{
"type": "URL",
"indicator": "https://urldefense.us/jerror/",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://urldefense.us/jerror/",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4152434338,
"indicator": "https://urldefense.us/jerror/",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 3,
"pulses": [
{
"id": "699c6ef61298b57cd7275728",
"name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s",
"description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.",
"modified": "2026-03-25T07:05:10.628000",
"created": "2026-02-23T15:15:02.857000",
"tags": [
"ipv4",
"http",
"passive dns",
"files domain",
"united",
"unknown ns",
"for privacy",
"ip address",
"domain",
"dynamicloader",
"antivirus",
"yara rule",
"fe ff",
"write c",
"msvisualcpp60",
"rsds",
"e8 c8",
"e8 a8",
"ff e1",
"unknown",
"worm",
"launch",
"write",
"explorer",
"february",
"push",
"service",
"files",
"reverse dns",
"america flag",
"america asn",
"url add",
"otx logo",
"all ipv4",
"searc",
"date checked",
"server response",
"results dec",
"unknown soa",
"present aug",
"present oct",
"present sep",
"present nov",
"moved",
"error",
"title",
"win32mydoom feb",
"aaaa",
"name servers",
"trojan",
"servers",
"virtool",
"united states",
"apple",
"crlf line",
"unicode text",
"utf8",
"ff d5",
"ascii text",
"ee fc",
"suspicious",
"music",
"malware",
"role title",
"ttl value",
".cc",
"d4 f5",
"msvisualcpp2002",
"msvisualcpp2005",
"apple support",
".ch",
"privaterelay",
"pattern match",
"ck id",
"mitre att",
"ck matrix",
"href",
"et info",
"general",
"local",
"path",
"click",
"learn",
"command",
"name tactics",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"present jun",
"backdoor",
"present may",
"status",
"ransom",
"high",
"medium",
"windows",
"tofsee",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"stream",
"delete",
"emotet",
"bot network",
"mitm",
"screenshot",
"mimecast"
],
"references": [
"http://apple.support.com/ht***** redirect",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"mac.store",
"https://icloud.ch/cn/ipod-touch/",
"https://icloud.ch/",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"Redirect: schemas.microsoft.com",
"apple.com(-inc.cc)",
"oas-japac-domains-applecomputer.cn",
"robert-aebi.appleid.com",
"smtp2.icl-privaterelay.appleid.com",
"http://audaxgroup.appleid.com/",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"iphonegermany.com",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"https://aspmx.l.google.com/",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"http://www.icloud-sms-alert.com/",
"monitoring.eurovision.net",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"monitor.kyos.ninja"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/IcedId.DI!MTB",
"display_name": "Trojan:Win32/IcedId.DI!MTB",
"target": "/malware/Trojan:Win32/IcedId.DI!MTB"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Worm:Win32/Bloored",
"display_name": "Worm:Win32/Bloored",
"target": "/malware/Worm:Win32/Bloored"
},
{
"id": "Win.Malware.Elenooka-6996044-0",
"display_name": "Win.Malware.Elenooka-6996044-0",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6031,
"hostname": 1971,
"domain": 1125,
"FileHash-SHA256": 1715,
"email": 18,
"FileHash-MD5": 317,
"FileHash-SHA1": 164
},
"indicator_count": 11341,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6920c43c3772bb24f26f70cc",
"name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun",
"description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.",
"modified": "2025-12-21T18:01:07.268000",
"created": "2025-11-21T19:57:48.145000",
"tags": [
"dynamicloader",
"write c",
"write",
"high",
"yara rule",
"myapp",
"delphi",
"worm",
"win32",
"error",
"code",
"malware",
"defender",
"medium",
"binary file",
"heavensgate",
"bochs",
"dynamic",
"td td",
"td tr",
"united",
"a td",
"a domains",
"dynamic dns",
"static dns",
"dd wrt",
"twitter",
"trojan",
"trojandropper",
"null",
"enough",
"simple",
"click",
"easy",
"premium",
"associated urls",
"server response",
"google safe",
"results nov",
"avast avg",
"11.21.2025",
"11.20.2025",
"borland delphi",
"pe32",
"intel",
"ms windows",
"inno setup",
"win32 exe",
"pecompact",
"delphi generic",
"pe32 compiler",
"dark comet",
"dark gate",
"glassworm",
"md5 code",
"data",
"porkbun llc",
"windows match",
"getprocaddress",
"peb idrdata",
"match peb",
"t1547",
"t1059 t1112",
"shared modules",
"t1129",
"boot",
"logon autostart",
"execu",
"t1134 boot",
"encoding",
"capture e1113",
"file attributes",
"analysis ob0001",
"b0001 software",
"virtual machine",
"detection b0009",
"analysis ob0002",
"ob0003 screen",
"windows get",
"check",
"encode",
"check internet",
"wininet set",
"clear file",
"enumerate gui",
"get hostname",
"get keyboard",
"set registry",
"find",
"capture",
"url http",
"consolefoundry",
"console foundry",
"foundry",
"malware catalog tree",
"autorun keys",
"modification",
"alexander karp",
"peter theil",
"christoper ahmann",
"christopher pool",
"mercedes",
"apple",
"palantir",
"adversarial",
"adversaries",
"hostile",
"quasi",
"empty hash",
"denver",
"mal_xred_backdoor",
"backdoor",
"xred",
"brian sabey",
"first-send-petikvx",
"stop",
"glassworm",
"elex",
"darkgate",
"dark-comet",
"search",
"entries",
"show",
"yara detections",
"icmp traffic",
"rtf file",
"top source",
"top destination",
"format",
"host",
"copy",
"next",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"found",
"access att",
"font",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"ascii text",
"pattern match",
"sha256",
"mitre att",
"title",
"meta",
"hybrid",
"local",
"path",
"strings",
"body",
"contact",
"trace",
"form",
"bitcoin",
"core",
"jeffrey reimer",
"exe infection",
"cve",
"porn"
],
"references": [
"FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop",
"Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,",
"Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi",
"Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns",
"Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert",
"Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep",
"Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading",
"Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn",
"Alerts: packer_unknown",
"Malicious IP Contacted: 69.42.215.252",
"Abused Domains Contacted: xred.mooo.com freedns.afraid.org",
"IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org",
"IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com",
"IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com",
"Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access",
"consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry",
"Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below",
"by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"http://freedns.afraid.org/images/apple.gif",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"https://www.mumuplayer.com/redirect/customerservice/_wig",
"https://www.mumuplayer.com/redirect/customerservice/fB)y",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth",
"https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"http://consolefoundry.date/one/gate.php",
"https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453",
"display_name": "Win.Trojan.Emotet-9850453",
"target": null
},
{
"id": "Win.Trojan.BlackNetRAT-7838854-0",
"display_name": "Win.Trojan.BlackNetRAT-7838854-0",
"target": null
},
{
"id": "Win.Dropper.Nanocore-10021490-0",
"display_name": "Win.Dropper.Nanocore-10021490-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Win.Packed.Remcos-10024510-0",
"display_name": "Win.Packed.Remcos-10024510-0",
"target": null
},
{
"id": "Code Overlap",
"display_name": "Code Overlap",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "PSW:Win32/VB.CU",
"display_name": "PSW:Win32/VB.CU",
"target": "/malware/PSW:Win32/VB.CU"
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1541",
"name": "Foreground Persistence",
"display_name": "T1541 - Foreground Persistence"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1470",
"name": "Obtain Device Cloud Backups",
"display_name": "T1470 - Obtain Device Cloud Backups"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 460,
"FileHash-SHA1": 437,
"FileHash-SHA256": 4483,
"SSLCertFingerprint": 2,
"URL": 6487,
"hostname": 1772,
"domain": 652,
"CVE": 3,
"email": 5
},
"indicator_count": 14301,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "160 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/",
"IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth",
"https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"https://l.us-1.a.mimecastprotect.com/l",
"by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"Requires further research.",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"mac.store",
"Redirect: schemas.microsoft.com",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"https://www.mumuplayer.com/redirect/customerservice/fB)y",
"monitoring.eurovision.net",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop",
"https://icloud.ch/",
"Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"Same legal , and quasi governmental pattern identified",
"Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"Malicious IP Contacted: 69.42.215.252",
"It appears there are 5-7 known affected that I was able to find",
"Alerts: packer_unknown",
"Abused Domains Contacted: xred.mooo.com freedns.afraid.org",
"https://icloud.ch/cn/ipod-touch/",
"monitor.kyos.ninja",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html",
"http://apple.support.com/ht***** redirect",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"http://consolefoundry.date/one/gate.php",
"http://freedns.afraid.org/images/apple.gif",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"https://aspmx.l.google.com/",
"http://www.icloud-sms-alert.com/",
"Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns",
"Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert",
"consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"smtp2.icl-privaterelay.appleid.com",
"IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org",
"div>
",
"I apologize for the lack of reference.",
"iphonegermany.com",
"oas-japac-domains-applecomputer.cn",
"Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi",
"robert-aebi.appleid.com",
"https://www.mumuplayer.com/redirect/customerservice/_wig",
"http://audaxgroup.appleid.com/",
"apple.com(-inc.cc)",
"FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Psw:win32/vb.cu",
"Trojan:win32/smkldr.h!mtb",
"Trojan:win32/icedid.di!mtb",
"Icedid",
"Worm:win32/bloored",
"Win.trojan.blacknetrat-7838854-0",
"Emotet",
"Win.trojan.emotet-9850453",
"#lowfi:lua:dllsuspiciousexport.a",
"Mydoom",
"Win.dropper.nanocore-10021490-0",
"Other malware",
"Win.packed.remcos-10024510-0",
"Win.malware.elenooka-6996044-0",
"Worm:win32/autorun!atmn",
"Code overlap"
],
"industries": [
"Telecom",
"Technology",
"Legal"
],
"unique_indicators": 35306
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/urldefense.us",
"whois": "http://whois.domaintools.com/urldefense.us",
"domain": "urldefense.us",
"hostname": "Unavailable"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 3,
"pulses": [
{
"id": "699c6ef61298b57cd7275728",
"name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s",
"description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.",
"modified": "2026-03-25T07:05:10.628000",
"created": "2026-02-23T15:15:02.857000",
"tags": [
"ipv4",
"http",
"passive dns",
"files domain",
"united",
"unknown ns",
"for privacy",
"ip address",
"domain",
"dynamicloader",
"antivirus",
"yara rule",
"fe ff",
"write c",
"msvisualcpp60",
"rsds",
"e8 c8",
"e8 a8",
"ff e1",
"unknown",
"worm",
"launch",
"write",
"explorer",
"february",
"push",
"service",
"files",
"reverse dns",
"america flag",
"america asn",
"url add",
"otx logo",
"all ipv4",
"searc",
"date checked",
"server response",
"results dec",
"unknown soa",
"present aug",
"present oct",
"present sep",
"present nov",
"moved",
"error",
"title",
"win32mydoom feb",
"aaaa",
"name servers",
"trojan",
"servers",
"virtool",
"united states",
"apple",
"crlf line",
"unicode text",
"utf8",
"ff d5",
"ascii text",
"ee fc",
"suspicious",
"music",
"malware",
"role title",
"ttl value",
".cc",
"d4 f5",
"msvisualcpp2002",
"msvisualcpp2005",
"apple support",
".ch",
"privaterelay",
"pattern match",
"ck id",
"mitre att",
"ck matrix",
"href",
"et info",
"general",
"local",
"path",
"click",
"learn",
"command",
"name tactics",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"present jun",
"backdoor",
"present may",
"status",
"ransom",
"high",
"medium",
"windows",
"tofsee",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"stream",
"delete",
"emotet",
"bot network",
"mitm",
"screenshot",
"mimecast"
],
"references": [
"http://apple.support.com/ht***** redirect",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"mac.store",
"https://icloud.ch/cn/ipod-touch/",
"https://icloud.ch/",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"Redirect: schemas.microsoft.com",
"apple.com(-inc.cc)",
"oas-japac-domains-applecomputer.cn",
"robert-aebi.appleid.com",
"smtp2.icl-privaterelay.appleid.com",
"http://audaxgroup.appleid.com/",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"iphonegermany.com",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"https://aspmx.l.google.com/",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"http://www.icloud-sms-alert.com/",
"monitoring.eurovision.net",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"monitor.kyos.ninja"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/IcedId.DI!MTB",
"display_name": "Trojan:Win32/IcedId.DI!MTB",
"target": "/malware/Trojan:Win32/IcedId.DI!MTB"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Worm:Win32/Bloored",
"display_name": "Worm:Win32/Bloored",
"target": "/malware/Worm:Win32/Bloored"
},
{
"id": "Win.Malware.Elenooka-6996044-0",
"display_name": "Win.Malware.Elenooka-6996044-0",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6031,
"hostname": 1971,
"domain": 1125,
"FileHash-SHA256": 1715,
"email": 18,
"FileHash-MD5": 317,
"FileHash-SHA1": 164
},
"indicator_count": 11341,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6920c43c3772bb24f26f70cc",
"name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun",
"description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.",
"modified": "2025-12-21T18:01:07.268000",
"created": "2025-11-21T19:57:48.145000",
"tags": [
"dynamicloader",
"write c",
"write",
"high",
"yara rule",
"myapp",
"delphi",
"worm",
"win32",
"error",
"code",
"malware",
"defender",
"medium",
"binary file",
"heavensgate",
"bochs",
"dynamic",
"td td",
"td tr",
"united",
"a td",
"a domains",
"dynamic dns",
"static dns",
"dd wrt",
"twitter",
"trojan",
"trojandropper",
"null",
"enough",
"simple",
"click",
"easy",
"premium",
"associated urls",
"server response",
"google safe",
"results nov",
"avast avg",
"11.21.2025",
"11.20.2025",
"borland delphi",
"pe32",
"intel",
"ms windows",
"inno setup",
"win32 exe",
"pecompact",
"delphi generic",
"pe32 compiler",
"dark comet",
"dark gate",
"glassworm",
"md5 code",
"data",
"porkbun llc",
"windows match",
"getprocaddress",
"peb idrdata",
"match peb",
"t1547",
"t1059 t1112",
"shared modules",
"t1129",
"boot",
"logon autostart",
"execu",
"t1134 boot",
"encoding",
"capture e1113",
"file attributes",
"analysis ob0001",
"b0001 software",
"virtual machine",
"detection b0009",
"analysis ob0002",
"ob0003 screen",
"windows get",
"check",
"encode",
"check internet",
"wininet set",
"clear file",
"enumerate gui",
"get hostname",
"get keyboard",
"set registry",
"find",
"capture",
"url http",
"consolefoundry",
"console foundry",
"foundry",
"malware catalog tree",
"autorun keys",
"modification",
"alexander karp",
"peter theil",
"christoper ahmann",
"christopher pool",
"mercedes",
"apple",
"palantir",
"adversarial",
"adversaries",
"hostile",
"quasi",
"empty hash",
"denver",
"mal_xred_backdoor",
"backdoor",
"xred",
"brian sabey",
"first-send-petikvx",
"stop",
"glassworm",
"elex",
"darkgate",
"dark-comet",
"search",
"entries",
"show",
"yara detections",
"icmp traffic",
"rtf file",
"top source",
"top destination",
"format",
"host",
"copy",
"next",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"found",
"access att",
"font",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"ascii text",
"pattern match",
"sha256",
"mitre att",
"title",
"meta",
"hybrid",
"local",
"path",
"strings",
"body",
"contact",
"trace",
"form",
"bitcoin",
"core",
"jeffrey reimer",
"exe infection",
"cve",
"porn"
],
"references": [
"FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop",
"Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,",
"Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi",
"Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns",
"Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert",
"Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep",
"Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading",
"Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn",
"Alerts: packer_unknown",
"Malicious IP Contacted: 69.42.215.252",
"Abused Domains Contacted: xred.mooo.com freedns.afraid.org",
"IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org",
"IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com",
"IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com",
"Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access",
"consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry",
"Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below",
"by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"http://freedns.afraid.org/images/apple.gif",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"https://www.mumuplayer.com/redirect/customerservice/_wig",
"https://www.mumuplayer.com/redirect/customerservice/fB)y",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth",
"https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"http://consolefoundry.date/one/gate.php",
"https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453",
"display_name": "Win.Trojan.Emotet-9850453",
"target": null
},
{
"id": "Win.Trojan.BlackNetRAT-7838854-0",
"display_name": "Win.Trojan.BlackNetRAT-7838854-0",
"target": null
},
{
"id": "Win.Dropper.Nanocore-10021490-0",
"display_name": "Win.Dropper.Nanocore-10021490-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Win.Packed.Remcos-10024510-0",
"display_name": "Win.Packed.Remcos-10024510-0",
"target": null
},
{
"id": "Code Overlap",
"display_name": "Code Overlap",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "PSW:Win32/VB.CU",
"display_name": "PSW:Win32/VB.CU",
"target": "/malware/PSW:Win32/VB.CU"
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1541",
"name": "Foreground Persistence",
"display_name": "T1541 - Foreground Persistence"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1470",
"name": "Obtain Device Cloud Backups",
"display_name": "T1470 - Obtain Device Cloud Backups"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 460,
"FileHash-SHA1": 437,
"FileHash-SHA256": 4483,
"SSLCertFingerprint": 2,
"URL": 6487,
"hostname": 1772,
"domain": 652,
"CVE": 3,
"email": 5
},
"indicator_count": 14301,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "160 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://urldefense.us/jerror/",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://urldefense.us/jerror/",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780236456.8771648
}