{ "type": "URL", "indicator": "https://trustlist.adobe.com/eutl12.acrobatsecuritysettings", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://trustlist.adobe.com/eutl12.acrobatsecuritysettings", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #40", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #305", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain adobe.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain adobe.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3876659905, "indicator": "https://trustlist.adobe.com/eutl12.acrobatsecuritysettings", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 22, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-05-31T01:02:14", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2813, "FileHash-SHA1": 2576, "FileHash-SHA256": 8145, "domain": 1903, "hostname": 1502, "URL": 1359, "email": 46, "CVE": 54, "CIDR": 3, "YARA": 7, "JA3": 1, "IPv4": 11 }, "indicator_count": 18420, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "4 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a135614ee83fa05ff58af66", "name": "Validated: Cybercrime - #Alberta Compromise", "description": "Validated: Cybercrime - UofA BEC/ATO -> UAlberta Alfresco & Edmonton Police Compromise (HR Files) & TX - 05.24.26 - edit", "modified": "2026-05-24T19:48:36.416000", "created": "2026-05-24T19:48:36.416000", "tags": [], "references": [ "https://www.virustotal.com/graph/embed/g3238715200b747f1a237e03037a4d5ff15d85564ee0740439750d8ff75347031?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Healthcare", "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 200, "FileHash-MD5": 60, "FileHash-SHA1": 59, "FileHash-SHA256": 1097, "IPv4": 397, "domain": 341, "hostname": 407 }, "indicator_count": 2561, "is_author": false, "is_subscribing": null, "subscriber_count": 18, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10a079d3a0831710f3a0ab", "name": "Catastrophic DataBreach confirmed - UAlberta & Edmonton Police Services - 05.22.26", "description": "BEC/ATO (reported) and unauthorized use & abuse of Stolen Identity/Access/Credentials from the University of Alberta has been demonstrated as the cause of catastrophic Data-Breaches across the ualberta[.]ca domain and Edmonton Police Services (EPS).\nData is comprehensive, includes HR Records, PII/PHI, employment data, addresses, contact information.", "modified": "2026-05-22T18:29:13.092000", "created": "2026-05-22T18:29:13.092000", "tags": [], "references": [ "https://www.virustotal.com/graph/embed/g3238715200b747f1a237e03037a4d5ff15d85564ee0740439750d8ff75347031?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Government", "Healthcare", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 200, "FileHash-MD5": 61, "FileHash-SHA1": 60, "FileHash-SHA256": 1032, "IPv4": 393, "domain": 340, "hostname": 387 }, "indicator_count": 2473, "is_author": false, "is_subscribing": null, "subscriber_count": 19, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01f5402b91332b1cd63cd7", "name": "* No Flags, Drops, MITRE + More. * CAPE Sandbox", "description": "ID\tOB0012\nCreated\t1 August 2019\nLast Modified\t27 September 2023\nPersistence\n\nToday I discovered this {https://github.com/MBCProject/mbc-markdown/blob/3559ac6c87a7e8ea9a1fa01bf1155032d7fcdcac/persistence/shutdown-event.md] EPS Crimestoppers Alberta RCMP HR Files", "description": "University of Alberta DataBreach(es) -> Alfresco HR Files (included in this Pulse) - Reported. \nCompromise of Edmonton Police Services (EPS), Alberta RCMP (AB RCMP), CrimeStoppers Alberta - All organizations notified, and provided with identified problems (e.g. criminals), offered solutions (e.g. to address compromised infrastructure). Data 'on hand' and publicly available (e.g. in this pulse). Criminal activity ramping up for 2026. Reported by multiple parties no luck, no response.", "modified": "2026-01-03T01:55:41.491000", "created": "2025-10-19T02:42:43.079000", "tags": [ "entity", "EPS", "Alfresco", "UAlberta", "EdmontonPolice" ], "references": [ "https://www.virustotal.com/graph/embed/g8b17f086c8ca45188352d1d054fa3f8948f81bddd2114ea7b99864e585604e72?theme=dark", "https://en.fofa.info/result?qbase64=ZWRtb250b25wb2xpY2UuY2E%3D", "", "https://www.virustotal.com/gui/collection/7774b0b7593e64e019df4e783911800bb322ec28a0f9eb3792fe6f75755f3b88", "https://www.virustotal.com/gui/collection/7774b0b7593e64e019df4e783911800bb322ec28a0f9eb3792fe6f75755f3b88/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Education", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 743, "FileHash-MD5": 75, "FileHash-SHA1": 60, "FileHash-SHA256": 1364, "domain": 688, "hostname": 763 }, "indicator_count": 3693, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6709aab28cf1d2be652ad223", "name": "Edmonton Police Services - edmontonpolice[.]ca - 10.16.25", "description": "https://www.virustotal.com/graph/embed/ga070fb8bbaee47c7a44b6fb7f2ee3f5c61939f5faeba4e19acde6413bdba6b14?theme=dark\n\nDomain Analysis", "modified": "2025-11-18T02:01:35.087000", "created": "2024-10-11T22:46:10.581000", "tags": [ "entity", "Edmonton", "Edmonton Police", "#YEG", "EPS", "Phishing", "SmokeLoader", "Exploit Source", "DGA", "UAlberta" ], "references": [ "https://www.virustotal.com/graph/embed/ga070fb8bbaee47c7a44b6fb7f2ee3f5c61939f5faeba4e19acde6413bdba6b14?theme=dark", "https://www.virustotal.com/gui/collection/649e51cc1ed2151973a50c0d90f5d032dc30ab66616e31e2f81586aa8a6536cc/iocs", "https://www.filescan.io/uploads/680935bc218c4a98adde2eb8/reports/7284eb6f-a9de-48e2-9c34-77e4192e32bf/overview", "https://www.hybrid-analysis.com/sample/d662eb398df37fa65b74da50473e646c88cd28a33a95f0fd98143659653d90c2/68093c46ad9c95b8e707afd6", "https://www.virustotal.com/gui/collection/649e51cc1ed2151973a50c0d90f5d032dc30ab66616e31e2f81586aa8a6536cc", "https://www.hybrid-analysis.com/sample/d662eb398df37fa65b74da50473e646c88cd28a33a95f0fd98143659653d90c2", "https://www.hybrid-analysis.com/sample/ee6070bdbddb747669c43acfe123d63f2e3ca75d3f3271fe8b73c921cefeb518/68222b11c71dd3f1e703fe55", "https://www.hybrid-analysis.com/sample/ee6070bdbddb747669c43acfe123d63f2e3ca75d3f3271fe8b73c921cefeb518 - Malicious 78/100", "https://www.filescan.io/uploads/68222b420b64e174c4236a93/reports/e2eaa5ad-b2cd-462f-a7cf-612b7a0b5cd0/ioc", "https://hybrid-analysis.com/sample/17fe4736a69ea84803fddbc6fbd4c2b49e41fb5273464a5abfbd1d44c2abb765", "Threat Zone", "https://urlquery.net/report/9b3044f8-be25-4414-b0b9-5072c0348b8d", "https://polyswarm.network/scan/results/url/fcf8bdbdd15e78186084d67e70fac06bbe3e8a98d0ee5c3351e32912fd921ac0", "https://intelx.io/?s=edmontonpolice.ca" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 604, "hostname": 1620, "FileHash-MD5": 256, "FileHash-SHA1": 250, "FileHash-SHA256": 2972, "URL": 1178, "email": 17, "SSLCertFingerprint": 19 }, "indicator_count": 6916, "is_author": false, "is_subscribing": null, "subscriber_count": 135, "modified_text": "194 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67aac6e4b628acffaed3f068", "name": "New Batch - Malcerts - 02.10.25 - unenriched", "description": "Here is the full text of the text that was found on the website of Mozilla, following an investigation by the security firm Virustotal and the UK's Office of National Statistics (ONS).. [autofilled].\n\nMore Malcerts from Sample Device deployed at several sites in YEG - Canada. Related to pulse - Thor Scan Lite Linux\nNot enriched on import, but did include links to VT entries as IOCs (those will be false positives - but easy access). \nFolder name: Mozilla Located @ /usr/share/ca-certificates", "modified": "2025-03-16T17:01:06.968000", "created": "2025-02-11T03:41:24.585000", "tags": [ "UAlberta", "Malcerts", "Certificates", "Eduroam", "Alberta" ], "references": [ "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/iocs", "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/summary", "https://hybrid-analysis.com/file-collection/67aa8951a3fc5708a905306a", "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/community", "https://tria.ge/250210-3c3c3askfz", "https://tria.ge/250210-3nh4kasmes", "https://tria.ge/250210-3y8f7sspdy", "https://tria.ge/250211-dhpxgswlax", "https://tria.ge/250211-dt1hcswme1", "https://tria.ge/250211-dx9v7swnbw", "Zipped IOC: c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a", "https://www.virustotal.com/graph/embed/g4d7797bcffdd450281d4012ac3a0a5ee3fafe8b4f5964c18b4e0332306cb367b?theme=dark", "https://tip.neiki.dev/file/c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a", "c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a", "Cert[.]pl MLDB: 1da23fc67a5f101321e39d04e76dcaa7" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Government", "Healthcare", "Telecommunications", "Finance", "Agriculture", "Hospitality", "Media", "Retail" ], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 831, "FileHash-SHA1": 801, "FileHash-SHA256": 3227, "URL": 395, "domain": 189, "hostname": 798 }, "indicator_count": 6241, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "440 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "TLP: AMBER", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "https://en.fofa.info/result?qbase64=ZWRtb250b25wb2xpY2UuY2E%3D", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "https://hybrid-analysis.com/file-collection/67aa8951a3fc5708a905306a", "https://www.hybrid-analysis.com/sample/d662eb398df37fa65b74da50473e646c88cd28a33a95f0fd98143659653d90c2/68093c46ad9c95b8e707afd6", "https://www.virustotal.com/graph/embed/g4d7797bcffdd450281d4012ac3a0a5ee3fafe8b4f5964c18b4e0332306cb367b?theme=dark", "Cert[.]pl MLDB: 1da23fc67a5f101321e39d04e76dcaa7", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "https://www.virustotal.com/gui/collection/3f5e2fc684dd1957828c6f9c0d1b7d13524218c8402a4a0a91e9135fb662f127/iocs", "cddfaa769d227e9b8c7d78be3169895d SHA-1 b719eff788239f59cec3f0ea4efab4aa5c8cfd28 SHA-256 64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b Vhash 94005c460c2f34db9d47d4d59c392e7ff SSDEEP 6144:/mkxHzOMbL9Ygyd7fJoHQX3ZSSZACkGSim+trsgGg:PHKM/y1dTWHOZnVk13g TLSH T1524412A4CE47D183DD63D43909A0B192DBD2B1479AC424A93AAC5BE35F01B53EE23DC7 File type PDF document pdf Magic PDF document, version 1.7 (zip deflate encoded) TrID Adobe Portable Document Format (100%) Magika PDF File size 256.84 KB (263001 byt", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Verification failure observed in automated verification handlers during sandbox replay.", "https://tip.neiki.dev/file/c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a", "Threat Zone", "https://tria.ge/250210-3nh4kasmes", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "https://polyswarm.network/scan/results/url/fcf8bdbdd15e78186084d67e70fac06bbe3e8a98d0ee5c3351e32912fd921ac0", "https://www.virustotal.com/gui/collection/3f5e2fc684dd1957828c6f9c0d1b7d13524218c8402a4a0a91e9135fb662f127", "https://www.virustotal.com/gui/collection/649e51cc1ed2151973a50c0d90f5d032dc30ab66616e31e2f81586aa8a6536cc", "https://tria.ge/250211-dhpxgswlax", "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/community", "https://www.virustotal.com/graph/embed/g8b17f086c8ca45188352d1d054fa3f8948f81bddd2114ea7b99864e585604e72?theme=dark", "c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "https://www.virustotal.com/gui/collection/649e51cc1ed2151973a50c0d90f5d032dc30ab66616e31e2f81586aa8a6536cc/iocs", "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/iocs", "https://www.virustotal.com/gui/collection/7774b0b7593e64e019df4e783911800bb322ec28a0f9eb3792fe6f75755f3b88", "https://www.hybrid-analysis.com/sample/ee6070bdbddb747669c43acfe123d63f2e3ca75d3f3271fe8b73c921cefeb518/68222b11c71dd3f1e703fe55", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Zipped IOC: c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a", "https://www.hybrid-analysis.com/sample/d662eb398df37fa65b74da50473e646c88cd28a33a95f0fd98143659653d90c2", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "https://www.filescan.io/uploads/68222b420b64e174c4236a93/reports/e2eaa5ad-b2cd-462f-a7cf-612b7a0b5cd0/ioc", "https://www.virustotal.com/graph/embed/g3238715200b747f1a237e03037a4d5ff15d85564ee0740439750d8ff75347031?theme=dark", "https://tria.ge/250211-dx9v7swnbw", "https://learn.microsoft.com/en-us/dotnet/api/system.string?view=net-10.0", "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/summary", "https://intelx.io/?s=edmontonpolice.ca", "https://www.virustotal.com/gui/collection/7774b0b7593e64e019df4e783911800bb322ec28a0f9eb3792fe6f75755f3b88/iocs", "https://tria.ge/250210-3y8f7sspdy", "https://www.filescan.io/uploads/680935bc218c4a98adde2eb8/reports/7284eb6f-a9de-48e2-9c34-77e4192e32bf/overview", "https://tria.ge/250210-3c3c3askfz", "https://vtbehaviour.commondatastorage.googleapis.com/c0df36ccf88d5c8434b13b58f7a55a9715643a126148b9d078a93075d09cad26_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778512494&Signature=IyGjHZi7N286Zz2nRVR3HMmGSVCpdy6tyAKCyI4hGwox9174JLlTx73eEIXC5CkxOw85f%2BvcX%2BiV90DJ2IENlMD5h3mvRRG8Pr63SeXvNFNEDZXEr06GYORqKum94zNlDJsyCtOO1WBS%2B6zVEo2EI%2Bwf7WDs6fF12dXKWZPlqohK7buL36UkZI0%2FKKr0se40JjqaZj%2B2GT%2F7568PBNfUT%2FXydO3FPBN0zTRQRTG72Wyxth7o%2Flc7", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "https://www.virustotal.com/graph/embed/ga070fb8bbaee47c7a44b6fb7f2ee3f5c61939f5faeba4e19acde6413bdba6b14?theme=dark", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "https://hybrid-analysis.com/sample/17fe4736a69ea84803fddbc6fbd4c2b49e41fb5273464a5abfbd1d44c2abb765", "as15169", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "https://vtbehaviour.commondatastorage.googleapis.com/64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778512413&Signature=e%2FOQUFCdl6mG%2FVw1jWUt7JVEvUMDGdL0qTkVuMhleZvju90tDDGBWkN70V6AEMn81ckpNectbzu%2B35Ofrit1gTXkEdOLHigu6qE%2BrT3vIC81BH65xFoYz4vAmE2UdFt21KE9Zas%2BRpTOTqbTAPwoprdoH9KmCcVRpcj2fVn7jij4cQmlFbayz%2FH4AkRMh1EAr9IyxYEcUXUj4bkLvn7%2BMHZIYqsFP65EbtVAws7CxvbFmiF9", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "b257cc536324cd2566432555666307b43d27ee9cbda5e45707e3e97b61b3dff6", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "https://tria.ge/250211-dt1hcswme1", "https://urlquery.net/report/9b3044f8-be25-4414-b0b9-5072c0348b8d", "https://www.hybrid-analysis.com/sample/ee6070bdbddb747669c43acfe123d63f2e3ca75d3f3271fe8b73c921cefeb518 - Malicious 78/100", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act", "TrojanSpy" ], "malware_families": [ "#lowfi:hstr:pyinstaller_packaged_script", "Alf:heraklezeval:trojan:win32/c2lop", "Tel:exploit:html/pswebkit", "#exploit:win32/blofeldscat" ], "industries": [ "", "Finance", "Government", "Technology", "Retail", "Healthcare", "Hospitality", "Agriculture", "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in", "Media", "Education", "Telecommunications" ], "unique_indicators": 172959 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/adobe.com", "whois": "http://whois.domaintools.com/adobe.com", "domain": "adobe.com", "hostname": "trustlist.adobe.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 22, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-05-31T01:02:14", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2813, "FileHash-SHA1": 2576, "FileHash-SHA256": 8145, "domain": 1903, "hostname": 1502, "URL": 1359, "email": 46, "CVE": 54, "CIDR": 3, "YARA": 7, "JA3": 1, "IPv4": 11 }, "indicator_count": 18420, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "4 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a135614ee83fa05ff58af66", "name": "Validated: Cybercrime - #Alberta Compromise", "description": "Validated: Cybercrime - UofA BEC/ATO -> UAlberta Alfresco & Edmonton Police Compromise (HR Files) & TX - 05.24.26 - edit", "modified": "2026-05-24T19:48:36.416000", "created": "2026-05-24T19:48:36.416000", "tags": [], "references": [ "https://www.virustotal.com/graph/embed/g3238715200b747f1a237e03037a4d5ff15d85564ee0740439750d8ff75347031?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Healthcare", "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 200, "FileHash-MD5": 60, "FileHash-SHA1": 59, "FileHash-SHA256": 1097, "IPv4": 397, "domain": 341, "hostname": 407 }, "indicator_count": 2561, "is_author": false, "is_subscribing": null, "subscriber_count": 18, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10a079d3a0831710f3a0ab", "name": "Catastrophic DataBreach confirmed - UAlberta & Edmonton Police Services - 05.22.26", "description": "BEC/ATO (reported) and unauthorized use & abuse of Stolen Identity/Access/Credentials from the University of Alberta has been demonstrated as the cause of catastrophic Data-Breaches across the ualberta[.]ca domain and Edmonton Police Services (EPS).\nData is comprehensive, includes HR Records, PII/PHI, employment data, addresses, contact information.", "modified": "2026-05-22T18:29:13.092000", "created": "2026-05-22T18:29:13.092000", "tags": [], "references": [ "https://www.virustotal.com/graph/embed/g3238715200b747f1a237e03037a4d5ff15d85564ee0740439750d8ff75347031?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Government", "Healthcare", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 200, "FileHash-MD5": 61, "FileHash-SHA1": 60, "FileHash-SHA256": 1032, "IPv4": 393, "domain": 340, "hostname": 387 }, "indicator_count": 2473, "is_author": false, "is_subscribing": null, "subscriber_count": 19, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01f5402b91332b1cd63cd7", "name": "* No Flags, Drops, MITRE + More. * CAPE Sandbox", "description": "ID\tOB0012\nCreated\t1 August 2019\nLast Modified\t27 September 2023\nPersistence\n\nToday I discovered this {https://github.com/MBCProject/mbc-markdown/blob/3559ac6c87a7e8ea9a1fa01bf1155032d7fcdcac/persistence/shutdown-event.md]