{ "type": "URL", "indicator": "https://vdradmin.planetven.us/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://vdradmin.planetven.us/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4096412935, "indicator": "https://vdradmin.planetven.us/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 29, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "7 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69aa41b0d714318bf8937184", "name": "W.Vashti .Net obfuscator clone", "description": "", "modified": "2026-04-04T00:06:41.423000", "created": "2026-03-06T02:53:36.216000", "tags": [ "no expiration", "domain", "name", "control flow", "dlls", "method parent", "declarative", "ms build", "core", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "dock", "write", "execution", "capture", "endgame", "united", "moved", "ip address", "record value", "gate software", "newnham house", "expiration date", "urls", "url add", "http", "related nids", "files location", "flag united", "present aug", "present sep", "present nov", "present oct", "name servers", "emails", "present dec", "meta", "passive dns", "next associated", "ipv4", "url analysis", "files", "cookie", "subscribe", "unsubscribe", "s paris", "englewood", "state", "skip", "espaol", "summary", "filing history", "ireland", "title", "united states", "certificate", "colorado", "ipv4 add", "america flag", "showing", "pulse submit", "size", "pattern match", "mitre att", "ck id", "path", "hybrid", "general", "local", "iframe", "click", "strings", "cece", "mult", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "sha1", "sha256", "njmk", "kwruymy", "mime", "submitted", "process details", "calls", "apis", "reads", "defense evasion", "model", "getprocaddress", "show technique", "ck matrix", "access type", "value", "api call", "open", "august", "format", "typeof symbol", "typeof s", "typeof c", "function", "symbol", "comenabled", "image path", "ndex", "ndroleextdll", "f0f0f0", "ff4b55", "stop", "span", "show process", "binary file", "file", "network traffic", "encrypt", "date", "found", "ssl certificate", "creation date", "hostname add", "pulse pulses", "files ip", "address domain", "data upload", "extraction", "ge6 mira", "failed", "ascii text", "development att", "hostname", "files domain", "files related", "pulses otx", "pulses", "unknown aaaa", "unknown ns", "united states", "urls show", "date checked", "url hostname", "server response", "google safe", "results may", "a domains", "search", "germany unknown", "win32", "lowfi", "chrome", "susp", "trojan", "backdoor", "twitter", "virtool", "worm", "exploit", "trojandropper", "win32upatre dec", "mtb dec", "reverse dns", "body", "location united", "asn as14618", "less whois", "files show", "date hash", "avast avg", "initial access", "javascript", "root", "enterprise", "form", "desktop", "command decode", "suricata ipv4", "spycloud", "robots", "bots", "chatbot", "bot network", "spy", "mixb", "a2fryx", "therahand", "typosquating" ], "references": [ "https://www.red-gate.com/products/smartassembly", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" } ], "industries": [], "TLP": "green", "cloned_from": "6952d4fc6910b0b866746d8a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 343, "FileHash-SHA256": 1332, "domain": 1062, "hostname": 1969, "URL": 5700, "email": 10, "SSLCertFingerprint": 21, "CVE": 1 }, "indicator_count": 10779, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a1a73eb0578b92962dae97", "name": "FBI Link (Ransomware)sent to a device. opened on its own. Why?", "description": "I wouldn\u2019t typically search an alleged authentic government site , except it opened on a device, no prompt. TrojanDownloader:Win32/Dalexis!rfn!rfn\nIDS Detections\nMaktub Locker TOR Status Check\nTOR Consensus Data Requested\nTOR 1.0 Server Key Retrieval\nTor Get Server Request\nTLS Handshake Failure\nYara Detections\nstack_string\nWho is : [URL\n[https://tor-dirauth.sebastianhahn.net/]\n[https://tor.sebastianhahn.net]\n[tor-dirauth.sebastianhahn.net]\n->gitbot.faui2k9.de\n[Status faui2k9.de -connect] connects to device \n100% Malicious | https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70 | [External resources discovered in HTML content:\ndap.digitalgov.gov | Pattern match: \"fbi.gov/contact-us/field-offices/denver/news/pr\"\nHeuristic match: \"x.com\" | will revisit", "modified": "2026-03-29T13:04:34.750000", "created": "2026-02-27T14:16:30.498000", "tags": [ "regopenkeyexw", "port", "destination", "cryptexportkey", "search", "show", "entries", "windows nt", "regsetvalueexa", "ip address", "malware", "copy", "write", "win32", "next", "format", "contacted", "less ip", "server", "organization", "city", "stateprovince", "postal code", "phone", "date", "registrar abuse", "privacy admin", "paris admin", "april", "february", "failed", "enter", "data upload", "passive dns", "urls", "aaaa", "certificate", "otx logo", "all hostname", "pulse submit", "url analysis", "files", "domain", "title", "body", "encrypt", "netherlands", "gmt content", "all ipv4", "amsterdam", "hetzner online", "gmbh", "summary", "url age", "de seen", "general info", "geo germany", "as as24940", "de note", "route", "direct", "pro platform", "logs", "suricata alert", "et info", "tls handshake", "bad traffic", "suricata alerts", "copy md5", "copy sha1", "copy sha256", "sha1", "size", "sha256", "pattern match", "ascii text", "mitre att", "ck id", "path", "unknown", "stop", "root", "hybrid", "general", "local", "form", "click", "strings", "9999", "learn", "adversaries", "name tactics", "suspicious", "informative", "command", "defense evasion", "spawns", "found", "show technique", "ck matrix", "href", "antivirus", "maktub locker", "tor status", "check" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1129, "domain": 148, "hostname": 753, "FileHash-SHA256": 548, "FileHash-MD5": 90, "FileHash-SHA1": 71, "SSLCertFingerprint": 8, "CIDR": 1, "email": 4 }, "indicator_count": 2752, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698e906da16336f8e87c3b90", "name": "CoinHive Clone ", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-02-13T02:46:05.544000", "tags": [ "united", "td tr", "a domains", "history group", "state", "b td", "present sep", "find", "alabama", "iowa", "apache", "content type", "passive dns", "meta http", "content", "gmt server", "pragma", "title", "linksys eseries", "device rce", "inbound", "et exploit", "attempt", "et webserver", "suspicious user", "user agent", "et worm", "policy python", "python", "agent", "generic", "malware", "nids", "dst_ip", "\"sid\": 2017515,", "2020/08/23", "dst_port\": 8080", "suricata", "network_icmp", "tcp_syn_scan", "unix", "mirai", "infection", "port 8080", "aitm", "mitm", "xfinity", "lumen backbone", "xfinity cf", "et info", "useragent", "webserver", "android", "linux", "statistically stripped", "local", "Jefferson County", "Colorado", "State", "is__elf", "is__war", "cyber warfare", "marking", "targeting", "stalking", "impersonating", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "defense evasion", "mitre att", "ck matrix", "february", "hybrid", "general", "path", "encrypt", "click", "strings", "attack", "ssl certificate", "ascii text", "dynamicloader", "yara rule", "ff d5", "medium", "high", "eb d8", "f0 ff", "ff bb", "host", "unknown", "explorer", "virtool", "write", "next", "Douglas County", "Michael Roberts", "Brian Sabey", "Chris\u2019Buzz\u2019 Ahmann", "Mirai BotMaster", "file type", "pexe", "pe32", "intel", "ms windows", "date march", "am size", "imphash", "otx logo", "all filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "moved", "urls", "expiration date", "all hostname", "files", "media", "present feb", "present jan", "present dec", "present nov", "ip address", "present", "codex", "sf.net", "next associated", "ipv4 add", "location united", "america flag", "spawns", "found", "t1480 execution", "pattern match", "present aug", "search", "name servers", "showing", "record value", "meta", "accept", "div div", "request blocked", "helvetica neue", "helvetica segoe", "ui arial", "denver", "yandex", "post", "entries", "post http", "show", "post liquor", "execution", "port", "destination", "icmp traffic", "dns query", "include", "top source" ], "references": [ "https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in", "genealogytrails.com", "It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT", "Has been present throughout a specific campaign", "Mirai", "IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt", "IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS", "IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests", "IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)", "IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden", "ET INFO User-Agent (python-requests) Inbound to Webserver", "Suspicious User Agent | ETPRO POLICY Python Requests", "src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105", "\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,", "TCP SYN packets were observed", "ET WORM TheMoon.linksys.router", "ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound", "\"ET WEB_SERVER WebShell Generic - wget http - POST", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX", "Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication", "Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc", "Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject", "File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:", "upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4", "192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net", "Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB", "IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz", "IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin", "Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process", "Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert", "Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options", "Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..", "IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193", "IPs Contacted: 149.56.240.31 172.66.136.209", "Domains Contacted: c.statcounter.com sstatic1.histats.com", "Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com", "Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com", "Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com", "Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com", "Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com", "Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com", "Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com", "Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Unix.Trojan.Mirai-7646352-0", "display_name": "Unix.Trojan.Mirai-7646352-0", "target": null }, { "id": "SpyFu", "display_name": "SpyFu", "target": null }, { "id": "Win.Trojan.VB-83922", "display_name": "Win.Trojan.VB-83922", "target": null }, { "id": "virtool:Win32/VBInject.gen!JB", "display_name": "virtool:Win32/VBInject.gen!JB", "target": "/malware/virtool:Win32/VBInject.gen!JB" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" } ], "industries": [], "TLP": "white", "cloned_from": "698966742c9fd9691396bb3a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5836, "domain": 857, "FileHash-MD5": 185, "FileHash-SHA1": 147, "hostname": 1842, "email": 7, "FileHash-SHA256": 947, "CVE": 43, "SSLCertFingerprint": 8 }, "indicator_count": 9872, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b7cb05b2098c1d2bf20f", "name": "federal goverment clone cellbrite credit q vashti", "description": "", "modified": "2026-03-12T12:55:39.046000", "created": "2026-03-12T12:55:39.046000", "tags": [ "url https", "url http", "germany", "united", "ukraine", "japan", "extraction", "data upload", "urls", "url analysis", "enter sc", "extr", "iocs", "active", "france unknown", "present jan", "servers", "homair sweet", "grabber", "encrypt", "ipv4", "role title", "divx", "pitfall", "internet", "ip role", "america asn", "extraction data", "leveibielabs", "all se", "enter source", "url or", "texirag", "drop", "present nov", "united states", "america", "levdibidelabs", "failed", "idron anv", "include manualv", "review data", "iterng", "name servers", "passive dns", "incapsula", "meta name", "robots content", "x ua", "ieedge chrome1", "script head", "request", "cookie", "indicator", "msie", "chrome", "backdoor", "gmt content", "ipv4 add", "twitter", "title", "process32nextw", "ms windows", "intel", "pe32", "regopenkeyexa", "read c", "medium", "class", "write", "template", "present oct", "present jul", "aaaa", "present sep", "present aug", "url add", "http", "hostname", "related tags", "kx81xdbx0f", "x86xd3", "xa7xe28x06", "x82xd4", "delete c", "regsetvalueexa", "regbinary", "xa1xf1", "xe8xc2x14", "malware", "stream", "unknown", "win32", "persistence", "execution", "push", "present dec", "italy", "present jun", "embeddedwb", "whitelisted", "windows nt", "dns traffic", "russia", "cname", "accept", "destination", "port", "et smtp", "message", "et trojan", "components", "suspicious", "download", "hostile", "next", "logic", "gather victim", "et info", "etpro trojan", "trojan", "report spam", "interesting", "created", "pegasus", "manipulation", "service", "capture", "et", "etpro", "host", "attack", "mtb description", "windows", "shellexecuteexw", "writeconsolew", "registry", "t1031", "modify existing", "dock", "type indicator", "added active", "related pulses", "arcflex", "filehashsha1", "types of", "learn more", "filehashsha256", "cellebrite", "white label", "search", "sha1", "france", "cmanual jan", "expiration date", "domain add", "pulse submit", "files", "ip address", "gmt cache", "sameorigin", "reverse dns", "unknown ns", "admin org", "zipcode", "gmt server", "pulse pulses", "entries", "hostname add", "verdict", "germany unknown", "status", "domain", "xpirat", "netherlands", "netherlands asn", "as35280 acorus", "dns resolutions", "error", "files ip", "copy", "telnet login", "suspicious path", "busybox", "login attempt", "gpl telnet", "high", "tcp syn", "telnet root", "path", "mirai", "emails", "domain name", "jlu11q", "tqbplo", "hours ago", "found", "yahoo", "gmail", "yandex", "https://cellebrite.com/en/federal-government/", "monitoring", "monitored target", "dangerous", "spyware", "80211", "colorado", "x amz", "government", "mirai login attempt", "emotet", "c2", ".ru", ".com", "denver", "indicator role", "title added", "active related", "pulses hostname", "dead connect", "hostile", "adversarial", "abuse", "criminal intent", "block messages", "botnet" ], "references": [ "fastwebnet.it | Cellebrite White Label Spyware Service", "putrhnwl.exe", "Yara Detections: Nullsoft_NSIS", "Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut", "Alerts: exe_appdata injection_process_search privilege_luid_check process_interest", "Alerts: queries_programs antivm_queries_computername antivm_memory_available", "IP\u2019s Contacted : 54.230.129.165", "Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com", "Domains Contacted: pitfall.divx.com www.google.com", "RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Yara: Detections Tofsee", "Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey", "Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername", "https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966", "FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,", "DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe", "ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116", "ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116", "ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101", "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108", "ET TROJAN Suspicious double Server Header", "ET DNS DNS Query to a .tk domain - Likey", "ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101", "Needs to be sorted. Actively being exploited on US", "162.159.134.42 \u2022 https://cellebrite.com/", "https://cellebrite.com/en/federal-government/", "moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in", "skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au", "http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com", "applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33", "mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my", "http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Germany", "Ireland", "Switzerland", "Poland", "Belgium", "Netherlands", "Sweden" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/Aptdrop.RU", "display_name": "Trojan:Win32/Aptdrop.RU", "target": "/malware/Trojan:Win32/Aptdrop.RU" }, { "id": "Ransomware/Win.Stop.R4529", "display_name": "Ransomware/Win.Stop.R4529", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Win32/BackdoorX", "display_name": "Win32/BackdoorX", "target": null }, { "id": "Win.Trojan.Dialog-9873788-0", "display_name": "Win.Trojan.Dialog-9873788-0", "target": null }, { "id": "Tsunami-6981155-0", "display_name": "Tsunami-6981155-0", "target": null }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1196", "name": "Control Panel Items", "display_name": "T1196 - Control Panel Items" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1581", "name": "Geofencing", "display_name": "T1581 - Geofencing" }, { "id": "T1582", "name": "SMS Control", "display_name": "T1582 - SMS Control" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [ "Journalists", "Government", "Civil Society" ], "TLP": "green", "cloned_from": "696f7d467763ed4d4e74d133", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4994, "domain": 2519, "hostname": 3281, "FileHash-SHA256": 4467, "FileHash-MD5": 1118, "FileHash-SHA1": 1056, "email": 12, "SSLCertFingerprint": 1 }, "indicator_count": 17448, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698966742c9fd9691396bb3a", "name": "CoinHive In-Browser Miner | ET EXPLOIT Linksys E-Series Device RCE Attempt via \u2018AI chat\u2019 Xfinity Commercial Fleet vehicle parked /AITM", "description": "Merits further research. Work no is consistent with a man advocate named Michael\nRoberts of Rexxfield and Miles2/ Mile2 / seen frequently in attacks against females | targeted individual apparently was using an AI browser search when a keyword triggered glitches.\nSearch of a URL\ntarget has never heard of or seen found in device search results. Targets device injected, Mirai botnet found, Other suspicious findings. TBConrinued..:.\n[OTX. Auto populated Significantly more details have been revealed about the GoDaddy.com domain, which has been listed as an unregistered domain by the Internet Service Authority (icann). and its users are not allowed to use it.] #man_jn_tve_midxle #drive_ by_compromise #injection.", "modified": "2026-03-11T04:02:50.189000", "created": "2026-02-09T04:45:40.250000", "tags": [ "united", "td tr", "a domains", "history group", "state", "b td", "present sep", "find", "alabama", "iowa", "apache", "content type", "passive dns", "meta http", "content", "gmt server", "pragma", "title", "linksys eseries", "device rce", "inbound", "et exploit", "attempt", "et webserver", "suspicious user", "user agent", "et worm", "policy python", "python", "agent", "generic", "malware", "nids", "dst_ip", "\"sid\": 2017515,", "2020/08/23", "dst_port\": 8080", "suricata", "network_icmp", "tcp_syn_scan", "unix", "mirai", "infection", "port 8080", "aitm", "mitm", "xfinity", "lumen backbone", "xfinity cf", "et info", "useragent", "webserver", "android", "linux", "statistically stripped", "local", "Jefferson County", "Colorado", "State", "is__elf", "is__war", "cyber warfare", "marking", "targeting", "stalking", "impersonating", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "defense evasion", "mitre att", "ck matrix", "february", "hybrid", "general", "path", "encrypt", "click", "strings", "attack", "ssl certificate", "ascii text", "dynamicloader", "yara rule", "ff d5", "medium", "high", "eb d8", "f0 ff", "ff bb", "host", "unknown", "explorer", "virtool", "write", "next", "Douglas County", "Michael Roberts", "Brian Sabey", "Chris\u2019Buzz\u2019 Ahmann", "Mirai BotMaster", "file type", "pexe", "pe32", "intel", "ms windows", "date march", "am size", "imphash", "otx logo", "all filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "moved", "urls", "expiration date", "all hostname", "files", "media", "present feb", "present jan", "present dec", "present nov", "ip address", "present", "codex", "sf.net", "next associated", "ipv4 add", "location united", "america flag", "spawns", "found", "t1480 execution", "pattern match", "present aug", "search", "name servers", "showing", "record value", "meta", "accept", "div div", "request blocked", "helvetica neue", "helvetica segoe", "ui arial", "denver", "yandex", "post", "entries", "post http", "show", "post liquor", "execution", "port", "destination", "icmp traffic", "dns query", "include", "top source" ], "references": [ "https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in", "genealogytrails.com", "It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT", "Has been present throughout a specific campaign", "Mirai", "IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt", "IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS", "IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests", "IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)", "IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden", "ET INFO User-Agent (python-requests) Inbound to Webserver", "Suspicious User Agent | ETPRO POLICY Python Requests", "src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105", "\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,", "TCP SYN packets were observed", "ET WORM TheMoon.linksys.router", "ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound", "\"ET WEB_SERVER WebShell Generic - wget http - POST", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX", "Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication", "Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc", "Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject", "File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:", "upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4", "192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net", "Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB", "IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz", "IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin", "Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process", "Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert", "Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options", "Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..", "IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193", "IPs Contacted: 149.56.240.31 172.66.136.209", "Domains Contacted: c.statcounter.com sstatic1.histats.com", "Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com", "Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com", "Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com", "Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com", "Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com", "Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com", "Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com", "Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Unix.Trojan.Mirai-7646352-0", "display_name": "Unix.Trojan.Mirai-7646352-0", "target": null }, { "id": "SpyFu", "display_name": "SpyFu", "target": null }, { "id": "Win.Trojan.VB-83922", "display_name": "Win.Trojan.VB-83922", "target": null }, { "id": "virtool:Win32/VBInject.gen!JB", "display_name": "virtool:Win32/VBInject.gen!JB", "target": "/malware/virtool:Win32/VBInject.gen!JB" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5779, "domain": 730, "FileHash-MD5": 185, "FileHash-SHA1": 147, "hostname": 1790, "email": 5, "FileHash-SHA256": 947, "CVE": 3, "SSLCertFingerprint": 8 }, "indicator_count": 9594, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696f7d467763ed4d4e74d133", "name": "Federal Government-Cellebrite Attack found actively targeting iOS and other devices | Mirai login attempts | TelNet Login", "description": "https://cellebrite.com/en/federal-government/ | Found on a crime victims devices. Targets abused by spyware in an unethical manner by andvesarial \u2018governmental\u2019 possibly \u2018contracted\u2019 entities. Waged against targets such as victims of crime , journalists , researchers , students. Target Users: Serves public safety, enterprise, and government sectors, aiding first responders, investigators, prosecutors, and analysts. How it's Used Law enforcement uses it to unlock devices and retrieve evidence like messages, location history, and app data for criminal investigations. It helps uncover critical information from digital devices, even recovering data that users thought was permanently deleted. Controversy & Privacy Concerns While marketed as a tool for lawful investigations, its powerful data extraction capabilities raise significant privacy concerns and ethical debates.", "modified": "2026-02-19T12:05:47.166000", "created": "2026-01-20T13:04:06.622000", "tags": [ "url https", "url http", "germany", "united", "ukraine", "japan", "extraction", "data upload", "urls", "url analysis", "enter sc", "extr", "iocs", "active", "france unknown", "present jan", "servers", "homair sweet", "grabber", "encrypt", "ipv4", "role title", "divx", "pitfall", "internet", "ip role", "america asn", "extraction data", "leveibielabs", "all se", "enter source", "url or", "texirag", "drop", "present nov", "united states", "america", "levdibidelabs", "failed", "idron anv", "include manualv", "review data", "iterng", "name servers", "passive dns", "incapsula", "meta name", "robots content", "x ua", "ieedge chrome1", "script head", "request", "cookie", "indicator", "msie", "chrome", "backdoor", "gmt content", "ipv4 add", "twitter", "title", "process32nextw", "ms windows", "intel", "pe32", "regopenkeyexa", "read c", "medium", "class", "write", "template", "present oct", "present jul", "aaaa", "present sep", "present aug", "url add", "http", "hostname", "related tags", "kx81xdbx0f", "x86xd3", "xa7xe28x06", "x82xd4", "delete c", "regsetvalueexa", "regbinary", "xa1xf1", "xe8xc2x14", "malware", "stream", "unknown", "win32", "persistence", "execution", "push", "present dec", "italy", "present jun", "embeddedwb", "whitelisted", "windows nt", "dns traffic", "russia", "cname", "accept", "destination", "port", "et smtp", "message", "et trojan", "components", "suspicious", "download", "hostile", "next", "logic", "gather victim", "et info", "etpro trojan", "trojan", "report spam", "interesting", "created", "pegasus", "manipulation", "service", "capture", "et", "etpro", "host", "attack", "mtb description", "windows", "shellexecuteexw", "writeconsolew", "registry", "t1031", "modify existing", "dock", "type indicator", "added active", "related pulses", "arcflex", "filehashsha1", "types of", "learn more", "filehashsha256", "cellebrite", "white label", "search", "sha1", "france", "cmanual jan", "expiration date", "domain add", "pulse submit", "files", "ip address", "gmt cache", "sameorigin", "reverse dns", "unknown ns", "admin org", "zipcode", "gmt server", "pulse pulses", "entries", "hostname add", "verdict", "germany unknown", "status", "domain", "xpirat", "netherlands", "netherlands asn", "as35280 acorus", "dns resolutions", "error", "files ip", "copy", "telnet login", "suspicious path", "busybox", "login attempt", "gpl telnet", "high", "tcp syn", "telnet root", "path", "mirai", "emails", "domain name", "jlu11q", "tqbplo", "hours ago", "found", "yahoo", "gmail", "yandex", "https://cellebrite.com/en/federal-government/", "monitoring", "monitored target", "dangerous", "spyware", "80211", "colorado", "x amz", "government", "mirai login attempt", "emotet", "c2", ".ru", ".com", "denver", "indicator role", "title added", "active related", "pulses hostname", "dead connect", "hostile", "adversarial", "abuse", "criminal intent", "block messages", "botnet" ], "references": [ "fastwebnet.it | Cellebrite White Label Spyware Service", "putrhnwl.exe", "Yara Detections: Nullsoft_NSIS", "Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut", "Alerts: exe_appdata injection_process_search privilege_luid_check process_interest", "Alerts: queries_programs antivm_queries_computername antivm_memory_available", "IP\u2019s Contacted : 54.230.129.165", "Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com", "Domains Contacted: pitfall.divx.com www.google.com", "RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Yara: Detections Tofsee", "Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey", "Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername", "https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966", "FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,", "DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe", "ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116", "ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116", "ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101", "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108", "ET TROJAN Suspicious double Server Header", "ET DNS DNS Query to a .tk domain - Likey", "ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101", "Needs to be sorted. Actively being exploited on US", "162.159.134.42 \u2022 https://cellebrite.com/", "https://cellebrite.com/en/federal-government/", "moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in", "skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au", "http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com", "applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33", "mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my", "http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Germany", "Ireland", "Switzerland", "Poland", "Belgium", "Netherlands", "Sweden" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/Aptdrop.RU", "display_name": "Trojan:Win32/Aptdrop.RU", "target": "/malware/Trojan:Win32/Aptdrop.RU" }, { "id": "Ransomware/Win.Stop.R4529", "display_name": "Ransomware/Win.Stop.R4529", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Win32/BackdoorX", "display_name": "Win32/BackdoorX", "target": null }, { "id": "Win.Trojan.Dialog-9873788-0", "display_name": "Win.Trojan.Dialog-9873788-0", "target": null }, { "id": "Tsunami-6981155-0", "display_name": "Tsunami-6981155-0", "target": null }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1196", "name": "Control Panel Items", "display_name": "T1196 - Control Panel Items" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1581", "name": "Geofencing", "display_name": "T1581 - Geofencing" }, { "id": "T1582", "name": "SMS Control", "display_name": "T1582 - SMS Control" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [ "Journalists", "Government", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4994, "domain": 2519, "hostname": 3281, "FileHash-SHA256": 4467, "FileHash-MD5": 1118, "FileHash-SHA1": 1056, "email": 12, "SSLCertFingerprint": 1 }, "indicator_count": 17448, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6963596c4cd594b77b4675ec", "name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - PalantirFoundry | The State of Colorado | ", "description": "", "modified": "2026-02-10T06:05:39.764000", "created": "2026-01-11T08:03:56.534000", "tags": [ "colorado state", "freeman mathis", "history", "cyber risk", "aspen insureds", "gaig insureds", "landy insureds", "nip group", "purm insureds", "overview core", "united", "ip address", "present nov", "present may", "moved", "encrypt", "unknown", "backdoor", "passive dns", "ransom", "checkin", "trojandropper", "mtb nov", "twitter", "trojan", "data upload", "extraction", "failed", "united states", "server response", "google safe", "results may", "lowfi", "virtool", "mtb alf", "mh alf", "port", "windows nt", "destination", "msie", "khtml", "gecko", "unknown aaaa", "a domains", "meta", "for privacy", "cop supply", "urls", "as139646 hong", "hostname", "files", "hong kong", "domain add", "ip related", "hash avast", "avg clamav", "msdefender may", "ddos", "as13335", "ipv4", "certificate", "hostname add", "url analysis", "files ip", "name strings", "category", "united states", "pulse indicator", "address", "error", "null", "object", "string", "number", "google maps", "promise", "javascript api", "dataset", "bigint", "dark", "android", "infinity", "internal", "roboto", "trident", "void", "small", "lightrail", "false", "span", "close", "light", "hybrid", "embed", "iframe", "keygen", "this", "february", "bounce", "drop", "inside", "outside", "marker", "present dec", "pulses otx", "aaaa", "asnone country", "record value", "title", "pulse pulses", "pulses", "showing", "unknown cname", "unknown soa", "next associated", "ipv4 add", "cycbot", "extract indic", "sneaker bots", "proxies data", "script script", "adult content", "nextimage", "porn site", "div div", "platform make", "cloudfront x", "hio52 p3", "unknown ns", "pulse submit", "title error", "reverse dns", "status", "servers", "name servers", "vashti hostname", "scan endpoints", "url http", "http", "files domain", "files related", "pulses none", "dnssec", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "domain", "emails", "cookie", "url https", "show", "filehash", "urls show", "date checked", "url hostname", "results nov", "win32", "type", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "llc name", "server", "markmonitor", "name server", "windir", "openurl c", "prefetch2", "show technique", "mitre att", "ck matrix", "pattern match", "ascii text", "sha1", "href", "show process", "file", "general", "local", "path", "germany unknown", "date", "registrar", "ip whois", "dynamicloader", "high", "medium", "search", "displayname", "tofsee", "win64", "write", "stream", "malware", "push", "entries", "tls handshake", "failure", "forbidden", "tlsv1", "april", "next", "write c", "intel", "ms windows", "sha1 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "sha256 add", "present jun", "present mar", "medelln", "colombia asn", "dns resolutions", "address domain", "related tags", "none google", "safe browsing", "external", "present sep", "present aug", "as54113", "present jul", "as8068", "gmt content", "total", "read", "delete", "top source", "quasi", "murderers", "christopher ahmann", "buzz ahmann", "wow64", "slcc2", "media center", "labor", "employment", "cdle", "dowc", "colorado", "workers", "coloradoif", "independent", "state", "company", "entity type", "authorized line", "analysis", "tor analysis", "process details", "network traffic", "t1071", "potential ip", "click", "found", "t1480 execution", "bad traffic", "et info", "ck techniques", "evasion att", "t1057", "refresh", "body", "strings", "tools", "look", "verify", "restart", "cname", "form", "pulse", "script domains", "script urls", "administrator", "services llc", "dns admin", "domain admin", "global llc", "domain manager", "computer system", "ltd domain", "network", "alibaba", "facebook", "phishme", "sogou", "present jan", "present feb", "present oct" ], "references": [ "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "https://maps.googleapis.com/maps/api/js?sensor=false", "cell-0.af-south-1.prod.telemetry.console.api.aws", "howtoworkacrickoutofyourneck2.pages.dev", "firebase-auth-eich0v.pages.dev", "http://ianswertomom.com/develop-wise-woman-within-yourself", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "https://khmerpornvideo.signup0.y.id/", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "https://clear.ml/infrastructure-control-plane", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "Legal court documented agreement to allow and pay target to hire cyber investigators", "Attacks are being carried out by The State of Colorado" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "France", "Ireland", "Spain", "Italy", "Aruba", "Australia", "Denmark", "United Kingdom of Great Britain and Northern Ireland", "Germany", "T\u00fcrkiye", "Indonesia" ], "malware_families": [ { "id": "Win.Trojan.GravityRAT-6511862-0", "display_name": "Win.Trojan.GravityRAT-6511862-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null }, { "id": "TrojanDropper:Win32/Systex.A", "display_name": "TrojanDropper:Win32/Systex.A", "target": "/malware/TrojanDropper:Win32/Systex.A" }, { "id": "Win.Trojan.Tepfer-61", "display_name": "Win.Trojan.Tepfer-61", "target": null }, { "id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "target": null }, { "id": "VirTool:Win32/VBInject.gen!MH", "display_name": "VirTool:Win32/VBInject.gen!MH", "target": "/malware/VirTool:Win32/VBInject.gen!MH" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "#LOWFI:HSTR:Criakl.B1", "display_name": "#LOWFI:HSTR:Criakl.B1", "target": null }, { "id": "Backdoor:Win32/Arwobot.B", "display_name": "Backdoor:Win32/Arwobot.B", "target": "/malware/Backdoor:Win32/Arwobot.B" }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Win.Downloader.Small-4507", "display_name": "Win.Downloader.Small-4507", "target": null }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "Win.Malware.Mikey-9949492-0", "display_name": "Win.Malware.Mikey-9949492-0", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "DDOS:Linux/Gafgyt.YA!MTB", "display_name": "DDOS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDOS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-11882", "display_name": "CVE-2017-11882", "target": null }, { "id": "ALF:Exploit:O97M/CVE-2017-8977", "display_name": "ALF:Exploit:O97M/CVE-2017-8977", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" } ], "industries": [ "Insurance", "Construction" ], "TLP": "green", "cloned_from": "693cdc5b8ebc10664439c2fb", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54118, "domain": 11153, "hostname": 18578, "email": 21, "FileHash-SHA256": 4905, "FileHash-MD5": 548, "FileHash-SHA1": 534, "CVE": 7, "SSLCertFingerprint": 20, "CIDR": 1 }, "indicator_count": 89885, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693cdc5b8ebc10664439c2fb", "name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - Freeman Mathis & Gary for The State of Colorado", "description": "State of Colorado attackers use DGA domains set up multiple Law Firms.. Christopher P. \u2019Buzz\u2019 Ahmann Is a legal consultant / attorney./ hacker \nWorks for the State of Colorado/ quasi. Is malicious and doesn\u2019t work alone. Continues to target \nState had relative contacted by a fake entity \u2018Goodness Health\u2019\nLeft vague VM for relative message \u201cWe work on the Medicare side of things.\u201d and? \nSocial engineering call , malicious domain. The State of Colorado has been on a relentless pursuit against target. Fully compromised targets relatives brand new phone. Hacked target since 10/2013.\nMultiple cyber and physical attacks carried out against target and family members.. There are attacks make to look like accidents or malfunctions. This harmful, silencing behavior is somehow illegal for anyone else.", "modified": "2026-02-10T06:05:39.764000", "created": "2025-12-13T03:24:11.414000", "tags": [ "colorado state", "freeman mathis", "history", "cyber risk", "aspen insureds", "gaig insureds", "landy insureds", "nip group", "purm insureds", "overview core", "united", "ip address", "present nov", "present may", "moved", "encrypt", "unknown", "backdoor", "passive dns", "ransom", "checkin", "trojandropper", "mtb nov", "twitter", "trojan", "data upload", "extraction", "failed", "united states", "server response", "google safe", "results may", "lowfi", "virtool", "mtb alf", "mh alf", "port", "windows nt", "destination", "msie", "khtml", "gecko", "unknown aaaa", "a domains", "meta", "for privacy", "cop supply", "urls", "as139646 hong", "hostname", "files", "hong kong", "domain add", "ip related", "hash avast", "avg clamav", "msdefender may", "ddos", "as13335", "ipv4", "certificate", "hostname add", "url analysis", "files ip", "name strings", "category", "united states", "pulse indicator", "address", "error", "null", "object", "string", "number", "google maps", "promise", "javascript api", "dataset", "bigint", "dark", "android", "infinity", "internal", "roboto", "trident", "void", "small", "lightrail", "false", "span", "close", "light", "hybrid", "embed", "iframe", "keygen", "this", "february", "bounce", "drop", "inside", "outside", "marker", "present dec", "pulses otx", "aaaa", "asnone country", "record value", "title", "pulse pulses", "pulses", "showing", "unknown cname", "unknown soa", "next associated", "ipv4 add", "cycbot", "extract indic", "sneaker bots", "proxies data", "script script", "adult content", "nextimage", "porn site", "div div", "platform make", "cloudfront x", "hio52 p3", "unknown ns", "pulse submit", "title error", "reverse dns", "status", "servers", "name servers", "vashti hostname", "scan endpoints", "url http", "http", "files domain", "files related", "pulses none", "dnssec", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "domain", "emails", "cookie", "url https", "show", "filehash", "urls show", "date checked", "url hostname", "results nov", "win32", "type", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "llc name", "server", "markmonitor", "name server", "windir", "openurl c", "prefetch2", "show technique", "mitre att", "ck matrix", "pattern match", "ascii text", "sha1", "href", "show process", "file", "general", "local", "path", "germany unknown", "date", "registrar", "ip whois", "dynamicloader", "high", "medium", "search", "displayname", "tofsee", "win64", "write", "stream", "malware", "push", "entries", "tls handshake", "failure", "forbidden", "tlsv1", "april", "next", "write c", "intel", "ms windows", "sha1 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "sha256 add", "present jun", "present mar", "medelln", "colombia asn", "dns resolutions", "address domain", "related tags", "none google", "safe browsing", "external", "present sep", "present aug", "as54113", "present jul", "as8068", "gmt content", "total", "read", "delete", "top source", "quasi", "murderers", "christopher ahmann", "buzz ahmann", "wow64", "slcc2", "media center", "labor", "employment", "cdle", "dowc", "colorado", "workers", "coloradoif", "independent", "state", "company", "entity type", "authorized line", "analysis", "tor analysis", "process details", "network traffic", "t1071", "potential ip", "click", "found", "t1480 execution", "bad traffic", "et info", "ck techniques", "evasion att", "t1057", "refresh", "body", "strings", "tools", "look", "verify", "restart", "cname", "form", "pulse", "script domains", "script urls", "administrator", "services llc", "dns admin", "domain admin", "global llc", "domain manager", "computer system", "ltd domain", "network", "alibaba", "facebook", "phishme", "sogou", "present jan", "present feb", "present oct" ], "references": [ "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "https://maps.googleapis.com/maps/api/js?sensor=false", "cell-0.af-south-1.prod.telemetry.console.api.aws", "howtoworkacrickoutofyourneck2.pages.dev", "firebase-auth-eich0v.pages.dev", "http://ianswertomom.com/develop-wise-woman-within-yourself", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "https://khmerpornvideo.signup0.y.id/", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "https://clear.ml/infrastructure-control-plane", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "Legal court documented agreement to allow and pay target to hire cyber investigators", "Attacks are being carried out by The State of Colorado" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "France", "Ireland", "Spain", "Italy", "Aruba", "Australia", "Denmark", "United Kingdom of Great Britain and Northern Ireland", "Germany", "T\u00fcrkiye", "Indonesia" ], "malware_families": [ { "id": "Win.Trojan.GravityRAT-6511862-0", "display_name": "Win.Trojan.GravityRAT-6511862-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null }, { "id": "TrojanDropper:Win32/Systex.A", "display_name": "TrojanDropper:Win32/Systex.A", "target": "/malware/TrojanDropper:Win32/Systex.A" }, { "id": "Win.Trojan.Tepfer-61", "display_name": "Win.Trojan.Tepfer-61", "target": null }, { "id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "target": null }, { "id": "VirTool:Win32/VBInject.gen!MH", "display_name": "VirTool:Win32/VBInject.gen!MH", "target": "/malware/VirTool:Win32/VBInject.gen!MH" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "#LOWFI:HSTR:Criakl.B1", "display_name": "#LOWFI:HSTR:Criakl.B1", "target": null }, { "id": "Backdoor:Win32/Arwobot.B", "display_name": "Backdoor:Win32/Arwobot.B", "target": "/malware/Backdoor:Win32/Arwobot.B" }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Win.Downloader.Small-4507", "display_name": "Win.Downloader.Small-4507", "target": null }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "Win.Malware.Mikey-9949492-0", "display_name": "Win.Malware.Mikey-9949492-0", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "DDOS:Linux/Gafgyt.YA!MTB", "display_name": "DDOS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDOS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-11882", "display_name": "CVE-2017-11882", "target": null }, { "id": "ALF:Exploit:O97M/CVE-2017-8977", "display_name": "ALF:Exploit:O97M/CVE-2017-8977", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" } ], "industries": [ "Insurance", "Construction" ], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54118, "domain": 11153, "hostname": 18578, "email": 21, "FileHash-SHA256": 4905, "FileHash-MD5": 548, "FileHash-SHA1": 534, "CVE": 7, "SSLCertFingerprint": 20, "CIDR": 1 }, "indicator_count": 89885, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952f958f5dee394ed5ee9f1", "name": "Agent-AQB -Secretary of State Colorado", "description": "There are several compromised certificate on Secretary of State Colorado. I focused on one.\nMalicious - Writes to STDOUT", "modified": "2026-01-28T21:05:58.898000", "created": "2025-12-29T21:57:44.075000", "tags": [ "subscribe", "unsubscribe", "s paris", "englewood", "united", "state", "skip", "espaol", "summary", "filing history", "present jul", "a domains", "present jun", "present oct", "present dec", "script urls", "present aug", "moved", "link", "meta", "msie", "chrome", "passive dns", "gmt content", "ipv4", "urls", "files", "title", "ipv4 add", "america flag", "america asn", "related pulses", "united states", "cloudflare a", "div div", "span span", "domain", "cloudflare", "content type", "click", "dynamicloader", "get opera", "host", "tlsv1", "install", "external ip", "lookup", "intel", "ms windows", "ogoogle trust", "write", "malware", "ip address", "search", "present nov", "backdoor", "bq dec", "win32small dec", "next associated", "virtool", "reverse dns", "australia asn", "twitter", "status", "name servers", "expiration date", "hostname add", "unknown soa", "domain add", "form", "entries", "url analysis", "error", "body", "date", "high", "ssh scan", "tcp syn", "resolverror", "show", "outbound", "yara detections", "potential ssh", "contacted", "copy", "icmp traffic", "dns query", "therahand certificat", "sos", "secretary of state", "writes_to_stdout" ], "references": [ "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "ELF:Agent-AQB\\ [Trj] IDS Detections: Potential SSH Scan Potential SSH Scan OUTBOUND", "Yara Detections: is__elf", "Alerts: dead_host known_hosts_conn network_icmp tcp_syn_scan osquery_detection", "Alerts: nolookup_communication writes_to_stdout", "IP\u2019s Contacted 2530 IP\u2019s Contacted 1.0.0.1 1.0.0.10 1.0.0.100 1.0.0.101 1.0.0.102 | Domains Contacted: 9654s.com", "https://otx.alienvault.com/indicator/file/aeb3d5ec1d144a7b2d51bdb603c052fd52700defb1b039491c4df3f32ece517a", "ELF:Agent-AQB\\ [Trj]", "https://otx.alienvault.com/indicator/file/aeb3d5ec1d144a7b2d51bdb603c052fd52700defb1b039491c4df3f32ece517a" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Trojan.Agent-31853", "display_name": "Win.Trojan.Agent-31853", "target": null }, { "id": "Backdoor:Win32/Small.IR", "display_name": "Backdoor:Win32/Small.IR", "target": "/malware/Backdoor:Win32/Small.IR" }, { "id": "Win.Downloader.92-4", "display_name": "Win.Downloader.92-4", "target": null }, { "id": "Win.Trojan.Fugrafa-9733007-0", "display_name": "Win.Trojan.Fugrafa-9733007-0", "target": null }, { "id": "ELF:Agent-AQB\\ [Trj]", "display_name": "ELF:Agent-AQB\\ [Trj]", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1561, "domain": 158, "hostname": 637, "FileHash-MD5": 121, "FileHash-SHA1": 97, "email": 8, "FileHash-SHA256": 561, "SSLCertFingerprint": 1 }, "indicator_count": 3144, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "80 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952d4fc6910b0b866746d8a", "name": ".NET Obfuscator, Error Reporting, DLL Merging | SmartAssembly | Spycloud", "description": "*Mirai | Currently being used maliciously. Mirai botnet work in place. Obfuscation, call redirection, evasion , chatbots, spyware , cal retrieval , typosquating , and other tactics used against victim. Red hats being unethical is expected.. This team is attacking in this instance. Screen Capture 24/7. Malicious media +++ from Englewood, Co. \n\nWhen used ethically SmartAssembly protects your code and Intellectual Property with powerful obfuscation features, and provides error reports when your application crashes in the wild, as well as a range of other tools for database management and data management.\n#palantir #foundry #denver #englewood #colorado #spycloud #mirai #botnet", "modified": "2026-01-28T18:03:54.589000", "created": "2025-12-29T19:22:36.103000", "tags": [ "no expiration", "domain", "name", "control flow", "dlls", "method parent", "declarative", "ms build", "core", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "dock", "write", "execution", "capture", "endgame", "united", "moved", "ip address", "record value", "gate software", "newnham house", "expiration date", "urls", "url add", "http", "related nids", "files location", "flag united", "present aug", "present sep", "present nov", "present oct", "name servers", "emails", "present dec", "meta", "passive dns", "next associated", "ipv4", "url analysis", "files", "cookie", "subscribe", "unsubscribe", "s paris", "englewood", "state", "skip", "espaol", "summary", "filing history", "ireland", "title", "united states", "certificate", "colorado", "ipv4 add", "america flag", "showing", "pulse submit", "size", "pattern match", "mitre att", "ck id", "path", "hybrid", "general", "local", "iframe", "click", "strings", "cece", "mult", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "sha1", "sha256", "njmk", "kwruymy", "mime", "submitted", "process details", "calls", "apis", "reads", "defense evasion", "model", "getprocaddress", "show technique", "ck matrix", "access type", "value", "api call", "open", "august", "format", "typeof symbol", "typeof s", "typeof c", "function", "symbol", "comenabled", "image path", "ndex", "ndroleextdll", "f0f0f0", "ff4b55", "stop", "span", "show process", "binary file", "file", "network traffic", "encrypt", "date", "found", "ssl certificate", "creation date", "hostname add", "pulse pulses", "files ip", "address domain", "data upload", "extraction", "ge6 mira", "failed", "ascii text", "development att", "hostname", "files domain", "files related", "pulses otx", "pulses", "unknown aaaa", "unknown ns", "united states", "urls show", "date checked", "url hostname", "server response", "google safe", "results may", "a domains", "search", "germany unknown", "win32", "lowfi", "chrome", "susp", "trojan", "backdoor", "twitter", "virtool", "worm", "exploit", "trojandropper", "win32upatre dec", "mtb dec", "reverse dns", "body", "location united", "asn as14618", "less whois", "files show", "date hash", "avast avg", "initial access", "javascript", "root", "enterprise", "form", "desktop", "command decode", "suricata ipv4", "spycloud", "robots", "bots", "chatbot", "bot network", "spy", "mixb", "a2fryx", "therahand", "typosquating" ], "references": [ "https://www.red-gate.com/products/smartassembly", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 343, "FileHash-SHA256": 1332, "domain": 1062, "hostname": 1967, "URL": 5699, "email": 10, "SSLCertFingerprint": 21, "CVE": 1 }, "indicator_count": 10776, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "80 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693de4a8a72cf95b028365f0", "name": "Bot Block 162.159.128.0/19 | X Fake tweets | Tofsee", "description": "Tofsee.Trojan.T malware infection affects infected devices. \n\n\n#unlocked #injection #dead_host #compromised_devices #folk_in _browser #botnets", "modified": "2026-01-12T21:02:35.560000", "created": "2025-12-13T22:11:52.474000", "tags": [ "network", "ip address", "subnet", "dynamicloader", "port", "destination", "high", "windows", "united", "write", "tofsee", "stream", "win64", "push", "urls", "url analysis", "dnssec", "script domains", "encrypt", "url add", "http", "related nids", "flag united", "germany", "address google", "passive dns", "ipv4 add", "files", "asn as13335", "dns resolutions", "domains top", "level", "unique tlds", "location united", "asn asnone", "present dec", "backdoor", "lowfi", "win32autoit mar", "urls show", "date checked", "connection", "httponly", "secure", "path", "expiressat", "dynamic cfray", "medium", "delete c", "displayname", "show", "unknown", "next", "rndhex", "malware", "cname", "next associated", "url hostname", "server response", "google safe", "read c", "unicode", "png image", "rgba", "memcommit", "dock", "execution", "files location", "china flag", "china hostname", "hostname", "domain", "files ip", "address", "asn as45102", "gmt content", "certificate", "associated urls", "location china", "china asn", "as4808 china", "present aug", "object", "present apr", "present oct", "alman", "present sep", "error", "present jul", "rmndrp", "present feb", "expiration", "url https", "url http", "iocs", "review iocs", "expireswed", "samesitenone", "maxage86400", "maxage0", "server", "expires", "victina nulcac", "data upload", "extraction", "enter", "enter source", "url data", "type", "extract indic", "included iocs", "china unknown", "botnet", "folk in browser", "japan unknown", "asnone country", "as13335", "a domains", "script urls", "servers", "title", "moved", "record value", "entries", "whitelisted", "powershell", "xf9xb5xf9", "xxcexf6x8fr", "k2xe7xcbxxeaxa2", "x99x19", "x88yxf9xc858", "x83x12x8da", "zx9bx8ex84", "attempts", "yara detections", "contacted", "tags none", "file type", "pe packer", "dll compilation", "guard", "botnets" ], "references": [ "https://x.com/DenverPolice/status/1999710339584475507?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet", "x.com | 162.159.140.229 (162.159.128.0/19) AS 13335 ( CLOUDFLARENET )", "foundry.neconsside.com \u2022 http://foundry.neconsside.com", "http://foundry.neconsside.com/ \u2022 https://foundry.neconsside.com \u2022 https://foundry.neconsside", "IT Mirai | https://otx.alienvault.com/indicator/domain/miraitranslate.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America", "Russian Federation", "T\u00fcrkiye", "Netherlands" ], "malware_families": [ { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "HtBot", "display_name": "HtBot", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1481", "name": "Web Service", "display_name": "T1481 - Web Service" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8145, "domain": 1389, "FileHash-SHA256": 1545, "CIDR": 2, "hostname": 2533, "FileHash-MD5": 209, "FileHash-SHA1": 190, "email": 6, "SSLCertFingerprint": 4 }, "indicator_count": 14023, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "96 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693adba47b2cce69440c726a", "name": "TESLA HACKERS | Login Google", "description": "Attackers target victims Google account, Google browser, Google homepage.\n\nTesla Hackers in the job. Tesla hackers are very young , angry, kids who chased target around mercilessly in their vehicles, photographed target, drive threateningly. Nothing sophisticated about the stalker crewl. This is intentional. Finding troubled individuals who are desperate for power is pretty easy. \n\nThe hit men range from gang members, white , black , Hispanic to the highly educated, Hit man who attempted to take target out was a spoiled, angry , aggressive, sneering POC. He walked in Denver. The next morning , the area target was driven if roadway was closed off and filled with a rather large road crew, work continues to work on this area. (Charlie Kirk like). Alleged traffic officer claims cameras pointed in different directions that night. He was identified as a computer science major by a PI. This feels so dangerous.", "modified": "2026-01-10T13:01:53.320000", "created": "2025-12-11T14:56:36.874000", "tags": [ "tlsv1", "united", "oamazon", "cnamazon rsa", "jfif", "ogoogle trust", "cngts ca", "exif standard", "tiff image", "xresolution74", "execution", "dock", "write", "persistence", "malware", "encrypt", "ca https", "no expiration", "iocs", "url https", "enter source", "url or", "text drag", "drop or", "browse to", "select file", "ipv4", "url http", "type indicator", "sec ch", "ch ua", "unknown", "ua full", "ua platform", "as44273 host", "ua bitness", "msie", "chrome", "backdoor", "trojandropper", "passive dns", "forbidden", "body", "twitter", "trojan", "cookie", "title", "windows nt", "wow64", "slcc2", "media center", "read c", "port", "destination", "local", "moved", "integration all", "urls", "files", "reverse dns", "location united", "america flag", "name servers", "hostname", "unique", "expires wed", "gmt date", "server", "date wed", "connection", "use linux", "cybersecurity", "http", "ip address", "files location", "flag united", "win32", "urls show", "date checked", "url hostname", "server response", "virtool", "date hash", "avast avg", "heur", "lowfi", "k sep", "contacted", "related tags", "none file", "type", "present dec", "present nov", "mtb mar", "aaaa", "hacktool", "indicator role", "domain", "url add", "as20940", "as16625 akamai", "present mar", "present may", "as54113", "present apr", "ipv4 add", "url analysis", "servers", "emails", "hostname add", "present aug", "present sep", "present oct", "status", "present jul", "data upload", "extraction", "as208722 yandex", "russia unknown", "a domains", "expirestue", "path", "certificate", "medium", "alerts show", "ck technique", "technique id", "installs", "pe32", "intel", "ms windows", "high", "icmp traffic", "dns query", "packing t1045", "t1045", "screenshots", "file type", "date february", "pm size", "imphash pehash", "guard", "syst", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "spawns", "t1590 gather", "flag", "united kingdom", "command decode", "belgium belgium", "federation", "france france", "ireland ireland", "canada canada", "suricata ipv4", "click", "tesla hackers", "elon musk", "show", "richhash", "external", "virustotal api", "comments", "vendor finding", "notes clamav", "ms defender", "files matching", "copy", "found", "ssl certificate", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "yara rule", "reads", "number", "sample analysis", "hide samples", "entries", "samples show", "next yara", "detections name", "devcv5 ujrb", "ujrb", "uja1t", "show technique", "mitre att", "ck matrix", "ascii text", "pattern match", "sha1", "network traffic", "show process", "general" ], "references": [ "https://www.teslarati.com/spacex", "https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57", "https://cdn.teslarati.com \u2022 https://forums.teslarati.com/", "https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/", "https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/", "https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/", "https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/", "https://www.teslarati.com/wp-content/themes/teslarati-mag/map/", "https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/", "https://www.teslarati.com/", "https://www.teslarati.com/spacex", "https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/", "https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/", "https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/", "https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/", "pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx", "http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\", "http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022 https://pickyhot.disqus.com/tsara-brashears", "http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm", "HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected: Redirect Types: Delayed Redirect Redirects to: /doodles/ Suspicious", "Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189", "External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |", "Source : Binary File ATT&CK ID T1566.002", "Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .", "Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes", "Detected Non-Google domain serving Google homepage details", "Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers", "Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.", "CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.", "Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True", "Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true", "CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Japan" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB", "display_name": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB", "target": "/malware/Ms Defender\tTrojan:Win32/Qbot.KVD!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Malware.Jaik-9940406-0", "display_name": "Win.Malware.Jaik-9940406-0", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn", "display_name": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn", "target": null }, { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1136.002", "name": "Domain Account", "display_name": "T1136.002 - Domain Account" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5894, "FileHash-MD5": 458, "FileHash-SHA1": 305, "FileHash-SHA256": 2481, "SSLCertFingerprint": 26, "hostname": 2406, "domain": 966, "email": 16, "CVE": 1 }, "indicator_count": 12553, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e2d950ac7d1e2a3454a4f", "name": "Gooogle Accounts | Drive-by Compromise \u2022 Ransomware \u2022 Phishing Attack", "description": "Google accounts Drive-by Compromise. Affected Google accounts redirects to a suspicious non - Google homepage. |\nRansomware | Adware | Phishing | Injection | \nExploits seen affecting both OS and iOS devices. Threat actors able to remotely access iOS device, unlock, access iCloud. System root control, fully infected devices, Attackers continue to ravage devices w/ drive by compromise, unsafe adware, malware text, etc., Seeks to remove malicious IoC\u2019s on mock accounts , password stealers", "modified": "2025-12-31T23:04:59.378000", "created": "2025-12-02T00:06:45.807000", "tags": [ "iocs", "drop", "network traffic", "ck id", "mitre att", "ck matrix", "network related", "detected", "t1566", "t1204", "united", "click", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "learn", "suspicious", "informative", "name tactics", "adversaries", "command", "initial access", "spawns", "found", "binary file", "t1189", "regsetvalueexa", "regdword", "post http", "medium", "high", "regbinary", "loader", "dock", "write", "malware", "unknown", "romania unknown", "present may", "msie", "chrome", "body", "passive dns", "ip address", "present jun", "welcome", "accept", "encrypt", "gmt content", "ipv4 add", "url analysis", "urls", "files", "reverse dns", "unknown aaaa", "certificate", "hostname add", "error", "flag", "domain address", "contacted hosts", "type", "india unknown", "record value", "body html", "head title", "title", "entries", "read c", "high defense", "evasion", "yara detections", "virtool", "win32", "ahmann", "hacker group", "law firm", "order", "google", "smart assembly" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VirTool:MSIL/Injector.BF", "display_name": "VirTool:MSIL/Injector.BF", "target": "/malware/VirTool:MSIL/Injector.BF" }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 112, "FileHash-SHA256": 589, "URL": 1795, "SSLCertFingerprint": 3, "domain": 319, "hostname": 847, "email": 1 }, "indicator_count": 3781, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692dfcfbe3557856e3cd3bc4", "name": "Anonymous sent a Threat- Zero Day to an Apple product", "description": "State of Colorado? \nZero day sent to targets phone from a false Intermountain MyChart reminder. Of course target doesn\u2019t have a MyChart. Intermountain doesn\u2019t use \u2018Epic\u2019. \nFollow up call by \u2018Intermountain\u2019 \u201cIs this Tsara?\u201d\n\u201cYes it is\u201d I\u2019d say the same if they asked for \u201cDua Lipa\u201d Yes. Si. Oui. Ja.\n\nWrap her up in a package of lies. Send her off to a coconut island. I am not worried, I am not overly . \n\nThreat:\n\u201cWe do not forgive. We do not forget. Expect us. HACKED!\u201d \n\nI\u2019m taking this very seriously as a death threat. You are doing the crimes. Stop hacking people just to take your regret out on them. \nAs per victim\u2019s legal claim it was agreed by both parties she would hire an investigator to uncover true hacker. \n\nVictims of crimes aren\u2019t charged to research cybercrimes. I don\u2019t work alone. |\n\nMultiple death threats , attempts, injuries , death. You\u2019re mad? \n\nQuasi governments initial plan: Wrap her up in a package of lies. Send her off to a coconut island. I am not worried, I am not overly concerned", "modified": "2025-12-31T17:02:04.243000", "created": "2025-12-01T20:39:23.946000", "tags": [ "pm mst", "reply stop", "secure", "samesitenone", "httponly server", "cfray", "ip address", "google safe", "results nov", "united", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "msie", "windows nt", "wow64", "slcc2", "media center", "tls handshake", "search", "failure", "post http", "unknown", "trojan", "malware", "response", "gmt contenttype", "forbidden date", "gmt vary", "gmt etag", "deny", "vary", "network traffic", "hive", "target_tsara_brashears" ], "references": [ "https://mchrt.io/OaDiS--vvLULhoP9-ak", "172.64.147.230 \u2022 Error401.txt", "Error401.txt -> SHA256 d134ca025a6c63b2555200885d71cb6e61f8097cdfd7ecf13675b3df0c721797A", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://mchrt.io/zviBxOFCAQJS13Uu--w", "FILEHASH - SHA256 55d829336075705b1ac26f5300650b6030467123591ab265eeb04578a7c67a86", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/55d829336075705b1ac26f5300650b6030467123591ab265eeb04578a7c67a86", "We are a Legion We do not forgive. We do not forget.EXPECT US. HACKED! [Colorado State Government] 100%", "You are NOT Yaweh. He does forgive. He does forget. Expect HIM! SAVED \u2018He\u2019s coming again.\u2019", "\u2018God Does\u2019 Red Clay Strays \u2026 I know that God does but , I know that God does\u2026.", "CVE-2017-17215 | https://otx.alienvault.com/indicator/cve/CVE-2017-17215", "link.mail.beehiiv.com \u2022 beehiiv.com" ], "public": 1, "adversary": "Colorado Government", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Healthcare", "Technology", "Civil Society", "Legal" ], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1071, "domain": 176, "hostname": 285, "FileHash-SHA256": 284, "FileHash-MD5": 21, "FileHash-SHA1": 15, "SSLCertFingerprint": 7, "CVE": 1 }, "indicator_count": 1860, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69212b59117e7e2eb6f3adbf", "name": "X.com RAT \u2022 Tofsee | Attorney | Hacker | Affects visitors to his site.", "description": "Christopher Ahmann again. I\u2019m not sure if he is really an attorney or a hacker. He could be a Hacker and a legal consultant. Again incredibly malicious activity. #contacted #tofsee #trojan #rat #apple #telegram #cnc #google #botnets #bots \n\n[OTC populated: The following is the full list of names you can find on the website of an American law firm, which is based in New York and New Jersey, and which can be accessed via a Google search.]", "modified": "2025-12-22T02:05:33.541000", "created": "2025-11-22T03:17:45.877000", "tags": [ "twitter", "rat", "christopher p ahmann", "trojan", "lowfijavazkm", "x", "x.com", "dynamicloader", "yara rule", "ms windows", "windows", "medium", "united", "ascii text", "high", "write", "guard", "defender", "cybergate", "smartassembly", "malware", "win64", "unknown", "encrypt", "yara detections", "contacted", "av detections", "ids detections", "alerts", "port", "destination", "write c", "delete c", "tofsee", "stream", "telegram", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "ssl certificate", "pattern match", "mitre att", "path", "hybrid", "general", "click", "strings", "legal entities", "apple", "liar" ], "references": [ "x.com | https://x.com/search?q=Ahmann-Christopher-PC-Attorney-at-Law", "IDS Detection : Win32.Cybergate RAT SQLite DL", "IDS Detections : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS Detections : HTTP GET Request for sqlite3.dll - Possible Infostealer Activity", "Yara Detections : Nullsoft_NSIS", "Alerts: antisandbox_sleep creates_largekey process_creation_suspicious_location", "Alerts: infostealer_cookies persistence_autorun procmem_yara static_pe_anomaly", "Alerts: suricata_alert antiav_detectfile antivm_bochs_keys cape_extracted_content", "Alerts: infostealer_keylog injection_runpe suspicious_command_tools antidebug_guardpages mouse_movement_detect dynamic_function_loading resumethread_remote_process reads_memory_remote_process network_connection_via_suspicious_process", "Alerts: infostealer_keylog injection_runpe suspicious_command_tools antidebug_guardpages", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "Alerts: reads_memory_remote_process network_connection_via_suspicious_process", "IDS Detections : Win32/Tofsee.AX google.com connectivity check", "IDS Detections : HTTP Request with Lowercase host Header Observed", "IDS Detections : Observed Telegram Domain (t .me in TLS SNI)", "Alerts: behavior_tofsee suspicious_iocontrol_codes creates_largekey network_bind", "Alerts : persistence_autorun persistence_autorun_tasks network_smtp procmem_yara", "Alerts : static_pe_anomaly suricata_alert antivm_bochs_keys antivm_generic_disk", "Alerts : antivm_generic_services deletes_executed_files injection_runpe dead_connect", "Alerts : persistence_ads suspicious_command_tools anomalous_deletefile antisandbox_sleep", "appleid.cdn-apple.com \u2022 apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/", "https://apple.k8s.joewa.com/ \u2022 http://www.gtaging.apple.pol.kozow.com", "https://v2.papadustream.tv/episode/the-walking-dead-1x1", "https://www.rubreyatson.ddnsgeek.com/", "https://parabellumnorth.com/product/py2a-g17-69-rail-set/", "remotewd.com \u2022 device-194a3e38-d1e7-421a-8a01-d136fef966f1.remotewd.com", "https://hyperbot.net/ \u2022http://rarebot.com/rarebot-installer.exe", "accounts.google.com" ], "public": 1, "adversary": "Christopher Paul Ahmann", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowfiJavaZKM", "display_name": "#LowfiJavaZKM", "target": null }, { "id": "Win.Dropper.Tofsee-10012410-0", "display_name": "Win.Dropper.Tofsee-10012410-0", "target": null }, { "id": "Win.Dropper.Tofsee-10012410-0", "display_name": "Win.Dropper.Tofsee-10012410-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 360, "URL": 1750, "FileHash-MD5": 120, "FileHash-SHA1": 80, "FileHash-SHA256": 1269, "SSLCertFingerprint": 9, "hostname": 644 }, "indicator_count": 4232, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "118 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6919473b9e0624394e9b68e9", "name": "Backdoor:Linux/DemonBot Affecting Unsecured servers", "description": "A closer look at a hacker group found in Mirai Bot Network. Catgirls is still active , has running web server , is only viewable to group according to remarks regarding \u2018catgirls\u2019 domains , sub domains , hosts.\n\n Multiple hosts , name servers and links. .Backdoor:Linux/DemonBot Malicious attacks affecting unsecured servers (personal , business) networks, DDOS attacks , Mitre. Worm, Ransomware. \n\nHacker group has seemingly caused a fair ammunition of damage to small businesses and / or individuals/civil society.. Seen in attacks against handful of targets are in this Mirai Botnet. Of course we know how very large the Mirai Botnet is.", "modified": "2025-12-16T03:02:09.743000", "created": "2025-11-16T03:38:35.430000", "tags": [ "server", "algorithm", "x509v3 subject", "registrar abuse", "v3 serial", "spaceship", "community", "related pulses", "cidr", "mirai botnet", "hacker", "mirai att", "ck id", "group", "active", "generic pong", "reporting arch", "msie", "windows nt", "resolverror", "backdoor", "malware", "strings", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "spawns", "evasion att", "t1480 execution", "ipv4", "iocs", "drop", "review iocs", "found", "ascii text", "pattern match", "mitre att", "beginstring", "null", "refresh", "span", "hybrid", "click", "error", "tools", "look", "verify", "restart", "united", "moved", "passive dns", "urls", "record value", "unknown aaaa", "gmt content", "title", "cookie", "signing defense", "t1553 technique", "subvert trust", "controls learn", "disable", "modify tools", "defense evasion", "t1562 technique", "rdap", "domain database", "dap domain", "datab", "database", "array", "content", "ascii", "form", "initial access", "execution", "present aug", "present jul", "present nov", "present oct", "ip address", "command decode", "suricata ipv4", "localappdata", "windir", "openurl c", "programfiles", "edge", "cloudflare", "ssl certificate", "size", "starfield", "accept", "path", "general", "local", "hostname add", "pulse pulses", "read c", "port", "destination", "rgba", "unicode text", "medium", "unknown", "code", "write", "pecompact", "packer", "delphi", "win32", "persistence", "crash", "next", "china unknown", "chrome", "internal server", "next associated", "ipv4 add", "trojandropper", "date", "domain", "search", "domain add", "certificate", "next http", "scans show", "found title", "head body", "hostname", "files", "files ip", "address", "location united", "asn asnone", "present feb", "present jun", "unknown ns", "internet", "emails", "present sep", "show", "memcommit", "gapd5d", "key0", "packing t1045", "filehash", "sha1 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "mirai", "json", "total", "delete", "win64", "url http", "http", "related nids", "files location", "flag united", "gmt cache", "pulse submit", "url analysis", "verdict", "win32dh", "reverse dns", "america flag", "worm", "warehouse mgmt", "built", "retailexperts", "read", "top source", "top destination", "aaaa", "ransom", "trojan", "entries", "singapore", "singapore asn", "as16509", "present mar", "creation date", "contacted", "hostile", "targeting", "whitelisted", "high", "systemroot", "as15169", "copy", "global", "dynamicloader", "directui", "yara rule", "element", "classinfobase", "ccbase", "hwndhost", "windows" ], "references": [ "http://catgirls.foundation/main \u2022 https://spaceship.com/", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/68e72a3b96eaf61daf0eb13f", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/691924001d6dc4fa2d04d0b2", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/691924001d6dc4fa2d04d0b2" ], "public": 1, "adversary": "Mirai", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "PSW.Sinowal.X", "display_name": "PSW.Sinowal.X", "target": null }, { "id": "mirai", "display_name": "mirai", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "Worm:Win32/Locksky.gen!A", "display_name": "Worm:Win32/Locksky.gen!A", "target": "/malware/Worm:Win32/Locksky.gen!A" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1991, "domain": 428, "hostname": 882, "FileHash-SHA256": 2213, "FileHash-MD5": 675, "FileHash-SHA1": 530, "email": 7, "CIDR": 1, "CVE": 1, "SSLCertFingerprint": 23 }, "indicator_count": 6751, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "690af483e0e2ee05752043cd", "name": "Mirai \u2022 Cycbot - Who is Dennis Schroeder (303) 444-4444 | Social Engineering ~ Legal", "description": "Mirai \u2022\nCycBot. Hackers connected\nto targets phone intercepting calls. |\nHi Dennis, how the heck are you? Who are you? We connected targets former phone to a lawyer to become familiar with botnet experience. Time spent speaking to several fraudulent people who pretend to be people they are not. \n\nFrom our side: A factual account was given to a professional sounding female phone actor who answered call without giving name of law firm or her own name / title , listened for some time , few screening questions, no one in \u2018 law firm\u2019 didn\u2019t know statutes of limitations.\n\nSad there was never a way for target to contact find legitimate legal representation due to being in multiple botnets. \n Very disturbing. \n\n#colorado_government", "modified": "2025-12-05T06:05:48.164000", "created": "2025-11-05T06:53:55.844000", "tags": [ "url https", "url http", "related pulses", "united", "redacted for", "meta", "accept encoding", "moved", "ip address", "record value", "encrypt", "backdoor", "trojandropper", "passive dns", "mtb oct", "ipv4 add", "urls", "twitter", "trojan", "cycbot", "dynamicloader", "medium", "ms windows", "write", "yara rule", "named pipe", "pe32", "defender", "install", "smartassembly", "malware", "local", "dns query", "xxx adult", "site top", "level domain", "total", "whitelisted", "yara detections", "dyndns domain", "filehash", "av detections", "ids detections", "windows nt", "win64", "khtml", "gecko", "acceptencoding", "as46606", "xserver", "killer gecko", "host", "hello2malware", "cnlocalhost", "dclocal", "guard", "url analysis", "files", "reverse dns", "azerbaijan asn", "asnone related", "destination", "port", "unknown", "et smtp", "message", "united kingdom", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "found", "newremotehost", "newexternalport", "newprotocol", "newinternalport", "helloworld", "nids", "high", "ddos", "hstr", "mtb nov", "ransom", "msie", "chrome", "gmt content", "hostname add", "present jun", "germany unknown", "domain add", "asn as24940", "germany asn", "domain", "files ip", "address", "less", "script urls", "dennis schrder", "a domains", "prox", "aaaa", "present nov", "blog von", "apache", "dennis schroder", "servers", "emails", "dnssec", "as197540", "dns resolutions", "hostname", "verdict", "present", "directui", "element", "classinfobase", "write c", "getclassinfoptr", "sgpauiclassinfo", "file v2", "document", "explorer", "movie", "insert", "mitre att", "ck matrix", "path", "hybrid", "general", "iframe", "click", "strings", "forbidden", "default", "pdf library", "delete c", "https domain", "tls sni", "steals", "format", "for privacy", "name servers", "date", "japan unknown", "entries", "next associated", "gmt etag", "pragma", "body", "accept", "script domains", "gmt cache", "certificate", "alerts", "analysis date", "file score", "present sep", "iemobile", "ok accept", "mirai", "cdn.calltrk.com", "type indicator" ], "references": [ "Redirect from actual firm called - https://coloradoinjurylaw.com/denver-sexual-abuse-lawyer/", "leg.colorado.gov \u2022\tmaps.app.goo.gl", "https://leg.colorado.gov/bills/hb20 ?", "https://mirai-nameko.jp/assets/delighters-js.php", "Government porn: https://thehotporn.info/ \u2022 http://live-sex.space/ \u2022 charoenpornintergroup.com", "https://fr.bongacams10.com/erikasexy1 \u2022 https://www.bigcitycreations.com/s/stories/a-unisex-guide-to-pairing-colors", "colorado.gov" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Japan", "Italy", "Aruba", "Finland", "India", "United Kingdom of Great Britain and Northern Ireland", "Australia", "Hong Kong", "Hungary", "Switzerland", "China", "France", "T\u00fcrkiye", "Canada", "Poland" ], "malware_families": [ { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "Trojan:Win32/Predator.PVD!MTB", "display_name": "Trojan:Win32/Predator.PVD!MTB", "target": "/malware/Trojan:Win32/Predator.PVD!MTB" }, { "id": "Trojandropper:Win32/Cutwail.gen!K", "display_name": "Trojandropper:Win32/Cutwail.gen!K", "target": "/malware/Trojandropper:Win32/Cutwail.gen!K" }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Legal", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7782, "domain": 5008, "hostname": 2287, "FileHash-SHA1": 318, "email": 7, "FileHash-SHA256": 1608, "FileHash-MD5": 356, "SSLCertFingerprint": 11, "CVE": 1 }, "indicator_count": 17378, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "135 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "690af480b45560b4ae78a863", "name": "Mirai \u2022 Cycbot - Who is Dennis Schroeder (303) 444-4444 | Social Engineering ~ Legal", "description": "Mirai \u2022\nCycBot. Hackers connected\nto targets phone intercepting calls. |\nHi Dennis, how the heck are you? Who are you? We connected targets former phone to a lawyer to become familiar with botnet experience. Time spent speaking to several fraudulent people who pretend to be people they are not. \n\nFrom our side: A factual account was given to a professional sounding female phone actor who answered call without giving name of law firm or her own name / title , listened for some time , few screening questions, no one in \u2018 law firm\u2019 didn\u2019t know statutes of limitations.\n\nSad there was never a way for target to contact find legitimate legal representation due to being in multiple botnets. \n Very disturbing. \n\n#colorado_government", "modified": "2025-12-05T06:05:48.164000", "created": "2025-11-05T06:53:52.767000", "tags": [ "url https", "url http", "related pulses", "united", "redacted for", "meta", "accept encoding", "moved", "ip address", "record value", "encrypt", "backdoor", "trojandropper", "passive dns", "mtb oct", "ipv4 add", "urls", "twitter", "trojan", "cycbot", "dynamicloader", "medium", "ms windows", "write", "yara rule", "named pipe", "pe32", "defender", "install", "smartassembly", "malware", "local", "dns query", "xxx adult", "site top", "level domain", "total", "whitelisted", "yara detections", "dyndns domain", "filehash", "av detections", "ids detections", "windows nt", "win64", "khtml", "gecko", "acceptencoding", "as46606", "xserver", "killer gecko", "host", "hello2malware", "cnlocalhost", "dclocal", "guard", "url analysis", "files", "reverse dns", "azerbaijan asn", "asnone related", "destination", "port", "unknown", "et smtp", "message", "united kingdom", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "found", "newremotehost", "newexternalport", "newprotocol", "newinternalport", "helloworld", "nids", "high", "ddos", "hstr", "mtb nov", "ransom", "msie", "chrome", "gmt content", "hostname add", "present jun", "germany unknown", "domain add", "asn as24940", "germany asn", "domain", "files ip", "address", "less", "script urls", "dennis schrder", "a domains", "prox", "aaaa", "present nov", "blog von", "apache", "dennis schroder", "servers", "emails", "dnssec", "as197540", "dns resolutions", "hostname", "verdict", "present", "directui", "element", "classinfobase", "write c", "getclassinfoptr", "sgpauiclassinfo", "file v2", "document", "explorer", "movie", "insert", "mitre att", "ck matrix", "path", "hybrid", "general", "iframe", "click", "strings", "forbidden", "default", "pdf library", "delete c", "https domain", "tls sni", "steals", "format", "for privacy", "name servers", "date", "japan unknown", "entries", "next associated", "gmt etag", "pragma", "body", "accept", "script domains", "gmt cache", "certificate", "alerts", "analysis date", "file score", "present sep", "iemobile", "ok accept", "mirai", "cdn.calltrk.com", "type indicator" ], "references": [ "Redirect from actual firm called - https://coloradoinjurylaw.com/denver-sexual-abuse-lawyer/", "leg.colorado.gov \u2022\tmaps.app.goo.gl", "https://leg.colorado.gov/bills/hb20 ?", "https://mirai-nameko.jp/assets/delighters-js.php", "Government porn: https://thehotporn.info/ \u2022 http://live-sex.space/ \u2022 charoenpornintergroup.com", "https://fr.bongacams10.com/erikasexy1 \u2022 https://www.bigcitycreations.com/s/stories/a-unisex-guide-to-pairing-colors", "colorado.gov" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Japan", "Italy", "Aruba", "Finland", "India", "United Kingdom of Great Britain and Northern Ireland", "Australia", "Hong Kong", "Hungary", "Switzerland", "China", "France", "T\u00fcrkiye", "Canada", "Poland" ], "malware_families": [ { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "Trojan:Win32/Predator.PVD!MTB", "display_name": "Trojan:Win32/Predator.PVD!MTB", "target": "/malware/Trojan:Win32/Predator.PVD!MTB" }, { "id": "Trojandropper:Win32/Cutwail.gen!K", "display_name": "Trojandropper:Win32/Cutwail.gen!K", "target": "/malware/Trojandropper:Win32/Cutwail.gen!K" }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Legal", "Government", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7782, "domain": 5008, "hostname": 2287, "FileHash-SHA1": 318, "email": 7, "FileHash-SHA256": 1608, "FileHash-MD5": 356, "SSLCertFingerprint": 11, "CVE": 1 }, "indicator_count": 17378, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "135 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fc18514965ccd3b55c216d", "name": "Dorv \u2022 Obfuscator - Affecting DropBox", "description": "", "modified": "2025-11-23T17:00:58.297000", "created": "2025-10-25T00:22:41.686000", "tags": [ "type indicator", "added active", "related pulses", "script urls", "united", "unknown ns", "a domains", "ip address", "meta", "asn as13335", "msie", "chrome", "ransom", "trojan", "passive dns", "backdoor", "http request", "twitter", "win32/crix.c check-in", "gmt content", "ipv4", "urls", "files", "data upload", "extraction", "domain add", "e emeseieee", "dynamicloader", "e eue", "eweienedeoewese", "windows nt", "wow64", "slcc2", "media center", "edeeefeaeuelete", "unknown", "write", "bits", "malware", "xserver", "encrypt", "unknown aaaa", "moved", "cloudfront x", "hio52 p1", "name servers", "accept encoding", "emails", "servers", "extr", "u a640", "a69f u", "fe2e fe2f", "u a720", "a7ff", "u feff", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "pattern match", "mitre att", "null", "body", "pizza", "friday", "hybrid", "general", "local", "path", "starfield", "iframe", "click", "strings", "core", "bet", "gambling", "record value", "date", "present sep", "present apr", "colombia", "present jun", "present nov", "cookie", "present oct", "entries", "next associated", "error", "attack", "government", "scotland", "news", "covid19", "subscribe", "october", "crown copyright", "nhs scotland", "parliament", "coronavirus", "redacted for", "domain status", "server", "privacy tech", "privacy admin", "email", "country", "postal code", "stateprovince", "code", "host name", "rdap database", "handle", "iana registrar", "entity roles", "links", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "validity", "subject public", "key info", "medium", "write c", "search", "pe file", "high", "checks", "http", "delete", "copy", "guard", "mozilla", "next", "godaddy", "creation date", "hostname", "pulse submit", "url analysis", "domain", "files ip", "trojandropper", "mtb oct", "mtb may", "refloadapihash", "foundry", "fastly", "value a", "com laude", "ltd dba", "nomiq", "limited dba", "pulse", "location united", "asn asnone", "nameservers" ], "references": [ "giovannisnypizza.net \u2022 http://www.giovannisnypizza.net \u2022", "fazendabetb.live \u2022 bowiesports.com Check first???", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino", "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022", "05bet99.bet \u2022 app.05bet99.bet \u2022 betterlifeschool.kr \u2022 bbrbet.today", "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com", "cashloanboat.com \u2022 mx-loans-5o.today\u2022 nodoccommercialloan", "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/", "m.casinometropol225.com \u2022 casinometropol285.com \u2022 http://bonus.casinometropol285.com \u2022", "https://bonus.casinometropol285.com \u2022 www.aksescasinobet77.icu bonus.casinometropol285.com \u2022", "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au", "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))", "The Scottish Government www.gov.scot The NHS Scotland support", "http://129.2.4.2/32 Lencr", "qlw020.managed-sprint.dynalabs.io (Check)", "brave-ohttp-relay-dev.fastly-edge.com (Palantir)", "ims.foundryfabrication.co.uk \u2022 timelog.foundryfabrication.co.uk \u2022 ims.foundryfabrication.co", "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com", "vb.cu \u2022 vb \u2022 vb.il \u2022 vb.cu \u2022 vb.il \u2022 docs.fastly.com \u2022 docs.fastly.com", "ExternalHosts: US", "Starfield again - HoneyPot / Dod- DoW", "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction", "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware", "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Germany", "Bulgaria", "Singapore", "Denmark", "Australia", "Jersey", "Japan", "Canada" ], "malware_families": [ { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Autoit", "display_name": "Autoit", "target": null }, { "id": "Ransom:Win32/Crowti", "display_name": "Ransom:Win32/Crowti", "target": "/malware/Ransom:Win32/Crowti" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#Lowfi:SIGATTR:DownloadAndExecute", "display_name": "#Lowfi:SIGATTR:DownloadAndExecute", "target": null }, { "id": "Win.Dropper.Vbclone", "display_name": "Win.Dropper.Vbclone", "target": null }, { "id": "Win.Packer", "display_name": "Win.Packer", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "68fbc84609098d17c316f23c", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6261, "domain": 1806, "hostname": 2427, "FileHash-MD5": 384, "FileHash-SHA1": 381, "email": 13, "FileHash-SHA256": 1418, "SSLCertFingerprint": 14 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fbc84609098d17c316f23c", "name": "NSO - Multiple crimes", "description": "Multiple crimes including illegal gambling, loan sharking, cybercrimes , content reputation , instructions. Starfield seen again. Team 8 has seen Starfield in more than 300 pulses. Now it\u2019s gone. Check your devices for innocent looking searches you\u2019ve never searched. Browser extensions found on 3 targeted devices with an adversary with full CnC armed with a deletion and disk wipe service. Local - Denver. \n\nAlso, very concerning is specific Airline to be attacked revealed. It cant be researched without bringing down a flight or messing up air command & control. DJT has already made travel a risky feat by being influenced to fire the (NOAA) & (DOT). Its manipulation. PP Mafia bros. \n\nDoes anyone have any power? Contact someone. We did have a mystery plane incident in Denver after I first reported. Just space junk , ya know the usual. I am serious about preventing crime. I need some help!", "modified": "2025-11-23T17:00:58.297000", "created": "2025-10-24T18:41:10.936000", "tags": [ "type indicator", "added active", "related pulses", "script urls", "united", "unknown ns", "a domains", "ip address", "meta", "asn as13335", "msie", "chrome", "ransom", "trojan", "passive dns", "backdoor", "http request", "twitter", "win32/crix.c check-in", "gmt content", "ipv4", "urls", "files", "data upload", "extraction", "domain add", "e emeseieee", "dynamicloader", "e eue", "eweienedeoewese", "windows nt", "wow64", "slcc2", "media center", "edeeefeaeuelete", "unknown", "write", "bits", "malware", "xserver", "encrypt", "unknown aaaa", "moved", "cloudfront x", "hio52 p1", "name servers", "accept encoding", "emails", "servers", "extr", "u a640", "a69f u", "fe2e fe2f", "u a720", "a7ff", "u feff", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "pattern match", "mitre att", "null", "body", "pizza", "friday", "hybrid", "general", "local", "path", "starfield", "iframe", "click", "strings", "core", "bet", "gambling", "record value", "date", "present sep", "present apr", "colombia", "present jun", "present nov", "cookie", "present oct", "entries", "next associated", "error", "attack", "government", "scotland", "news", "covid19", "subscribe", "october", "crown copyright", "nhs scotland", "parliament", "coronavirus", "redacted for", "domain status", "server", "privacy tech", "privacy admin", "email", "country", "postal code", "stateprovince", "code", "host name", "rdap database", "handle", "iana registrar", "entity roles", "links", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "validity", "subject public", "key info", "medium", "write c", "search", "pe file", "high", "checks", "http", "delete", "copy", "guard", "mozilla", "next", "godaddy", "creation date", "hostname", "pulse submit", "url analysis", "domain", "files ip", "trojandropper", "mtb oct", "mtb may", "refloadapihash", "foundry", "fastly", "value a", "com laude", "ltd dba", "nomiq", "limited dba", "pulse", "location united", "asn asnone", "nameservers" ], "references": [ "giovannisnypizza.net \u2022 http://www.giovannisnypizza.net \u2022", "fazendabetb.live \u2022 bowiesports.com Check first???", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino", "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022", "05bet99.bet \u2022 app.05bet99.bet \u2022 betterlifeschool.kr \u2022 bbrbet.today", "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com", "cashloanboat.com \u2022 mx-loans-5o.today\u2022 nodoccommercialloan", "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/", "m.casinometropol225.com \u2022 casinometropol285.com \u2022 http://bonus.casinometropol285.com \u2022", "https://bonus.casinometropol285.com \u2022 www.aksescasinobet77.icu bonus.casinometropol285.com \u2022", "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au", "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))", "The Scottish Government www.gov.scot The NHS Scotland support", "http://129.2.4.2/32 Lencr", "qlw020.managed-sprint.dynalabs.io (Check)", "brave-ohttp-relay-dev.fastly-edge.com (Palantir)", "ims.foundryfabrication.co.uk \u2022 timelog.foundryfabrication.co.uk \u2022 ims.foundryfabrication.co", "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com", "vb.cu \u2022 vb \u2022 vb.il \u2022 vb.cu \u2022 vb.il \u2022 docs.fastly.com \u2022 docs.fastly.com", "ExternalHosts: US", "Starfield again - HoneyPot / Dod- DoW", "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction", "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware", "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Germany", "Bulgaria", "Singapore", "Denmark", "Australia", "Jersey", "Japan", "Canada" ], "malware_families": [ { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Autoit", "display_name": "Autoit", "target": null }, { "id": "Ransom:Win32/Crowti", "display_name": "Ransom:Win32/Crowti", "target": "/malware/Ransom:Win32/Crowti" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#Lowfi:SIGATTR:DownloadAndExecute", "display_name": "#Lowfi:SIGATTR:DownloadAndExecute", "target": null }, { "id": "Win.Dropper.Vbclone", "display_name": "Win.Dropper.Vbclone", "target": null }, { "id": "Win.Packer", "display_name": "Win.Packer", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6261, "domain": 1806, "hostname": 2427, "FileHash-MD5": 384, "FileHash-SHA1": 381, "email": 13, "FileHash-SHA256": 1418, "SSLCertFingerprint": 14 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dd9423f9208dcc8701e12e", "name": "Maktub Locker TOR Status Check \u2022 Cab \\ Drive by( dbi.com) Malicious pic", "description": "After 911 told me I was bounced to the Denver, Co Station 5 , located 45 & Peoria in Denver , Colorado , not even close. \nThe phone number changed, only 911 access. Clue: I saw an Amber alert in n target phone when I powered it on. No all notices always turned off. Made a call\non contact list and screen changed to a plain faced interface. \n\nAfter finding a mother foundry link on targets phone I grew curious about a CEO\u2019s strange story of Palantir\u2019s Karp Theil roommate situation in Law School but I could only find one picture on of them on a campus in their late 40\u2019s. He\u2019s African American mixed. The picture of his mother in hacked phone is 215 yo. No information federal oversight as CEO right? Or limited information on crazy hacked device? \n\nClicked on link then OMGness\n\n#whatIfind #onhackeddevice #targeting", "modified": "2025-10-31T19:03:21.338000", "created": "2025-10-01T20:50:43.002000", "tags": [ "iocs", "logo", "passive dns", "related tags", "none google", "ipv4", "gogle", "twitter", "x.com", "ransomware", "fbi \u2019site\u2019", "python", "cloud", "regopenkeyexw", "read c", "port", "destination", "cryptexportkey", "count read", "tor get", "malware", "write", "format", "redacted for", "server", "privacy tech", "privacy admin", "country", "postal code", "organization", "date", "email", "code", "aaaa", "value a", "key identifier", "v3 serial", "number", "cus ogoogle", "trust", "cnwe1 validity", "subject public", "key info", "key algorithm", "ec oid", "maktub", "cnc", "python-projekt", "x post", "link", "android", "iphone", "google", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "ssl certificate", "spawns", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "size", "mitre att", "show technique", "ck matrix", "title", "path", "hybrid", "general", "local", "form", "click", "strings", "body" ], "references": [ "FBI.GOV - VT I\u2019m looking @ says website is legitimate & not misused - hmm", "Entity CLOUD14", "CLOUDFLARENET - 104.16.148.244 , 104.19.148.244", "https://otx.alienvault.com/indicator/file/ba30376f915afa868763f84299fae5d2", "https://hybrid-analysis.com/sample/f2b943e81f1b284cf9dabb4ff156526a02ecca485ac117714867d92b262c8fdd/68dd867e3bc50d9068072c05", "Hashtags left on Hybrid Analysis (above) weren\u2019t posted by me", "Maktub Locker TOR Status Check \u2022 TOR Consensus Data Requested \u2022 TOR 1.0 Server Key Retrieval", "Tor Get Server Request \u2022 TLS Handshake Failure High Priority", "Yara Detections: stack_string Alerts: dead_host", "Alerts: network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http", "Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters", "Alerts: packer_entropy queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name raises_exception" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Code Virus Ransomware", "display_name": "Code Virus Ransomware", "target": null }, { "id": "AVAST- Win32:Filecoder-AD\\ [Trj]", "display_name": "AVAST- Win32:Filecoder-AD\\ [Trj]", "target": null }, { "id": "CLAMAV - Win.Malware.Cabby-6803812", "display_name": "CLAMAV - Win.Malware.Cabby-6803812", "target": null }, { "id": "Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn", "display_name": "Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn", "target": "/malware/Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 574, "domain": 147, "FileHash-MD5": 156, "FileHash-SHA1": 130, "FileHash-SHA256": 539, "URL": 982, "SSLCertFingerprint": 4, "email": 2 }, "indicator_count": 2534, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689af6a1704fa2745bc8c2a3", "name": "Hijacked Twitter / X.com account. Phishing | Abnormal use", "description": "Hijacked phishing Twitter/ X.com.\nWin32/Unruy.C Activity\n#phishing #hijacked #intercoms #unruy #trojan #VTflood #malware #attack", "modified": "2025-09-11T08:02:36.759000", "created": "2025-08-12T08:09:05.642000", "tags": [ "log id", "gmtn", "secure", "tls web", "passive dns", "urls", "path", "self", "encrypt", "ca issuers", "false", "search", "read c", "united", "entries", "show", "showing", "msie", "windows nt", "wow64", "slcc2", "copy", "write", "suspicious", "malware", "unknown", "process32nextw", "shellexecuteexw", "medium process", "discovery t1057", "t1057", "discovery", "medium", "locally unique", "identifier", "veailmboprd", "next associated", "ipv4 add", "pulse pulses", "files", "asn as13335", "dns resolutions", "domains top", "smoke loader", "trojan", "body", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "show process", "programfiles", "command decode", "flag", "suricata ipv4", "mitre att", "show technique", "ck matrix", "date", "comspec", "model", "twitter", "august", "hybrid", "general", "click", "strings" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1504, "FileHash-SHA256": 1232, "SSLCertFingerprint": 14, "domain": 245, "hostname": 526, "FileHash-MD5": 43, "FileHash-SHA1": 38 }, "indicator_count": 3602, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "220 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6893eee9bf1b30e08d1a6d8e", "name": "Ransom:Win32/CVE - Denver \u2022 Community Lifestyle Neighborhood", "description": "*Ransom:Win32/CVE - * Win.Dropper.Stone-9856966-0,\nDenver \u2022 Community Lifestyle Neighborhood. \nCorporate & Leasing Office corrupted with spyware. There is a single verified monitored target. All technology devices corrupted, at least 2 phones monitored, YouTube is courtesy of hackers. Several in person and phone investigations, staff change and they know nothing about leasing apartments, townhomes , etiquette, poor communication. Target also investigated. It appears to be harassment, intimidation and monitoring for unspecified reasons. The parking lot is stacked with obvious people sitting in their vehicles for hours. It\u2019s unclear if the staffing change is legitimate or part of an investigation.", "modified": "2025-09-05T23:02:52.811000", "created": "2025-08-07T00:10:17.696000", "tags": [ "address google", "safe browsing", "united", "typeof", "passive dns", "body doctype", "nreum", "date", "gmt server", "apache x", "cnection", "content type", "span", "ok transfer", "encoding", "x powered", "unknown soa", "unknown ns", "showing", "entries", "next associated", "urls show", "body", "encrypt", "search", "ip address", "creation date", "record value", "present jul", "present may", "present apr", "certificate", "present aug", "present feb", "present dec", "present nov", "error", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "development att", "sha1", "copy md5", "copy sha1", "copy sha256", "mitre att", "show technique", "ck matrix", "pattern match", "ascii text", "august", "hybrid", "general", "local", "path", "click", "strings", "itre att", "accept", "sha256", "size", "type data", "utf8 text", "document file", "flag", "server", "european union", "name server", "tor analysis", "dns requests", "domain address", "ii llc", "windir", "openurl c", "prefetch2", "show process", "ogoogle trust", "network traffic", "organization", "elton avundano", "object", "title object", "header http2", "returnurl", "texas", "rsa ov", "ssl ca", "status", "australia", "netherlands", "urls", "gmt path", "hostname add", "pulse submit", "present oct", "e safe", "results jul", "response ip", "present jan", "name servers", "verdict", "domain", "files ip", "address domain", "xhr start", "xhr load", "aaaa", "read c", "show", "port", "destination", "high", "delete", "outbound m3", "copy", "write", "persistence", "execution", "malware", "generic", "unknown", "present mar", "dynamicloader", "wine emulator", "dynamic", "medium", "read", "associated urls", "date checked", "url hostname", "server response", "google safe", "dnssec", "domain name", "solutions", "llc status", "next passive", "dns status", "hostname query", "files show", "date hash", "avast avg", "overview ip", "address", "related nids", "files location", "flag united", "hostname", "files domain", "win32", "mtb feb", "trojan", "susp", "trojandropper", "msr feb", "trojanspy", "virtool", "win64", "defense evasion", "t1480 execution", "file defense", "null", "refresh", "tools", "look", "verify", "restart", "file discovery", "utf8", "crlf line", "a domains", "script urls", "link", "unknown aaaa", "meta", "atom", "results jan", "present", "present sep", "akamai", "asn as16625", "less whois", "registrar", "http", "france flag", "france hostname", "files related", "url analysis", "files", "location france", "detailed error", "sec ch", "ch ua", "ua full", "ua platform", "moved", "name", "perfect privacy", "error jul", "next related", "domains show", "domain related", "url add", "pulse pulses", "hosting", "reverse dns", "france asn", "as16276", "dns resolutions", "datacenter", "regopenkeyexa", "regsetvalueexa", "windows nt", "regdword", "hostile", "service", "delphi", "next", "pulses none", "related tags", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "review", "data upload", "extraction", "khtml", "gecko", "olet", "cnlet", "tlsv1", "hacktool", "push", "ms windows", "intel", "pe32", "users", "precreate read", "ransom", "code", "installer", "june", "media", "autorun", "next yara", "detections name", "aspackv2xxx", "eu alexey", "alerts", "pe file", "filehash", "sha256 add", "av detections", "ids detections", "yara detections", "analysis date", "april", "packing t1045", "t1045", "t1060", "registry run", "keys", "user execution", "icmp traffic" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1132, "URL": 6245, "hostname": 2264, "FileHash-SHA256": 1857, "FileHash-SHA1": 491, "email": 9, "FileHash-MD5": 573, "SSLCertFingerprint": 16 }, "indicator_count": 12587, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6892e73b32af18aa302df0dc", "name": "Part 1.5", "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]", "modified": "2025-09-05T04:03:06.929000", "created": "2025-08-06T05:25:15.369000", "tags": [ "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "june", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "impact", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "script", "mitre att", "pattern match", "show technique", "iframe", "refresh", "august", "general", "local", "tools", "demo", "look", "verify", "restart", "url http", "small", "pulses url", "tellyoun", "showing", "entries", "url https", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "cc08", "f06a6b", "sfurl", "filehashsha256", "types", "indicators show", "search", "pulses", "filehashsha1", "adversaries", "found", "webp image", "ascii text", "riff", "size", "encrypt", "legacy", "filehashmd5", "united", "flag", "server", "markmonitor", "name server", "llc name", "overview dns", "requests domain", "country", "win32", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "detections", "malware", "copy", "show", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "extraction", "data upload", "enter sc", "type", "extra data", "please", "failed", "review", "exclude data", "included review", "ic data", "suggeste", "stop", "type onow", "domain", "passive dns", "urls", "files related", "pulses none", "related tags", "none google", "safe browsing", "sc data", "extr amanuav", "review included", "manualy", "sugges excluded", "filehash", "md5 add", "pulse pulses", "url add", "http", "hostname", "files domain", "pulses otx", "virustotal", "hsmi192547107", "pulses hostname", "r dec", "customer dec", "iski dec", "decision dec", "va dec", "bitcoin", "bitcoin dec", "petra", "torstatus dec", "paul dec", "sodesc", "planet dec", "emilia", "heroin dec", "difference dec", "palantir dec", "loraxlive dec", "chaturbate dec", "sandra", "free dec", "marvel dec", "benjis dec", "fresh dec", "sodesc dec", "srdirport", "srhostname", "link dec", "types of", "italy", "china", "australia", "france", "turkey", "discovery", "information", "ck ids", "t1005", "local system", "t1007", "system service", "part", "track", "locate", "political", "civil society", "news", "created", "hours ago", "report spam", "t1555", "password", "t1560", "collected data", "t1573", "channel", "t1574", "execution flow", "scan", "iocs", "t1497", "u0lhmq", "mtawmq", "t1480", "guardrails", "t1486", "data encrypted", "learn more", "unsubscribe aug", "protocol", "t1074", "staged", "t1083", "t1102", "web service", "t1105", "tool transfer", "t1140", "data engineer", "candidate", "tlsv1", "odigicert inc", "stcalifornia", "lsan jose", "oadobe systems", "incorporated", "cndigicert sha2", "push", "next", "high", "write c", "ireland as16509", "delete", "dirty", "tags", "t1012", "flow endpoint", "security scan", "t1106", "copyright", "levelblue" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 608, "FileHash-SHA1": 433, "FileHash-SHA256": 3663, "URL": 17104, "domain": 1316, "email": 39, "hostname": 4208, "SSLCertFingerprint": 17 }, "indicator_count": 27388, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6882e2a53af80b1af320079d", "name": "VirusTotal - Palantir- KrunchyMalPacker | Vflooder", "description": "-> Hostname: \u2022 edenglobalpartners.palantirfoundry.com\n\u2022 c.twitterintegration.com\n*Trojan:Win32/Vflooder.E\nIDS Detections:\n- Win32/Flooder.Agent.NAS CnC Domain in DNS Lookup\n\u2022 Virus Total vtapi DOS\n\u2022 Generic HTTP EXE Upload Inbound\n\u2022 Observed Suspicious UA (Mozilla/5.0)\n\u2022 Generic HTTP EXE Upload Outbound || \n*ALF:HSTR:KrunchyMalPacker!MTB\t\n IDS Detections\n-Win32/Vflooder.B Checkin\n\u2022 TLS Handshake Failure\nYara Detections: \nkkrunchy023alpha2\nAlerts:\n\u2022 static_pe_anomaly\n\u2022 suricata_alert\n\u2022 dynamic_function_loading\n\u2022 network_cnc_https_generic\n\u2022 reads_self\n\u2022 network_cnc_http\n\u2022 network_http\n\u2022 packer_unknown_pe_section_name\n\u2022 packer_entropy\n\u2022 injection_rwx ||\n__________\nIP\u2019s Contacted:\n\u2022 34.54.88.138\n\u2022 162.159.140.229\nDomains Contacted\n\u2022 twitter.com (SBKA - Palantir?)\n\u2022 www.virustotal.com\n#botnetresulttesting #virustotal_unsafe #vtflooder #palantir #twitter #gotham foundry #brian_sabey_has_a_new_toy #targeting #tsara_brashears", "modified": "2025-08-24T01:04:01.801000", "created": "2025-07-25T01:49:25.325000", "tags": [ "windows nt", "dynamicloader", "contentlength", "tls handshake", "failure", "host", "show", "medium", "search", "entries", "copy", "write", "malware", "generic http", "exe upload", "inbound", "outbound", "domain", "trojan", "u0019", "trojandropper", "backdoor", "mtb jul", "united", "passive dns", "open ports", "win32berbew jul", "ipv4 add", "present jul", "present jun", "cname", "present aug", "present sep", "status", "certificate", "date", "twitter", "unknown ns", "name servers", "servers", "showing", "urls", "creation date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1903, "hostname": 806, "FileHash-SHA256": 1594, "FileHash-MD5": 264, "FileHash-SHA1": 297, "SSLCertFingerprint": 1, "domain": 515, "email": 5 }, "indicator_count": 5385, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687b5499d48de6e54f3bff11", "name": "213.174.130.70 - Spyware Install | Emotet via Malware sites", "description": "Malicious IP address for multiple malware domains. Very malicious spyware, will hijack network and devices. \n\u2022 Best Targeted sites \nSpyware Install\n\u2022 Garveep POST CnC\nBeacon\n\u2022 Worm.Mydoom\nCheckin\n\n#endgame #emotet #mydoom #malware_domains #install_spyware #monitered_targets", "modified": "2025-08-18T08:00:43.712000", "created": "2025-07-19T08:17:29.443000", "tags": [ "handle", "ripe ncc", "ripe network", "address range", "cidr", "allocation type", "assigned pa", "status", "whois server", "entity ah36ripe", "algorithm", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "date", "abuse contact", "orgid", "orgtechhandle", "address", "orgabuseref", "postalcode", "ripe", "seen", "update date", "tech email", "admin country", "expiration date", "dnssec", "admin id", "mi11255597wp", "msie", "chrome", "passive dns", "united", "ipv4 add", "pulse submit", "url analysis", "urls", "files", "hosting", "open", "body", "extraction", "data upload", "failed", "include review", "anorexx", "video", "father sex", "ebony riding", "ebony", "roberta", "type win32", "exe size", "mb first", "file name", "sentinelone", "present jul", "present oct", "entries http", "memcommit", "t1055", "read c", "search", "entries", "show", "medium", "showing", "high process", "injection t1055", "copy", "write", "win32", "malware", "tsara brashears", "tsara", "pornhub", "porn videos", "watch tsara", "most relevant", "open threat", "exchange", "public", "https", "green", "daily", "brashears", "porn", "watch", "busty xxx", "filter tsara", "brashears porn", "url add", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "md5 sha256", "google safe", "browsing", "dynamicloader", "dynamic", "read", "delete", "mtb apr", "trojan", "lowfi", "virtool", "icloader apr", "otx telemetry", "australia", "exploit", "cobalt strike", "hostile", "trojanspy", "msil", "win64", "pulse", "alerts", "yara rule", "named pipe", "xe7xf3xf2x14x9d", "high", "delphi", "local", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "defense evasion", "adversaries", "spawns", "found", "process details", "flag", "contacted", "meta", "location united", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "size", "beginstring", "null", "type data", "error", "span", "hybrid", "general", "click", "strings", "refresh", "tools", "pattern match", "show technique", "mitre att", "ck matrix", "ascii text", "show process", "utf8", "crlf line", "network traffic", "path", "included", "review", "excludea", "sugges data", "typ url", "url url", "url hos", "hos hos", "extraction f", "enter so", "u extractio", "extra data", "included review", "ic excluded", "suggeste", "pulses", "md5 google", "safe browsing", "virustotal api", "comments", "ally s", "extraction data", "enter soudcfidi", "ad temdac", "cddad ad", "praw type", "extr", "include u", "creation date", "record value", "gmt content", "x adblock", "certificate", "domain", "encrypt", "sec ch", "ch ua", "unknown aaaa", "ua full", "ua platform", "present jun", "moved", "ip address", "doctype html", "lander script", "head", "method", "allowed date", "arizona", "scottsdale", "go daddy", "authority", "next associated", "extraction fail", "enter soupce", "udi ad", "trydda dada", "panca type", "ur extraction", "s data", "pr extract", "servers", "hostname", "files ip", "denmark unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 4, "URL": 7528, "domain": 1822, "hostname": 2015, "email": 5, "FileHash-MD5": 373, "FileHash-SHA1": 363, "FileHash-SHA256": 1939 }, "indicator_count": 14049, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "244 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "", "HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected: Redirect Types: Delayed Redirect Redirects to: /doodles/ Suspicious", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc", "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction", "http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com", "brave-ohttp-relay-dev.fastly-edge.com (Palantir)", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |", "IP\u2019s Contacted : 54.230.129.165", "Alerts: reads_memory_remote_process network_connection_via_suspicious_process", "https://apple.k8s.joewa.com/ \u2022 http://www.gtaging.apple.pol.kozow.com", "https://hyperbot.net/ \u2022http://rarebot.com/rarebot-installer.exe", "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022", "Alerts: nolookup_communication writes_to_stdout", "https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/", "Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com", "IDS Detections : HTTP GET Request for sqlite3.dll - Possible Infostealer Activity", "howtoworkacrickoutofyourneck2.pages.dev", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS", "src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105", "Yara Detections: is__elf", "http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022 https://pickyhot.disqus.com/tsara-brashears", "https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in", "http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/", "https://www.teslarati.com/spacex", "Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers", "Yara Detections : Nullsoft_NSIS", "Alerts: infostealer_keylog injection_runpe suspicious_command_tools antidebug_guardpages", "accounts.google.com", "https://mirai-nameko.jp/assets/delighters-js.php", "Alerts: network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http", "The Scottish Government www.gov.scot The NHS Scotland support", "https://mchrt.io/OaDiS--vvLULhoP9-ak", "skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au", "ET INFO User-Agent (python-requests) Inbound to Webserver", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options", "We are a Legion We do not forgive. We do not forget.EXPECT US. HACKED! [Colorado State Government] 100%", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound", "Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername", "Redirect from actual firm called - https://coloradoinjurylaw.com/denver-sexual-abuse-lawyer/", "genealogytrails.com", "Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True", "192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "Alerts: infostealer_keylog injection_runpe suspicious_command_tools antidebug_guardpages mouse_movement_detect dynamic_function_loading resumethread_remote_process reads_memory_remote_process network_connection_via_suspicious_process", "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://mchrt.io/zviBxOFCAQJS13Uu--w", "https://cdn.teslarati.com \u2022 https://forums.teslarati.com/", "Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com", "Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.", "http://catgirls.foundation/main \u2022 https://spaceship.com/", "Alerts : persistence_autorun persistence_autorun_tasks network_smtp procmem_yara", "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com", "Tor Get Server Request \u2022 TLS Handshake Failure High Priority", "Suspicious User Agent | ETPRO POLICY Python Requests", "CVE-2017-17215 | https://otx.alienvault.com/indicator/cve/CVE-2017-17215", "Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com", "https://www.teslarati.com/", "https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/", "cell-0.af-south-1.prod.telemetry.console.api.aws", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "fastwebnet.it | Cellebrite White Label Spyware Service", "Needs to be sorted. Actively being exploited on US", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/55d829336075705b1ac26f5300650b6030467123591ab265eeb04578a7c67a86", "https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/", "Alerts : static_pe_anomaly suricata_alert antivm_bochs_keys antivm_generic_disk", "https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "Yara: Detections Tofsee", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "https://clear.ml/infrastructure-control-plane", "\"ET WEB_SERVER WebShell Generic - wget http - POST", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz", "firebase-auth-eich0v.pages.dev", "Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes", "Domains Contacted: c.statcounter.com sstatic1.histats.com", "x.com | https://x.com/search?q=Ahmann-Christopher-PC-Attorney-at-Law", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "https://otx.alienvault.com/indicator/file/ba30376f915afa868763f84299fae5d2", "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101", "CLOUDFLARENET - 104.16.148.244 , 104.19.148.244", "colorado.gov", "IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com", "https://www.red-gate.com/products/smartassembly", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject", "ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101", "Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..", "ET TROJAN Suspicious double Server Header", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "IDS Detection : Win32.Cybergate RAT SQLite DL", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/68e72a3b96eaf61daf0eb13f", "upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4", "Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "IDS Detections : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Domains Contacted: pitfall.divx.com www.google.com", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "https://parabellumnorth.com/product/py2a-g17-69-rail-set/", "Alerts: exe_appdata injection_process_search privilege_luid_check process_interest", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm", "IDS Detections : Observed Telegram Domain (t .me in TLS SNI)", "Maktub Locker TOR Status Check \u2022 TOR Consensus Data Requested \u2022 TOR 1.0 Server Key Retrieval", "You are NOT Yaweh. He does forgive. He does forget. Expect HIM! SAVED \u2018He\u2019s coming again.\u2019", "Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com", "IDS Detections : HTTP Request with Lowercase host Header Observed", "https://khmerpornvideo.signup0.y.id/", "CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.", "foundry.neconsside.com \u2022 http://foundry.neconsside.com", "https://www.teslarati.com/wp-content/themes/teslarati-mag/map/", "162.159.134.42 \u2022 https://cellebrite.com/", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/", "appleid.cdn-apple.com \u2022 apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "ExternalHosts: US", "Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com", "Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey", "Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com", "http://ianswertomom.com/develop-wise-woman-within-yourself", "m.casinometropol225.com \u2022 casinometropol285.com \u2022 http://bonus.casinometropol285.com \u2022", "https://bonus.casinometropol285.com \u2022 www.aksescasinobet77.icu bonus.casinometropol285.com \u2022", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "172.64.147.230 \u2022 Error401.txt", "Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process", "Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut", "Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com", "Source : Binary File ATT&CK ID T1566.002", "x.com | 162.159.140.229 (162.159.128.0/19) AS 13335 ( CLOUDFLARENET )", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238", "https://fr.bongacams10.com/erikasexy1 \u2022 https://www.bigcitycreations.com/s/stories/a-unisex-guide-to-pairing-colors", "IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)", "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards", "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "ELF:Agent-AQB\\ [Trj] IDS Detections: Potential SSH Scan Potential SSH Scan OUTBOUND", "05bet99.bet \u2022 app.05bet99.bet \u2022 betterlifeschool.kr \u2022 bbrbet.today", "Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .", "ELF:Agent-AQB\\ [Trj]", "https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/", "IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden", "Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB", "ET WORM TheMoon.linksys.router", "DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "Mirai", "Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "Error401.txt -> SHA256 d134ca025a6c63b2555200885d71cb6e61f8097cdfd7ecf13675b3df0c721797A", "https://x.com/DenverPolice/status/1999710339584475507?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet", "qlw020.managed-sprint.dynalabs.io (Check)", "IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests", "http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\", "Government porn: https://thehotporn.info/ \u2022 http://live-sex.space/ \u2022 charoenpornintergroup.com", "ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116", "https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/", "FILEHASH - SHA256 55d829336075705b1ac26f5300650b6030467123591ab265eeb04578a7c67a86", "Yara Detections: stack_string Alerts: dead_host", "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "giovannisnypizza.net \u2022 http://www.giovannisnypizza.net \u2022", "Hashtags left on Hybrid Analysis (above) weren\u2019t posted by me", "FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,", "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193", "Entity CLOUD14", "IPs Contacted: 149.56.240.31 172.66.136.209", "IDS Detections : Win32/Tofsee.AX google.com connectivity check", "https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/", "Alerts: dead_host known_hosts_conn network_icmp tcp_syn_scan osquery_detection", "https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/", "Alerts: suricata_alert antiav_detectfile antivm_bochs_keys cape_extracted_content", "https://otx.alienvault.com/indicator/file/aeb3d5ec1d144a7b2d51bdb603c052fd52700defb1b039491c4df3f32ece517a", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "https://hybrid-analysis.com/sample/f2b943e81f1b284cf9dabb4ff156526a02ecca485ac117714867d92b262c8fdd/68dd867e3bc50d9068072c05", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my", "Alerts: queries_programs antivm_queries_computername antivm_memory_available", "pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx", "Alerts : persistence_ads suspicious_command_tools anomalous_deletefile antisandbox_sleep", "https://www.rubreyatson.ddnsgeek.com/", "ET DNS DNS Query to a .tk domain - Likey", "remotewd.com \u2022 device-194a3e38-d1e7-421a-8a01-d136fef966f1.remotewd.com", "cashloanboat.com \u2022 mx-loans-5o.today\u2022 nodoccommercialloan", "applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33", "http://foundry.neconsside.com/ \u2022 https://foundry.neconsside.com \u2022 https://foundry.neconsside", "TCP SYN packets were observed", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,", "Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT", "fazendabetb.live \u2022 bowiesports.com Check first???", "IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt", "Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "Alerts : antivm_generic_services deletes_executed_files injection_runpe dead_connect", "FBI.GOV - VT I\u2019m looking @ says website is legitimate & not misused - hmm", "Alerts: packer_entropy queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name raises_exception", "https://leg.colorado.gov/bills/hb20 ?", "Has been present throughout a specific campaign", "Starfield again - HoneyPot / Dod- DoW", "RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in", "IT Mirai | https://otx.alienvault.com/indicator/domain/miraitranslate.com", "https://v2.papadustream.tv/episode/the-walking-dead-1x1", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX", "https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966", "File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:", "link.mail.beehiiv.com \u2022 beehiiv.com", "putrhnwl.exe", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116", "ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101", "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino", "Yara Detections: Nullsoft_NSIS", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/691924001d6dc4fa2d04d0b2", "IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin", "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware", "Legal court documented agreement to allow and pay target to hire cyber investigators", "Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication", "Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "IP\u2019s Contacted 2530 IP\u2019s Contacted 1.0.0.1 1.0.0.10 1.0.0.100 1.0.0.101 1.0.0.102 | Domains Contacted: 9654s.com", "Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com", "Verification failure observed in automated verification handlers during sandbox replay.", "leg.colorado.gov \u2022\tmaps.app.goo.gl", "https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/", "http://129.2.4.2/32 Lencr", "https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com", "Alerts: antisandbox_sleep creates_largekey process_creation_suspicious_location", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Attacks are being carried out by The State of Colorado", "CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared", "https://maps.googleapis.com/maps/api/js?sensor=false", "https://cellebrite.com/en/federal-government/", "vb.cu \u2022 vb \u2022 vb.il \u2022 vb.cu \u2022 vb.il \u2022 docs.fastly.com \u2022 docs.fastly.com", "\u2018God Does\u2019 Red Clay Strays \u2026 I know that God does but , I know that God does\u2026.", "Detected Non-Google domain serving Google homepage details", "Alerts: infostealer_cookies persistence_autorun procmem_yara static_pe_anomaly", "ims.foundryfabrication.co.uk \u2022 timelog.foundryfabrication.co.uk \u2022 ims.foundryfabrication.co", "Alerts: behavior_tofsee suspicious_iocontrol_codes creates_largekey network_bind" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "NSO", "Mirai", "Christopher Paul Ahmann", "Colorado Government" ], "malware_families": [ "Code virus ransomware", "Win.malware.snojan-6775202-0", "Trojandropper:win32/cutwail.gen!k", "Trojandownloader:win32/cutwailransom:win32/crowti.a", "Backdoor:linux/mirai", "Win.malware.mikey-9949492-0", "Worm:win32/locksky.gen!a", "Clamav - win.malware.cabby-6803812", "Trojandropper:win32/systex.a", "Trojan:win32/aptdrop.ru", "Alf:heraklezeval:trojan:msil/gravityrat!rfn", "Unix.trojan.mirai-7646352-0", "Virtool:win32/vbinject.gen!jb", "Trojan:win32/qbot.r!mtb", "Win32/backdoorx", "Win.trojan.vb-83922", "Mirai (elf)", "Et", "Ms defender - trojandownloader:win32/dalexis!rfn!rfn", "Alf:jasyp:trojan:win32/genmaldown!atmn", "Win.packed.bandook-9882274-1", "Backdoor:win32/tofsee", "Win.trojan.tepfer-61", "Win.trojan.gravityrat-6511862-0", "Backdoor:linux/demonbot", "Backdoor:linux/demonbot.aa!mtb", "Win.trojan.agent-31853", "Ransomware", "Upatre", "Alf:exploit:o97m/cve-2017-8977", "Etpro", "Tsunami-6981155-0", "#lowfijavazkm", "Backdoor:win32/arwobot.b", "Elf:agent-aqb\\ [trj]", "Win.dropper.vbclone", "Avast- win32:filecoder-ad\\ [trj]", "Ransom:win32/crowti", "Unix.dropper.mirai-7135870-0", "Virtool:msil/injector.bf", "Unix.trojan.tsunami-6981155-0", "Backdoor:win32/small.ir", "Psw.sinowal.x", "Win32:trojan-gen", "Crypt3.bxvc", "Worm", "Trojandownloader:win32/cutwail", "Worm:win32/mofksys.rnd!mtb", "Pegasus", "Mirai", "Ransomware/win.stop.r4529", "Win.dropper.tofsee-10012410-0", "#lowfi:sigattr:downloadandexecute", "Htbot", "Nids", "Win.virus.polyransom-5704625-0", "Spyfu", "Ransom:win32/crowti.a", "Win.trojan.dialog-9873788-0", "Trojan:win32/danabot", "Win32:botx-gen\\ [trj]", "#lowfi:hstr:criakl.b1", "Win.packer", "Ms defender\ttrojan:win32/qbot.kvd!mtb", "Virtool:win32/vbinject.gen!mh", "Backdoor:win32/tofsee.", "Win.malware.jaik-9940406-0", "Other malware", "Cve-2017-11882", "Cycbot", "Autoit", "Win.downloader.92-4", "Trojan:win32/predator.pvd!mtb", "Win.trojan.fugrafa-9733007-0", "Trojan:win32/zombie.a", "Elf:mirai-gh\\ [trj]", "Ddos:linux/gafgyt.ya!mtb", "Backdoor:win32/tofsee.t", "Trojan:win32/emotet.pc!mtb", "#lowfi:suspicioussectionname", "Unix.trojan.gafgyt-6981154-0", "Alf:nid:susp_nsis_stub.a", "Win.downloader.small-4507" ], "industries": [ "Construction", "Healthcare", "Technology", "Government", "Insurance", "Journalists", "Civil society", "Legal", "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in" ], "unique_indicators": 350133 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/planetven.us", "whois": "http://whois.domaintools.com/planetven.us", "domain": "planetven.us", "hostname": "vdradmin.planetven.us" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 29, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "7 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69aa41b0d714318bf8937184", "name": "W.Vashti .Net obfuscator clone", "description": "", "modified": "2026-04-04T00:06:41.423000", "created": "2026-03-06T02:53:36.216000", "tags": [ "no expiration", "domain", "name", "control flow", "dlls", "method parent", "declarative", "ms build", "core", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "dock", "write", "execution", "capture", "endgame", "united", "moved", "ip address", "record value", "gate software", "newnham house", "expiration date", "urls", "url add", "http", "related nids", "files location", "flag united", "present aug", "present sep", "present nov", "present oct", "name servers", "emails", "present dec", "meta", "passive dns", "next associated", "ipv4", "url analysis", "files", "cookie", "subscribe", "unsubscribe", "s paris", "englewood", "state", "skip", "espaol", "summary", "filing history", "ireland", "title", "united states", "certificate", "colorado", "ipv4 add", "america flag", "showing", "pulse submit", "size", "pattern match", "mitre att", "ck id", "path", "hybrid", "general", "local", "iframe", "click", "strings", "cece", "mult", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "sha1", "sha256", "njmk", "kwruymy", "mime", "submitted", "process details", "calls", "apis", "reads", "defense evasion", "model", "getprocaddress", "show technique", "ck matrix", "access type", "value", "api call", "open", "august", "format", "typeof symbol", "typeof s", "typeof c", "function", "symbol", "comenabled", "image path", "ndex", "ndroleextdll", "f0f0f0", "ff4b55", "stop", "span", "show process", "binary file", "file", "network traffic", "encrypt", "date", "found", "ssl certificate", "creation date", "hostname add", "pulse pulses", "files ip", "address domain", "data upload", "extraction", "ge6 mira", "failed", "ascii text", "development att", "hostname", "files domain", "files related", "pulses otx", "pulses", "unknown aaaa", "unknown ns", "united states", "urls show", "date checked", "url hostname", "server response", "google safe", "results may", "a domains", "search", "germany unknown", "win32", "lowfi", "chrome", "susp", "trojan", "backdoor", "twitter", "virtool", "worm", "exploit", "trojandropper", "win32upatre dec", "mtb dec", "reverse dns", "body", "location united", "asn as14618", "less whois", "files show", "date hash", "avast avg", "initial access", "javascript", "root", "enterprise", "form", "desktop", "command decode", "suricata ipv4", "spycloud", "robots", "bots", "chatbot", "bot network", "spy", "mixb", "a2fryx", "therahand", "typosquating" ], "references": [ "https://www.red-gate.com/products/smartassembly", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" } ], "industries": [], "TLP": "green", "cloned_from": "6952d4fc6910b0b866746d8a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 343, "FileHash-SHA256": 1332, "domain": 1062, "hostname": 1969, "URL": 5700, "email": 10, "SSLCertFingerprint": 21, "CVE": 1 }, "indicator_count": 10779, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a1a73eb0578b92962dae97", "name": "FBI Link (Ransomware)sent to a device. opened on its own. Why?", "description": "I wouldn\u2019t typically search an alleged authentic government site , except it opened on a device, no prompt. TrojanDownloader:Win32/Dalexis!rfn!rfn\nIDS Detections\nMaktub Locker TOR Status Check\nTOR Consensus Data Requested\nTOR 1.0 Server Key Retrieval\nTor Get Server Request\nTLS Handshake Failure\nYara Detections\nstack_string\nWho is : [URL\n[https://tor-dirauth.sebastianhahn.net/]\n[https://tor.sebastianhahn.net]\n[tor-dirauth.sebastianhahn.net]\n->gitbot.faui2k9.de\n[Status faui2k9.de -connect] connects to device \n100% Malicious | https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70 | [External resources discovered in HTML content:\ndap.digitalgov.gov | Pattern match: \"fbi.gov/contact-us/field-offices/denver/news/pr\"\nHeuristic match: \"x.com\" | will revisit", "modified": "2026-03-29T13:04:34.750000", "created": "2026-02-27T14:16:30.498000", "tags": [ "regopenkeyexw", "port", "destination", "cryptexportkey", "search", "show", "entries", "windows nt", "regsetvalueexa", "ip address", "malware", "copy", "write", "win32", "next", "format", "contacted", "less ip", "server", "organization", "city", "stateprovince", "postal code", "phone", "date", "registrar abuse", "privacy admin", "paris admin", "april", "february", "failed", "enter", "data upload", "passive dns", "urls", "aaaa", "certificate", "otx logo", "all hostname", "pulse submit", "url analysis", "files", "domain", "title", "body", "encrypt", "netherlands", "gmt content", "all ipv4", "amsterdam", "hetzner online", "gmbh", "summary", "url age", "de seen", "general info", "geo germany", "as as24940", "de note", "route", "direct", "pro platform", "logs", "suricata alert", "et info", "tls handshake", "bad traffic", "suricata alerts", "copy md5", "copy sha1", "copy sha256", "sha1", "size", "sha256", "pattern match", "ascii text", "mitre att", "ck id", "path", "unknown", "stop", "root", "hybrid", "general", "local", "form", "click", "strings", "9999", "learn", "adversaries", "name tactics", "suspicious", "informative", "command", "defense evasion", "spawns", "found", "show technique", "ck matrix", "href", "antivirus", "maktub locker", "tor status", "check" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1129, "domain": 148, "hostname": 753, "FileHash-SHA256": 548, "FileHash-MD5": 90, "FileHash-SHA1": 71, "SSLCertFingerprint": 8, "CIDR": 1, "email": 4 }, "indicator_count": 2752, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698e906da16336f8e87c3b90", "name": "CoinHive Clone ", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-02-13T02:46:05.544000", "tags": [ "united", "td tr", "a domains", "history group", "state", "b td", "present sep", "find", "alabama", "iowa", "apache", "content type", "passive dns", "meta http", "content", "gmt server", "pragma", "title", "linksys eseries", "device rce", "inbound", "et exploit", "attempt", "et webserver", "suspicious user", "user agent", "et worm", "policy python", "python", "agent", "generic", "malware", "nids", "dst_ip", "\"sid\": 2017515,", "2020/08/23", "dst_port\": 8080", "suricata", "network_icmp", "tcp_syn_scan", "unix", "mirai", "infection", "port 8080", "aitm", "mitm", "xfinity", "lumen backbone", "xfinity cf", "et info", "useragent", "webserver", "android", "linux", "statistically stripped", "local", "Jefferson County", "Colorado", "State", "is__elf", "is__war", "cyber warfare", "marking", "targeting", "stalking", "impersonating", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "defense evasion", "mitre att", "ck matrix", "february", "hybrid", "general", "path", "encrypt", "click", "strings", "attack", "ssl certificate", "ascii text", "dynamicloader", "yara rule", "ff d5", "medium", "high", "eb d8", "f0 ff", "ff bb", "host", "unknown", "explorer", "virtool", "write", "next", "Douglas County", "Michael Roberts", "Brian Sabey", "Chris\u2019Buzz\u2019 Ahmann", "Mirai BotMaster", "file type", "pexe", "pe32", "intel", "ms windows", "date march", "am size", "imphash", "otx logo", "all filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "moved", "urls", "expiration date", "all hostname", "files", "media", "present feb", "present jan", "present dec", "present nov", "ip address", "present", "codex", "sf.net", "next associated", "ipv4 add", "location united", "america flag", "spawns", "found", "t1480 execution", "pattern match", "present aug", "search", "name servers", "showing", "record value", "meta", "accept", "div div", "request blocked", "helvetica neue", "helvetica segoe", "ui arial", "denver", "yandex", "post", "entries", "post http", "show", "post liquor", "execution", "port", "destination", "icmp traffic", "dns query", "include", "top source" ], "references": [ "https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in", "genealogytrails.com", "It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT", "Has been present throughout a specific campaign", "Mirai", "IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt", "IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS", "IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests", "IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)", "IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden", "ET INFO User-Agent (python-requests) Inbound to Webserver", "Suspicious User Agent | ETPRO POLICY Python Requests", "src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105", "\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,", "TCP SYN packets were observed", "ET WORM TheMoon.linksys.router", "ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound", "\"ET WEB_SERVER WebShell Generic - wget http - POST", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX", "Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication", "Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc", "Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject", "File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:", "upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4", "192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net", "Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB", "IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz", "IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin", "Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process", "Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert", "Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options", "Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..", "IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193", "IPs Contacted: 149.56.240.31 172.66.136.209", "Domains Contacted: c.statcounter.com sstatic1.histats.com", "Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com", "Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com", "Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com", "Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com", "Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com", "Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com", "Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com", "Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Unix.Trojan.Mirai-7646352-0", "display_name": "Unix.Trojan.Mirai-7646352-0", "target": null }, { "id": "SpyFu", "display_name": "SpyFu", "target": null }, { "id": "Win.Trojan.VB-83922", "display_name": "Win.Trojan.VB-83922", "target": null }, { "id": "virtool:Win32/VBInject.gen!JB", "display_name": "virtool:Win32/VBInject.gen!JB", "target": "/malware/virtool:Win32/VBInject.gen!JB" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" } ], "industries": [], "TLP": "white", "cloned_from": "698966742c9fd9691396bb3a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5836, "domain": 857, "FileHash-MD5": 185, "FileHash-SHA1": 147, "hostname": 1842, "email": 7, "FileHash-SHA256": 947, "CVE": 43, "SSLCertFingerprint": 8 }, "indicator_count": 9872, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b7cb05b2098c1d2bf20f", "name": "federal goverment clone cellbrite credit q vashti", "description": "", "modified": "2026-03-12T12:55:39.046000", "created": "2026-03-12T12:55:39.046000", "tags": [ "url https", "url http", "germany", "united", "ukraine", "japan", "extraction", "data upload", "urls", "url analysis", "enter sc", "extr", "iocs", "active", "france unknown", "present jan", "servers", "homair sweet", "grabber", "encrypt", "ipv4", "role title", "divx", "pitfall", "internet", "ip role", "america asn", "extraction data", "leveibielabs", "all se", "enter source", "url or", "texirag", "drop", "present nov", "united states", "america", "levdibidelabs", "failed", "idron anv", "include manualv", "review data", "iterng", "name servers", "passive dns", "incapsula", "meta name", "robots content", "x ua", "ieedge chrome1", "script head", "request", "cookie", "indicator", "msie", "chrome", "backdoor", "gmt content", "ipv4 add", "twitter", "title", "process32nextw", "ms windows", "intel", "pe32", "regopenkeyexa", "read c", "medium", "class", "write", "template", "present oct", "present jul", "aaaa", "present sep", "present aug", "url add", "http", "hostname", "related tags", "kx81xdbx0f", "x86xd3", "xa7xe28x06", "x82xd4", "delete c", "regsetvalueexa", "regbinary", "xa1xf1", "xe8xc2x14", "malware", "stream", "unknown", "win32", "persistence", "execution", "push", "present dec", "italy", "present jun", "embeddedwb", "whitelisted", "windows nt", "dns traffic", "russia", "cname", "accept", "destination", "port", "et smtp", "message", "et trojan", "components", "suspicious", "download", "hostile", "next", "logic", "gather victim", "et info", "etpro trojan", "trojan", "report spam", "interesting", "created", "pegasus", "manipulation", "service", "capture", "et", "etpro", "host", "attack", "mtb description", "windows", "shellexecuteexw", "writeconsolew", "registry", "t1031", "modify existing", "dock", "type indicator", "added active", "related pulses", "arcflex", "filehashsha1", "types of", "learn more", "filehashsha256", "cellebrite", "white label", "search", "sha1", "france", "cmanual jan", "expiration date", "domain add", "pulse submit", "files", "ip address", "gmt cache", "sameorigin", "reverse dns", "unknown ns", "admin org", "zipcode", "gmt server", "pulse pulses", "entries", "hostname add", "verdict", "germany unknown", "status", "domain", "xpirat", "netherlands", "netherlands asn", "as35280 acorus", "dns resolutions", "error", "files ip", "copy", "telnet login", "suspicious path", "busybox", "login attempt", "gpl telnet", "high", "tcp syn", "telnet root", "path", "mirai", "emails", "domain name", "jlu11q", "tqbplo", "hours ago", "found", "yahoo", "gmail", "yandex", "https://cellebrite.com/en/federal-government/", "monitoring", "monitored target", "dangerous", "spyware", "80211", "colorado", "x amz", "government", "mirai login attempt", "emotet", "c2", ".ru", ".com", "denver", "indicator role", "title added", "active related", "pulses hostname", "dead connect", "hostile", "adversarial", "abuse", "criminal intent", "block messages", "botnet" ], "references": [ "fastwebnet.it | Cellebrite White Label Spyware Service", "putrhnwl.exe", "Yara Detections: Nullsoft_NSIS", "Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut", "Alerts: exe_appdata injection_process_search privilege_luid_check process_interest", "Alerts: queries_programs antivm_queries_computername antivm_memory_available", "IP\u2019s Contacted : 54.230.129.165", "Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com", "Domains Contacted: pitfall.divx.com www.google.com", "RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Yara: Detections Tofsee", "Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey", "Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername", "https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966", "FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,", "DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe", "ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116", "ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116", "ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101", "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108", "ET TROJAN Suspicious double Server Header", "ET DNS DNS Query to a .tk domain - Likey", "ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101", "Needs to be sorted. Actively being exploited on US", "162.159.134.42 \u2022 https://cellebrite.com/", "https://cellebrite.com/en/federal-government/", "moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in", "skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au", "http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com", "applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33", "mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my", "http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Germany", "Ireland", "Switzerland", "Poland", "Belgium", "Netherlands", "Sweden" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/Aptdrop.RU", "display_name": "Trojan:Win32/Aptdrop.RU", "target": "/malware/Trojan:Win32/Aptdrop.RU" }, { "id": "Ransomware/Win.Stop.R4529", "display_name": "Ransomware/Win.Stop.R4529", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Win32/BackdoorX", "display_name": "Win32/BackdoorX", "target": null }, { "id": "Win.Trojan.Dialog-9873788-0", "display_name": "Win.Trojan.Dialog-9873788-0", "target": null }, { "id": "Tsunami-6981155-0", "display_name": "Tsunami-6981155-0", "target": null }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1196", "name": "Control Panel Items", "display_name": "T1196 - Control Panel Items" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1581", "name": "Geofencing", "display_name": "T1581 - Geofencing" }, { "id": "T1582", "name": "SMS Control", "display_name": "T1582 - SMS Control" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [ "Journalists", "Government", "Civil Society" ], "TLP": "green", "cloned_from": "696f7d467763ed4d4e74d133", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4994, "domain": 2519, "hostname": 3281, "FileHash-SHA256": 4467, "FileHash-MD5": 1118, "FileHash-SHA1": 1056, "email": 12, "SSLCertFingerprint": 1 }, "indicator_count": 17448, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698966742c9fd9691396bb3a", "name": "CoinHive In-Browser Miner | ET EXPLOIT Linksys E-Series Device RCE Attempt via \u2018AI chat\u2019 Xfinity Commercial Fleet vehicle parked /AITM", "description": "Merits further research. Work no is consistent with a man advocate named Michael\nRoberts of Rexxfield and Miles2/ Mile2 / seen frequently in attacks against females | targeted individual apparently was using an AI browser search when a keyword triggered glitches.\nSearch of a URL\ntarget has never heard of or seen found in device search results. Targets device injected, Mirai botnet found, Other suspicious findings. TBConrinued..:.\n[OTX. Auto populated Significantly more details have been revealed about the GoDaddy.com domain, which has been listed as an unregistered domain by the Internet Service Authority (icann). and its users are not allowed to use it.] #man_jn_tve_midxle #drive_ by_compromise #injection.", "modified": "2026-03-11T04:02:50.189000", "created": "2026-02-09T04:45:40.250000", "tags": [ "united", "td tr", "a domains", "history group", "state", "b td", "present sep", "find", "alabama", "iowa", "apache", "content type", "passive dns", "meta http", "content", "gmt server", "pragma", "title", "linksys eseries", "device rce", "inbound", "et exploit", "attempt", "et webserver", "suspicious user", "user agent", "et worm", "policy python", "python", "agent", "generic", "malware", "nids", "dst_ip", "\"sid\": 2017515,", "2020/08/23", "dst_port\": 8080", "suricata", "network_icmp", "tcp_syn_scan", "unix", "mirai", "infection", "port 8080", "aitm", "mitm", "xfinity", "lumen backbone", "xfinity cf", "et info", "useragent", "webserver", "android", "linux", "statistically stripped", "local", "Jefferson County", "Colorado", "State", "is__elf", "is__war", "cyber warfare", "marking", "targeting", "stalking", "impersonating", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "defense evasion", "mitre att", "ck matrix", "february", "hybrid", "general", "path", "encrypt", "click", "strings", "attack", "ssl certificate", "ascii text", "dynamicloader", "yara rule", "ff d5", "medium", "high", "eb d8", "f0 ff", "ff bb", "host", "unknown", "explorer", "virtool", "write", "next", "Douglas County", "Michael Roberts", "Brian Sabey", "Chris\u2019Buzz\u2019 Ahmann", "Mirai BotMaster", "file type", "pexe", "pe32", "intel", "ms windows", "date march", "am size", "imphash", "otx logo", "all filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "moved", "urls", "expiration date", "all hostname", "files", "media", "present feb", "present jan", "present dec", "present nov", "ip address", "present", "codex", "sf.net", "next associated", "ipv4 add", "location united", "america flag", "spawns", "found", "t1480 execution", "pattern match", "present aug", "search", "name servers", "showing", "record value", "meta", "accept", "div div", "request blocked", "helvetica neue", "helvetica segoe", "ui arial", "denver", "yandex", "post", "entries", "post http", "show", "post liquor", "execution", "port", "destination", "icmp traffic", "dns query", "include", "top source" ], "references": [ "https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in", "genealogytrails.com", "It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT", "Has been present throughout a specific campaign", "Mirai", "IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt", "IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS", "IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests", "IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)", "IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden", "ET INFO User-Agent (python-requests) Inbound to Webserver", "Suspicious User Agent | ETPRO POLICY Python Requests", "src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105", "\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,", "TCP SYN packets were observed", "ET WORM TheMoon.linksys.router", "ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound", "\"ET WEB_SERVER WebShell Generic - wget http - POST", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX", "Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication", "Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc", "Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject", "File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:", "upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4", "192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net", "Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB", "IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz", "IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin", "Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process", "Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert", "Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options", "Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..", "IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193", "IPs Contacted: 149.56.240.31 172.66.136.209", "Domains Contacted: c.statcounter.com sstatic1.histats.com", "Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com", "Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com", "Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com", "Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com", "Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com", "Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com", "Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com", "Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Unix.Trojan.Mirai-7646352-0", "display_name": "Unix.Trojan.Mirai-7646352-0", "target": null }, { "id": "SpyFu", "display_name": "SpyFu", "target": null }, { "id": "Win.Trojan.VB-83922", "display_name": "Win.Trojan.VB-83922", "target": null }, { "id": "virtool:Win32/VBInject.gen!JB", "display_name": "virtool:Win32/VBInject.gen!JB", "target": "/malware/virtool:Win32/VBInject.gen!JB" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5779, "domain": 730, "FileHash-MD5": 185, "FileHash-SHA1": 147, "hostname": 1790, "email": 5, "FileHash-SHA256": 947, "CVE": 3, "SSLCertFingerprint": 8 }, "indicator_count": 9594, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696f7d467763ed4d4e74d133", "name": "Federal Government-Cellebrite Attack found actively targeting iOS and other devices | Mirai login attempts | TelNet Login", "description": "https://cellebrite.com/en/federal-government/ | Found on a crime victims devices. Targets abused by spyware in an unethical manner by andvesarial \u2018governmental\u2019 possibly \u2018contracted\u2019 entities. Waged against targets such as victims of crime , journalists , researchers , students. Target Users: Serves public safety, enterprise, and government sectors, aiding first responders, investigators, prosecutors, and analysts. How it's Used Law enforcement uses it to unlock devices and retrieve evidence like messages, location history, and app data for criminal investigations. It helps uncover critical information from digital devices, even recovering data that users thought was permanently deleted. Controversy & Privacy Concerns While marketed as a tool for lawful investigations, its powerful data extraction capabilities raise significant privacy concerns and ethical debates.", "modified": "2026-02-19T12:05:47.166000", "created": "2026-01-20T13:04:06.622000", "tags": [ "url https", "url http", "germany", "united", "ukraine", "japan", "extraction", "data upload", "urls", "url analysis", "enter sc", "extr", "iocs", "active", "france unknown", "present jan", "servers", "homair sweet", "grabber", "encrypt", "ipv4", "role title", "divx", "pitfall", "internet", "ip role", "america asn", "extraction data", "leveibielabs", "all se", "enter source", "url or", "texirag", "drop", "present nov", "united states", "america", "levdibidelabs", "failed", "idron anv", "include manualv", "review data", "iterng", "name servers", "passive dns", "incapsula", "meta name", "robots content", "x ua", "ieedge chrome1", "script head", "request", "cookie", "indicator", "msie", "chrome", "backdoor", "gmt content", "ipv4 add", "twitter", "title", "process32nextw", "ms windows", "intel", "pe32", "regopenkeyexa", "read c", "medium", "class", "write", "template", "present oct", "present jul", "aaaa", "present sep", "present aug", "url add", "http", "hostname", "related tags", "kx81xdbx0f", "x86xd3", "xa7xe28x06", "x82xd4", "delete c", "regsetvalueexa", "regbinary", "xa1xf1", "xe8xc2x14", "malware", "stream", "unknown", "win32", "persistence", "execution", "push", "present dec", "italy", "present jun", "embeddedwb", "whitelisted", "windows nt", "dns traffic", "russia", "cname", "accept", "destination", "port", "et smtp", "message", "et trojan", "components", "suspicious", "download", "hostile", "next", "logic", "gather victim", "et info", "etpro trojan", "trojan", "report spam", "interesting", "created", "pegasus", "manipulation", "service", "capture", "et", "etpro", "host", "attack", "mtb description", "windows", "shellexecuteexw", "writeconsolew", "registry", "t1031", "modify existing", "dock", "type indicator", "added active", "related pulses", "arcflex", "filehashsha1", "types of", "learn more", "filehashsha256", "cellebrite", "white label", "search", "sha1", "france", "cmanual jan", "expiration date", "domain add", "pulse submit", "files", "ip address", "gmt cache", "sameorigin", "reverse dns", "unknown ns", "admin org", "zipcode", "gmt server", "pulse pulses", "entries", "hostname add", "verdict", "germany unknown", "status", "domain", "xpirat", "netherlands", "netherlands asn", "as35280 acorus", "dns resolutions", "error", "files ip", "copy", "telnet login", "suspicious path", "busybox", "login attempt", "gpl telnet", "high", "tcp syn", "telnet root", "path", "mirai", "emails", "domain name", "jlu11q", "tqbplo", "hours ago", "found", "yahoo", "gmail", "yandex", "https://cellebrite.com/en/federal-government/", "monitoring", "monitored target", "dangerous", "spyware", "80211", "colorado", "x amz", "government", "mirai login attempt", "emotet", "c2", ".ru", ".com", "denver", "indicator role", "title added", "active related", "pulses hostname", "dead connect", "hostile", "adversarial", "abuse", "criminal intent", "block messages", "botnet" ], "references": [ "fastwebnet.it | Cellebrite White Label Spyware Service", "putrhnwl.exe", "Yara Detections: Nullsoft_NSIS", "Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut", "Alerts: exe_appdata injection_process_search privilege_luid_check process_interest", "Alerts: queries_programs antivm_queries_computername antivm_memory_available", "IP\u2019s Contacted : 54.230.129.165", "Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com", "Domains Contacted: pitfall.divx.com www.google.com", "RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Yara: Detections Tofsee", "Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey", "Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername", "https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966", "FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,", "DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe", "ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116", "ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116", "ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101", "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108", "ET TROJAN Suspicious double Server Header", "ET DNS DNS Query to a .tk domain - Likey", "ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101", "Needs to be sorted. Actively being exploited on US", "162.159.134.42 \u2022 https://cellebrite.com/", "https://cellebrite.com/en/federal-government/", "moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in", "skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au", "http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com", "applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33", "mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my", "http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Germany", "Ireland", "Switzerland", "Poland", "Belgium", "Netherlands", "Sweden" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/Aptdrop.RU", "display_name": "Trojan:Win32/Aptdrop.RU", "target": "/malware/Trojan:Win32/Aptdrop.RU" }, { "id": "Ransomware/Win.Stop.R4529", "display_name": "Ransomware/Win.Stop.R4529", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Win32/BackdoorX", "display_name": "Win32/BackdoorX", "target": null }, { "id": "Win.Trojan.Dialog-9873788-0", "display_name": "Win.Trojan.Dialog-9873788-0", "target": null }, { "id": "Tsunami-6981155-0", "display_name": "Tsunami-6981155-0", "target": null }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1196", "name": "Control Panel Items", "display_name": "T1196 - Control Panel Items" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1581", "name": "Geofencing", "display_name": "T1581 - Geofencing" }, { "id": "T1582", "name": "SMS Control", "display_name": "T1582 - SMS Control" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [ "Journalists", "Government", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4994, "domain": 2519, "hostname": 3281, "FileHash-SHA256": 4467, "FileHash-MD5": 1118, "FileHash-SHA1": 1056, "email": 12, "SSLCertFingerprint": 1 }, "indicator_count": 17448, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6963596c4cd594b77b4675ec", "name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - PalantirFoundry | The State of Colorado | ", "description": "", "modified": "2026-02-10T06:05:39.764000", "created": "2026-01-11T08:03:56.534000", "tags": [ "colorado state", "freeman mathis", "history", "cyber risk", "aspen insureds", "gaig insureds", "landy insureds", "nip group", "purm insureds", "overview core", "united", "ip address", "present nov", "present may", "moved", "encrypt", "unknown", "backdoor", "passive dns", "ransom", "checkin", "trojandropper", "mtb nov", "twitter", "trojan", "data upload", "extraction", "failed", "united states", "server response", "google safe", "results may", "lowfi", "virtool", "mtb alf", "mh alf", "port", "windows nt", "destination", "msie", "khtml", "gecko", "unknown aaaa", "a domains", "meta", "for privacy", "cop supply", "urls", "as139646 hong", "hostname", "files", "hong kong", "domain add", "ip related", "hash avast", "avg clamav", "msdefender may", "ddos", "as13335", "ipv4", "certificate", "hostname add", "url analysis", "files ip", "name strings", "category", "united states", "pulse indicator", "address", "error", "null", "object", "string", "number", "google maps", "promise", "javascript api", "dataset", "bigint", "dark", "android", "infinity", "internal", "roboto", "trident", "void", "small", "lightrail", "false", "span", "close", "light", "hybrid", "embed", "iframe", "keygen", "this", "february", "bounce", "drop", "inside", "outside", "marker", "present dec", "pulses otx", "aaaa", "asnone country", "record value", "title", "pulse pulses", "pulses", "showing", "unknown cname", "unknown soa", "next associated", "ipv4 add", "cycbot", "extract indic", "sneaker bots", "proxies data", "script script", "adult content", "nextimage", "porn site", "div div", "platform make", "cloudfront x", "hio52 p3", "unknown ns", "pulse submit", "title error", "reverse dns", "status", "servers", "name servers", "vashti hostname", "scan endpoints", "url http", "http", "files domain", "files related", "pulses none", "dnssec", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "domain", "emails", "cookie", "url https", "show", "filehash", "urls show", "date checked", "url hostname", "results nov", "win32", "type", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "llc name", "server", "markmonitor", "name server", "windir", "openurl c", "prefetch2", "show technique", "mitre att", "ck matrix", "pattern match", "ascii text", "sha1", "href", "show process", "file", "general", "local", "path", "germany unknown", "date", "registrar", "ip whois", "dynamicloader", "high", "medium", "search", "displayname", "tofsee", "win64", "write", "stream", "malware", "push", "entries", "tls handshake", "failure", "forbidden", "tlsv1", "april", "next", "write c", "intel", "ms windows", "sha1 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "sha256 add", "present jun", "present mar", "medelln", "colombia asn", "dns resolutions", "address domain", "related tags", "none google", "safe browsing", "external", "present sep", "present aug", "as54113", "present jul", "as8068", "gmt content", "total", "read", "delete", "top source", "quasi", "murderers", "christopher ahmann", "buzz ahmann", "wow64", "slcc2", "media center", "labor", "employment", "cdle", "dowc", "colorado", "workers", "coloradoif", "independent", "state", "company", "entity type", "authorized line", "analysis", "tor analysis", "process details", "network traffic", "t1071", "potential ip", "click", "found", "t1480 execution", "bad traffic", "et info", "ck techniques", "evasion att", "t1057", "refresh", "body", "strings", "tools", "look", "verify", "restart", "cname", "form", "pulse", "script domains", "script urls", "administrator", "services llc", "dns admin", "domain admin", "global llc", "domain manager", "computer system", "ltd domain", "network", "alibaba", "facebook", "phishme", "sogou", "present jan", "present feb", "present oct" ], "references": [ "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "https://maps.googleapis.com/maps/api/js?sensor=false", "cell-0.af-south-1.prod.telemetry.console.api.aws", "howtoworkacrickoutofyourneck2.pages.dev", "firebase-auth-eich0v.pages.dev", "http://ianswertomom.com/develop-wise-woman-within-yourself", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "https://khmerpornvideo.signup0.y.id/", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "https://clear.ml/infrastructure-control-plane", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "Legal court documented agreement to allow and pay target to hire cyber investigators", "Attacks are being carried out by The State of Colorado" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "France", "Ireland", "Spain", "Italy", "Aruba", "Australia", "Denmark", "United Kingdom of Great Britain and Northern Ireland", "Germany", "T\u00fcrkiye", "Indonesia" ], "malware_families": [ { "id": "Win.Trojan.GravityRAT-6511862-0", "display_name": "Win.Trojan.GravityRAT-6511862-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null }, { "id": "TrojanDropper:Win32/Systex.A", "display_name": "TrojanDropper:Win32/Systex.A", "target": "/malware/TrojanDropper:Win32/Systex.A" }, { "id": "Win.Trojan.Tepfer-61", "display_name": "Win.Trojan.Tepfer-61", "target": null }, { "id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "target": null }, { "id": "VirTool:Win32/VBInject.gen!MH", "display_name": "VirTool:Win32/VBInject.gen!MH", "target": "/malware/VirTool:Win32/VBInject.gen!MH" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "#LOWFI:HSTR:Criakl.B1", "display_name": "#LOWFI:HSTR:Criakl.B1", "target": null }, { "id": "Backdoor:Win32/Arwobot.B", "display_name": "Backdoor:Win32/Arwobot.B", "target": "/malware/Backdoor:Win32/Arwobot.B" }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Win.Downloader.Small-4507", "display_name": "Win.Downloader.Small-4507", "target": null }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "Win.Malware.Mikey-9949492-0", "display_name": "Win.Malware.Mikey-9949492-0", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "DDOS:Linux/Gafgyt.YA!MTB", "display_name": "DDOS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDOS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-11882", "display_name": "CVE-2017-11882", "target": null }, { "id": "ALF:Exploit:O97M/CVE-2017-8977", "display_name": "ALF:Exploit:O97M/CVE-2017-8977", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" } ], "industries": [ "Insurance", "Construction" ], "TLP": "green", "cloned_from": "693cdc5b8ebc10664439c2fb", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54118, "domain": 11153, "hostname": 18578, "email": 21, "FileHash-SHA256": 4905, "FileHash-MD5": 548, "FileHash-SHA1": 534, "CVE": 7, "SSLCertFingerprint": 20, "CIDR": 1 }, "indicator_count": 89885, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://vdradmin.planetven.us/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://vdradmin.planetven.us/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776612850.2116203 }