and Control) infrastructure. This includes resolving DGA (Domain Generation Algorithm) domains and attempting P2P communication.Process Injection: The sample often spawns or injects code into legitimate system processes to evade detection by standard antivirus engines.Data Exfiltration: Observed behavioral signatures include calls to APIs used for harvesting credentials and system metadata, which are then queued for outbound transmission. Network comms\n385 HTTP 656 DNS 702 IP 1 JA3.\n[fcedee2f..]\nf0r5afo[.exe] 12/28/16 first appearance. 104.31.74.222 Ip I tagged 30 other malcious [exe] in here too. ref file: [e0c]", "modified": "2026-05-08T05:17:02.092000", "created": "2026-05-07T06:48:27.828000", "tags": [ "cloudflare", "city", "san francisco", "rnocname", "orgid", "rtechhandle", "net104", "net1040000", "rtechemail", "rabusehandle" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 110, "FileHash-MD5": 47, "FileHash-SHA1": 85, "FileHash-SHA256": 186, "URL": 1467, "domain": 274, "hostname": 247, "CIDR": 4, "email": 14 }, "indicator_count": 2434, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://trustex09.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://trustex09.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780257053.2145011 }