{ "type": "URL", "indicator": "https://webmail.alo.ne", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://webmail.alo.ne", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4073081669, "indicator": "https://webmail.alo.ne", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "68aff672de7f1b65a97c00b1", "name": "WarzoneRAT impacts Social Media of users with compromised systems", "description": "Injection affects compromised user/s social media accounts including YouTube. Uploads to social media accounts from infected systems divert to adversary\u2019s alt YouTube media center labeled \u2018watch\u2019 instead of YouTube . Remote access observed. Threat actor has full access , cnc , devices, personal information, images, contacts, network, private information including all financial information. \n \nAlt / adversarial Pinterest, Tumblr, YouTube, Facebook, Twitter / X, Instagram , LinkedIn", "modified": "2025-09-27T05:00:09.125000", "created": "2025-08-28T06:25:54.794000", "tags": [ "d10927", "mp41", "mp41 connection", "r connection", "ip address", "dynamicloader", "write c", "globalc", "medium", "high", "write", "dll read", "trojan", "delphi", "win32", "dialer", "tracking", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "t1590 gather", "mitre att", "ck matrix", "null", "click", "title", "span", "meta", "general", "local", "path", "strings", "refresh", "tools", "virgin islands", "united", "unknown ns", "a domains", "montserrat", "passive dns", "ipv4", "urls", "files", "hosting", "trojandropper", "location virgin", "msie", "windows nt", "wow64", "slcc2", "media center", "item", "has description", "unknown", "explorer", "error", "powershell", "yara rule", "windows", "t1055", "warzonerat", "avemaria", "virtool", "netwire", "malware", "hostile", "autoit", "defender", "date", "bq aug", "next associated", "ipv4 add", "resolved ips", "get http", "request", "win64", "khtml", "gecko", "resolutions", "number", "ja3s", "algorithm", "cnr12 cus", "cname", "accept", "port", "gmt ifnonematch", "screenshots no", "involved dns", "name response", "nxdomain", "tcp connections", "involved direct", "country name", "moved", "alone email", "body doctype", "gmt server", "content type", "service privacy", "cve" ], "references": [ "http://remote.edikamin.com/", "http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C", "http://deposito.hostance.net/dialer/", "Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT", "Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net", "DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net", "Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1", "simswap.in (possible Mirai or relationship to)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Virgin Islands, British" ], "malware_families": [ { "id": "Trojan:Win32/Diamin.F", "display_name": "Trojan:Win32/Diamin.F", "target": "/malware/Trojan:Win32/Diamin.F" }, { "id": "Dialer", "display_name": "Dialer", "target": null }, { "id": "Win32:CabMod\\ [Drp]", "display_name": "Win32:CabMod\\ [Drp]", "target": null }, { "id": "TrojanDropper:Win32/Hupigon.gen!A", "display_name": "TrojanDropper:Win32/Hupigon.gen!A", "target": "/malware/TrojanDropper:Win32/Hupigon.gen!A" }, { "id": "ALF:HeraklezEval:PUA:Win32/Keygen", "display_name": "ALF:HeraklezEval:PUA:Win32/Keygen", "target": null }, { "id": "Trojan:Win32/Startpage.AEA", "display_name": "Trojan:Win32/Startpage.AEA", "target": "/malware/Trojan:Win32/Startpage.AEA" }, { "id": "Banload", "display_name": "Banload", "target": null }, { "id": "TrojanDownloader:Win32/Banload.D", "display_name": "TrojanDownloader:Win32/Banload.D", "target": "/malware/TrojanDownloader:Win32/Banload.D" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "!#AddsCopy-ToStartup", "display_name": "!#AddsCopy-ToStartup", "target": null }, { "id": "VirTool:Win32/AutInject.CZ!bit", "display_name": "VirTool:Win32/AutInject.CZ!bit", "target": "/malware/VirTool:Win32/AutInject.CZ!bit" }, { "id": "Win.Trojan.Agent-316098", "display_name": "Win.Trojan.Agent-316098", "target": null }, { "id": "virtool:Win32/Injector.gen!BQ", "display_name": "virtool:Win32/Injector.gen!BQ", "target": "/malware/virtool:Win32/Injector.gen!BQ" }, { "id": "WarzoneRAT - S0670", "display_name": "WarzoneRAT - S0670", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [ "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4194, "hostname": 1563, "FileHash-SHA256": 2494, "domain": 624, "FileHash-MD5": 274, "FileHash-SHA1": 226, "email": 1, "CVE": 1 }, "indicator_count": 9377, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684139bff0febbf785692bae", "name": "lizardsquad malwares mozy mirai FROM CRM, RYAN AND KAYOS", "description": "spreading on discord, steam and various other. infecting his potential customer", "modified": "2025-07-05T06:00:25.828000", "created": "2025-06-05T06:31:26.380000", "tags": [], "references": [ "" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "lizardsqua", "id": "344032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "FileHash-SHA1": 3, "FileHash-SHA256": 23, "URL": 57, "domain": 22, "hostname": 7, "CIDR": 1 }, "indicator_count": 125, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "330 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684016fd620242eaccbc4d1d", "name": "lizardsquad mirai /", "description": "A look at some of the key details about the shutdown of Microsoft's Windows update server, as well as the details of how the service was set up and how it looked up on the internet.", "modified": "2025-07-04T09:02:13.716000", "created": "2025-06-04T09:50:52.900000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "lizardsqua", "id": "344032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "URL": 52, "domain": 22, "hostname": 6 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "331 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684016fe5bacb316ffbb4bf0", "name": "lizardsquad mirai /", "description": "A look at some of the key details about the shutdown of Microsoft's Windows update server, as well as the details of how the service was set up and how it looked up on the internet.", "modified": "2025-07-04T09:02:13.716000", "created": "2025-06-04T09:50:53.747000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "lizardsqua", "id": "344032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "URL": 52, "domain": 22, "hostname": 6 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "331 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684016fed357f8d96bf1b304", "name": "lizardsquad mirai", "description": "A look at some of the key details about the shutdown of Microsoft's Windows update server, as well as the details of how the service was set up and how it looked up on the internet.", "modified": "2025-07-04T09:02:13.716000", "created": "2025-06-04T09:50:53.829000", "tags": [ "discord", "lizardsquad malware", "simswap", "" ], "references": [ "" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "lizardsqua", "id": "344032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "URL": 52, "domain": 22, "hostname": 6 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "331 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684016ff2b9a30173e2a450d", "name": "lizardsquad mirai /", "description": "A look at some of the key details about the shutdown of Microsoft's Windows update server, as well as the details of how the service was set up and how it looked up on the internet.", "modified": "2025-07-04T09:02:13.716000", "created": "2025-06-04T09:50:53.444000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "lizardsqua", "id": "344032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "URL": 52, "domain": 22, "hostname": 6 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "331 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net", "http://remote.edikamin.com/", "Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1", "simswap.in (possible Mirai or relationship to)", "http://deposito.hostance.net/dialer/", "DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net", "Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT", "http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win.trojan.agent-316098", "Dialer", "Virtool:win32/autinject.cz!bit", "Trojandownloader:win32/banload.d", "Warzonerat - s0670", "Alf:heraklezeval:pua:win32/keygen", "!#addscopy-tostartup", "Virtool:win32/injector.gen!bq", "Cve-2023-22518", "Trojandropper:win32/hupigon.gen!a", "Win32:cabmod\\ [drp]", "Trojan:win32/startpage.aea", "Banload", "Win32:evo-gen", "Trojan:win32/diamin.f" ], "industries": [ "Telecommunications", "Media", "Technology" ], "unique_indicators": 9584 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/alo.ne", "whois": "http://whois.domaintools.com/alo.ne", "domain": "alo.ne", "hostname": "webmail.alo.ne" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "68aff672de7f1b65a97c00b1", "name": "WarzoneRAT impacts Social Media of users with compromised systems", "description": "Injection affects compromised user/s social media accounts including YouTube. Uploads to social media accounts from infected systems divert to adversary\u2019s alt YouTube media center labeled \u2018watch\u2019 instead of YouTube . Remote access observed. Threat actor has full access , cnc , devices, personal information, images, contacts, network, private information including all financial information. \n \nAlt / adversarial Pinterest, Tumblr, YouTube, Facebook, Twitter / X, Instagram , LinkedIn", "modified": "2025-09-27T05:00:09.125000", "created": "2025-08-28T06:25:54.794000", "tags": [ "d10927", "mp41", "mp41 connection", "r connection", "ip address", "dynamicloader", "write c", "globalc", "medium", "high", "write", "dll read", "trojan", "delphi", "win32", "dialer", "tracking", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "t1590 gather", "mitre att", "ck matrix", "null", "click", "title", "span", "meta", "general", "local", "path", "strings", "refresh", "tools", "virgin islands", "united", "unknown ns", "a domains", "montserrat", "passive dns", "ipv4", "urls", "files", "hosting", "trojandropper", "location virgin", "msie", "windows nt", "wow64", "slcc2", "media center", "item", "has description", "unknown", "explorer", "error", "powershell", "yara rule", "windows", "t1055", "warzonerat", "avemaria", "virtool", "netwire", "malware", "hostile", "autoit", "defender", "date", "bq aug", "next associated", "ipv4 add", "resolved ips", "get http", "request", "win64", "khtml", "gecko", "resolutions", "number", "ja3s", "algorithm", "cnr12 cus", "cname", "accept", "port", "gmt ifnonematch", "screenshots no", "involved dns", "name response", "nxdomain", "tcp connections", "involved direct", "country name", "moved", "alone email", "body doctype", "gmt server", "content type", "service privacy", "cve" ], "references": [ "http://remote.edikamin.com/", "http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C", "http://deposito.hostance.net/dialer/", "Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT", "Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net", "DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net", "Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1", "simswap.in (possible Mirai or relationship to)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Virgin Islands, British" ], "malware_families": [ { "id": "Trojan:Win32/Diamin.F", "display_name": "Trojan:Win32/Diamin.F", "target": "/malware/Trojan:Win32/Diamin.F" }, { "id": "Dialer", "display_name": "Dialer", "target": null }, { "id": "Win32:CabMod\\ [Drp]", "display_name": "Win32:CabMod\\ [Drp]", "target": null }, { "id": "TrojanDropper:Win32/Hupigon.gen!A", "display_name": "TrojanDropper:Win32/Hupigon.gen!A", "target": "/malware/TrojanDropper:Win32/Hupigon.gen!A" }, { "id": "ALF:HeraklezEval:PUA:Win32/Keygen", "display_name": "ALF:HeraklezEval:PUA:Win32/Keygen", "target": null }, { "id": "Trojan:Win32/Startpage.AEA", "display_name": "Trojan:Win32/Startpage.AEA", "target": "/malware/Trojan:Win32/Startpage.AEA" }, { "id": "Banload", "display_name": "Banload", "target": null }, { "id": "TrojanDownloader:Win32/Banload.D", "display_name": "TrojanDownloader:Win32/Banload.D", "target": "/malware/TrojanDownloader:Win32/Banload.D" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "!#AddsCopy-ToStartup", "display_name": "!#AddsCopy-ToStartup", "target": null }, { "id": "VirTool:Win32/AutInject.CZ!bit", "display_name": "VirTool:Win32/AutInject.CZ!bit", "target": "/malware/VirTool:Win32/AutInject.CZ!bit" }, { "id": "Win.Trojan.Agent-316098", "display_name": "Win.Trojan.Agent-316098", "target": null }, { "id": "virtool:Win32/Injector.gen!BQ", "display_name": "virtool:Win32/Injector.gen!BQ", "target": "/malware/virtool:Win32/Injector.gen!BQ" }, { "id": "WarzoneRAT - S0670", "display_name": "WarzoneRAT - S0670", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [ "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4194, "hostname": 1563, "FileHash-SHA256": 2494, "domain": 624, "FileHash-MD5": 274, "FileHash-SHA1": 226, "email": 1, "CVE": 1 }, "indicator_count": 9377, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684139bff0febbf785692bae", "name": "lizardsquad malwares mozy mirai FROM CRM, RYAN AND KAYOS", "description": "spreading on discord, steam and various other. infecting his potential customer", "modified": "2025-07-05T06:00:25.828000", "created": "2025-06-05T06:31:26.380000", "tags": [], "references": [ "" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "lizardsqua", "id": "344032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "FileHash-SHA1": 3, "FileHash-SHA256": 23, "URL": 57, "domain": 22, "hostname": 7, "CIDR": 1 }, "indicator_count": 125, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "330 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684016fd620242eaccbc4d1d", "name": "lizardsquad mirai /", "description": "A look at some of the key details about the shutdown of Microsoft's Windows update server, as well as the details of how the service was set up and how it looked up on the internet.", "modified": "2025-07-04T09:02:13.716000", "created": "2025-06-04T09:50:52.900000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "lizardsqua", "id": "344032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "URL": 52, "domain": 22, "hostname": 6 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "331 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684016fe5bacb316ffbb4bf0", "name": "lizardsquad mirai /", "description": "A look at some of the key details about the shutdown of Microsoft's Windows update server, as well as the details of how the service was set up and how it looked up on the internet.", "modified": "2025-07-04T09:02:13.716000", "created": "2025-06-04T09:50:53.747000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "lizardsqua", "id": "344032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "URL": 52, "domain": 22, "hostname": 6 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "331 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684016fed357f8d96bf1b304", "name": "lizardsquad mirai", "description": "A look at some of the key details about the shutdown of Microsoft's Windows update server, as well as the details of how the service was set up and how it looked up on the internet.", "modified": "2025-07-04T09:02:13.716000", "created": "2025-06-04T09:50:53.829000", "tags": [ "discord", "lizardsquad malware", "simswap", "" ], "references": [ "" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "lizardsqua", "id": "344032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "URL": 52, "domain": 22, "hostname": 6 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "331 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684016ff2b9a30173e2a450d", "name": "lizardsquad mirai /", "description": "A look at some of the key details about the shutdown of Microsoft's Windows update server, as well as the details of how the service was set up and how it looked up on the internet.", "modified": "2025-07-04T09:02:13.716000", "created": "2025-06-04T09:50:53.444000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "lizardsqua", "id": "344032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "URL": 52, "domain": 22, "hostname": 6 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "331 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://webmail.alo.ne", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://webmail.alo.ne", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780276657.2177196 }