{
"type": "URL",
"indicator": "https://whois.arin.net/rest/org/MSFT",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://whois.arin.net/rest/org/MSFT",
"type": "url",
"type_title": "URL",
"validation": [
{
"source": "akamai",
"message": "Akamai rank: #6937",
"name": "Akamai Popular Domain"
},
{
"source": "whitelist",
"message": "Whitelisted domain arin.net",
"name": "Whitelisted domain"
},
{
"source": "majestic",
"message": "Whitelisted domain arin.net",
"name": "Whitelisted domain"
}
],
"base_indicator": {
"id": 4281787950,
"indicator": "https://whois.arin.net/rest/org/MSFT",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 8,
"pulses": [
{
"id": "69a82c54067ca1d502b1eb6c",
"name": "TTB-Chained (Tehran-Transversal Belasco Chain)",
"description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion.\nThe conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. In Infra/Bank/Gov sectors, TTB executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos",
"modified": "2026-05-31T01:02:14",
"created": "2026-03-04T12:57:56.738000",
"tags": [
"malicious",
"Microsoft",
"intent: reckless",
"wiper",
"Transip",
"bankers document gone rogue",
"Tehran",
"pdfkit.net",
"United",
"broken Docusign seal",
"esign violation",
"us lawyers",
"Iran",
"IP Abuse US",
"Spreader",
"corruption that spread",
"52.123.250.180",
"Mass Data Loss and exfiltration",
"Docusign exploited by insecure workflows",
"Adobe exploited by insecure workflows",
"threat map",
"Infra / healthcare / more at risk from this negligence",
"remediation: long. expire the certs. block 53..",
"accountability, NOW.",
"Burned",
"Kitplay",
"iOS",
"Watering hole",
"Webkit",
"Religious Regime",
"MS Office",
"Compliance Hold Purgatory",
"WIN EXE.32",
"Firmware neutral",
"Trusted Insider",
"DKIM, SPF, DMARC Failures"
],
"references": [
"The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.",
"People who exploit this put the US at risk. Bottom line.",
"Further threat mapping indicates the root of this lies at 52.123.250.[180]. The",
"For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.",
"This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader",
"",
"IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815",
"This document might expose someone, more than another.",
"Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.",
"Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [
"Government",
"Telecommunications"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 70,
"hostname": 226,
"CVE": 6,
"URL": 366,
"domain": 112,
"FileHash-MD5": 5,
"FileHash-SHA1": 26,
"CIDR": 4,
"email": 20
},
"indicator_count": 835,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "21 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69d967590f40c612c90ce84f",
"name": "TTB-Chained (Tehran-Transversal Belasco Chain) - Clone of My Own Post. Updated",
"description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion. The conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. TTB-chained executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root hosted in IP {53.xxx] is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos. See Belasco Chain for more.",
"modified": "2026-05-31T01:02:14",
"created": "2026-04-10T21:10:49.749000",
"tags": [
"malicious",
"Microsoft",
"intent: reckless",
"wiper",
"Transip",
"bankers document gone rogue",
"Tehran",
"pdfkit.net",
"United",
"broken Docusign seal",
"esign violation",
"us lawyers",
"Iran",
"IP Abuse US",
"Spreader",
"corruption that spread",
"52.123.250.180",
"Mass Data Loss and exfiltration",
"Docusign exploited by insecure workflows",
"Adobe exploited by insecure workflows",
"threat map",
"Infra / healthcare / more at risk from this negligence",
"remediation: long. expire the certs. block 53..",
"accountability, NOW.",
"Burned",
"Kitplay",
"iOS",
"Watering hole",
"Webkit",
"Religious Regime",
"MS Office",
"Compliance Hold Purgatory",
"WIN EXE.32",
"Firmware neutral",
"Trusted Insider",
"DKIM, SPF, DMARC Failures",
"APKmirror",
"ILOVEYOUBABY",
"No Problems",
"Christmas Tree EXEC Code Red worm Computer virus Nimda",
"Wanna Cry",
"APK",
"DC RAT",
"Emotnet",
"Redline Swiper",
"Open Door",
"Bankers Document",
"Y2K",
"wsscript.exe, VBE",
"Compliance Lock Trap",
"Globalsign 2020 (potentially exploited)",
"Heuristic Smear",
"Gatsby Library Loader DLL",
"w31999",
"UofA"
],
"references": [
"The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.",
"People who exploit this put the US at risk. Bottom line.",
"Further threat mapping indicates the root of this lies at 52.123.250.[180]. The",
"For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.",
"This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader",
"",
"IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815",
"This document might expose someone, more than another.",
"Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.",
"Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.",
"Micro - Dates to look for specific: April/May/June 2025",
"Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off",
"Amazon- Check new cert subscribers on or around Sept 15 2025",
"Entrust to Sectigo- Review vendors",
"Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities",
"CA DMV- 2020 exploits, if even exist in your records, may be related.",
"Digi/Global Sign - audit 2020 digital intersect",
"Proton.me/Zenbox: Audit July 2025",
"Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025",
"APKMirror https://www.apkmirror.com",
"Google Docs 1.25.202.02 APK Download by Google LLC",
"The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.",
"Y2K",
"US, Philippines, Ukraine, Iran, China. Alberta.",
"France",
"Germany, Austria, and Switzerland GmbH",
"Gatsby Library Loader, DLL",
"Spellbinding! Indeed. SpellEditor.exe"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [
"Government",
"Telecommunications"
],
"TLP": "green",
"cloned_from": "69a82c54067ca1d502b1eb6c",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3921,
"hostname": 1668,
"CVE": 14,
"URL": 1984,
"domain": 1432,
"FileHash-MD5": 882,
"FileHash-SHA1": 946,
"CIDR": 10,
"email": 29,
"JA3": 2,
"IPv4": 11
},
"indicator_count": 10899,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 69,
"modified_text": "21 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69d9675a25be662c17cd3a9c",
"name": "TTB-Chained (Tehran-Transversal Belasco Chain) - Clone of My Own Post. Updated",
"description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion. The conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. TTB-chained executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root hosted in IP {53.xxx] is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos. See Belasco Chain for more.",
"modified": "2026-05-31T01:02:14",
"created": "2026-04-10T21:10:50.646000",
"tags": [
"malicious",
"Microsoft",
"intent: reckless",
"wiper",
"Transip",
"bankers document gone rogue",
"Tehran",
"pdfkit.net",
"United",
"broken Docusign seal",
"esign violation",
"us lawyers",
"Iran",
"IP Abuse US",
"Spreader",
"corruption that spread",
"52.123.250.180",
"Mass Data Loss and exfiltration",
"Docusign exploited by insecure workflows",
"Adobe exploited by insecure workflows",
"threat map",
"Infra / healthcare / more at risk from this negligence",
"remediation: long. expire the certs. block 53..",
"accountability, NOW.",
"Burned",
"Kitplay",
"iOS",
"Watering hole",
"Webkit",
"Religious Regime",
"MS Office",
"Compliance Hold Purgatory",
"WIN EXE.32",
"Firmware neutral",
"Trusted Insider",
"DKIM, SPF, DMARC Failures",
"No Problems"
],
"references": [
"The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.",
"People who exploit this put the US at risk. Bottom line.",
"Further threat mapping indicates the root of this lies at 52.123.250.[180]. The",
"For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.",
"This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader",
"",
"IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815",
"This document might expose someone, more than another.",
"Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.",
"Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [
"Government",
"Telecommunications"
],
"TLP": "green",
"cloned_from": "69a82c54067ca1d502b1eb6c",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 70,
"hostname": 232,
"CVE": 9,
"URL": 371,
"domain": 112,
"FileHash-MD5": 5,
"FileHash-SHA1": 26,
"CIDR": 4,
"email": 20,
"JA3": 1,
"IPv4": 3
},
"indicator_count": 853,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "21 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69e4ce38b03b0bb283c78a42",
"name": "CAPE Sandbox- circa 1980",
"description": "I dont even have windows and its haunting me. The real treasure today was this though.. you were tricky with your 1980's work to find:\na74535b274b8bfa42e4d7dd33fd8703e\n2bcdb3bf34303a29106a3aefa21d611a170443ea\n4da1f382887248188f43e579f6a28163d4337cca2a7d8dc893b58dff35e9c745\n244aaea6a195a18bbd72a13a9a421e72",
"modified": "2026-05-19T13:22:41.504000",
"created": "2026-04-19T12:44:40.519000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 196,
"FileHash-SHA1": 174,
"FileHash-SHA256": 1546,
"URL": 157,
"hostname": 403,
"domain": 80,
"CIDR": 4,
"email": 10
},
"indicator_count": 2570,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "12 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69feb6b2fa376059b4216e8f",
"name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update",
"description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents",
"modified": "2026-05-09T10:45:57.198000",
"created": "2026-05-09T04:23:14.660000",
"tags": [
"server",
"date",
"domain status",
"registrar abuse",
"registrar",
"dnssec",
"domain name",
"registrant city",
"us registrant",
"email",
"code",
"contact",
"pe32",
"intel",
"ms windows",
"generic cil",
"executable",
"mono",
"win32 dynamic",
"link library",
"delphi generic",
"pe32 library",
"icons library",
"blob",
"strings",
"admin country",
"expiration date",
"registry domain",
"registrar iana",
"creation date",
"admin city"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1074",
"name": "Data Staged",
"display_name": "T1074 - Data Staged"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1120",
"name": "Peripheral Device Discovery",
"display_name": "T1120 - Peripheral Device Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1375,
"hostname": 1101,
"URL": 1336,
"domain": 507,
"email": 89,
"FileHash-MD5": 1306,
"FileHash-SHA1": 406,
"IPv4": 268,
"IPv6": 6,
"CIDR": 35
},
"indicator_count": 6429,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "22 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69d747314a8fc4fa30250fe9",
"name": "VirusTotal report\n for program.exe",
"description": " Report date relevance: May 18 2025.",
"modified": "2026-05-09T07:01:42.911000",
"created": "2026-04-09T06:29:05.116000",
"tags": [
"explorer",
"maxime thiebaut",
"files",
"imageendswith",
"windows sccm",
"pe file",
"drops pe",
"sample",
"drops",
"pe32",
"intel",
"ms windows",
"infects",
"found",
"mitre attack",
"persistence",
"info",
"next",
"windows sandbox",
"calls clear",
"users",
"nothing",
"registry keys",
"change",
"mutexes nothing",
"parent pid",
"full path",
"command line",
"files c",
"devicecng c",
"bit locker hijacked",
"illegal one drive cross tenant",
"Esign violation",
"non secure workflow",
"wiper",
"MDMenrollment misuse",
"broken seal",
"pdfkit.net DMV",
"vzwbiz",
"modified after creation non secure workflow",
"Docusign exploited by non secure workflow",
"Human Error/Spyware/Risk+",
"Abobe Exploited by non secure process",
"CaRoot Cert Abuse",
"cryptography unsound"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715909&Signature=gpI0cV%2Bz5SujLXqKc%2FMViiMPztLVAF6Rp00wpW3LF4PyrCqLg7GTlahQtBw0v4rtG0E8HaaDkNRYZ6xPc%2BaCuTHHzf0b8HN0%2BOiY%2B%2Bk4Q5eiI%2BJCJiWefs3vtk9u5bFyGQqM4nzF3u1uk2E8d3TKiy09A5K7YNLjbAsewBUu5mmJZsTeErl3nBhQcKu1stwt1ycd78SLCg8fUl3U7DDaqfd3hJbY98lWj8e6NwMu6VxskCRDdSQsdWj2",
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715951&Signature=XmRkiqq6Fjiq21rddntr3oHg%2BIPR1SrVwk6v5ZZ%2FJ4PkIpl7sqX1DjtJMGHoYvndxGmCeSCYQ08LS9hYRAWXupAhPzRcTkFcmq6KY%2FyMoab3l0SDixcrT9tLxB4iEobBJOzX0Fb%2B8QDyAbyjsuoKSMNCQC0CrVZyT7X54GsN93BU0FXiJWIIluOisGnjwoqL3rdMF8%2BPEJgkcUJTOIuIRaX57nsrXAMIv7dbn9BGZFDXH0",
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715964&Signature=A%2BPIQBCth46RBnI1rK4wnu%2B0XtyUhEdo1TORDahLnR6yM%2BbI8gLsWpjDTmV8aSDFIcFddcr%2BCs9TqMa65j3jNrLz9NcyZekNiDekQlkYCbMCIiYduRDT9nLy485HDee9RRJ3YSbeqJQSjzOXemRKeyL8rg3ml6WTeCly22CrQPLljCwWWUbsQLYOMqu0OADj%2BKEZv%2B5gVOmJsQIBQugE%2F0xSYw1lKowIs5nlYy9Z0hbFUycO"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "PathWiper",
"display_name": "PathWiper",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [
"Government",
"Telecommunications",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 81,
"URL": 421,
"hostname": 491,
"FileHash-MD5": 477,
"FileHash-SHA1": 298,
"FileHash-SHA256": 719,
"CVE": 5,
"email": 12,
"CIDR": 2
},
"indicator_count": 2506,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "22 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69fc35bbf5093f9bf3cd0a32",
"name": "CAPE Sandbox- LOTA- Living off the Admin",
"description": "The sandbox analysis reveals several high-risk activities that align with modern malware strains. Persistence Mechanisms: The file attempts to modify registry keys and drop executable files in sensitive directories, typical of malware seeking to survive system reboots.Network Communications: It initiates connections to known malicious C2 (Command and Control) infrastructure. This includes resolving DGA (Domain Generation Algorithm) domains and attempting P2P communication.Process Injection: The sample often spawns or injects code into legitimate system processes to evade detection by standard antivirus engines.Data Exfiltration: Observed behavioral signatures include calls to APIs used for harvesting credentials and system metadata, which are then queued for outbound transmission. Network comms\n385 HTTP 656 DNS 702 IP 1 JA3.\n[fcedee2f..]\nf0r5afo[.exe] 12/28/16 first appearance. 104.31.74.222 Ip I tagged 30 other malcious [exe] in here too. ref file: [e0c]",
"modified": "2026-05-08T05:17:02.092000",
"created": "2026-05-07T06:48:27.828000",
"tags": [
"cloudflare",
"city",
"san francisco",
"rnocname",
"orgid",
"rtechhandle",
"net104",
"net1040000",
"rtechemail",
"rabusehandle"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 110,
"FileHash-MD5": 47,
"FileHash-SHA1": 85,
"FileHash-SHA256": 186,
"URL": 1467,
"domain": 274,
"hostname": 247,
"CIDR": 4,
"email": 14
},
"indicator_count": 2434,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69c40496b927d4374c5ce278",
"name": "Nissan Data",
"description": "Victims C2 car console repeated failure notices.",
"modified": "2026-04-24T15:06:33.739000",
"created": "2026-03-25T15:51:50.778000",
"tags": [
"cachecontrol",
"keepalive",
"connection",
"date thu",
"gmt xversion",
"etag",
"link",
"ip address",
"status code",
"control",
"date wed",
"get http",
"dns resolutions",
"ip traffic",
"number",
"cnmicrosoft ecc",
"update secure",
"server ca",
"cus subject",
"stwa lredmond",
"omicrosoft c",
"user",
"data",
"datacrashpad",
"edge"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 21,
"domain": 37,
"URL": 637,
"hostname": 236,
"FileHash-SHA256": 34,
"FileHash-SHA1": 9,
"CIDR": 3,
"email": 24
},
"indicator_count": 1001,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "37 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"",
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715951&Signature=XmRkiqq6Fjiq21rddntr3oHg%2BIPR1SrVwk6v5ZZ%2FJ4PkIpl7sqX1DjtJMGHoYvndxGmCeSCYQ08LS9hYRAWXupAhPzRcTkFcmq6KY%2FyMoab3l0SDixcrT9tLxB4iEobBJOzX0Fb%2B8QDyAbyjsuoKSMNCQC0CrVZyT7X54GsN93BU0FXiJWIIluOisGnjwoqL3rdMF8%2BPEJgkcUJTOIuIRaX57nsrXAMIv7dbn9BGZFDXH0",
"Micro - Dates to look for specific: April/May/June 2025",
"The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.",
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715964&Signature=A%2BPIQBCth46RBnI1rK4wnu%2B0XtyUhEdo1TORDahLnR6yM%2BbI8gLsWpjDTmV8aSDFIcFddcr%2BCs9TqMa65j3jNrLz9NcyZekNiDekQlkYCbMCIiYduRDT9nLy485HDee9RRJ3YSbeqJQSjzOXemRKeyL8rg3ml6WTeCly22CrQPLljCwWWUbsQLYOMqu0OADj%2BKEZv%2B5gVOmJsQIBQugE%2F0xSYw1lKowIs5nlYy9Z0hbFUycO",
"Germany, Austria, and Switzerland GmbH",
"Spellbinding! Indeed. SpellEditor.exe",
"IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815",
"People who exploit this put the US at risk. Bottom line.",
"Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities",
"Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025",
"APKMirror https://www.apkmirror.com",
"Proton.me/Zenbox: Audit July 2025",
"This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader",
"US, Philippines, Ukraine, Iran, China. Alberta.",
"The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.",
"France",
"Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.",
"CA DMV- 2020 exploits, if even exist in your records, may be related.",
"Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.",
"Further threat mapping indicates the root of this lies at 52.123.250.[180]. The",
"Digi/Global Sign - audit 2020 digital intersect",
"Google Docs 1.25.202.02 APK Download by Google LLC",
"Entrust to Sectigo- Review vendors",
"Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off",
"Gatsby Library Loader, DLL",
"Amazon- Check new cert subscribers on or around Sept 15 2025",
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715909&Signature=gpI0cV%2Bz5SujLXqKc%2FMViiMPztLVAF6Rp00wpW3LF4PyrCqLg7GTlahQtBw0v4rtG0E8HaaDkNRYZ6xPc%2BaCuTHHzf0b8HN0%2BOiY%2B%2Bk4Q5eiI%2BJCJiWefs3vtk9u5bFyGQqM4nzF3u1uk2E8d3TKiy09A5K7YNLjbAsewBUu5mmJZsTeErl3nBhQcKu1stwt1ycd78SLCg8fUl3U7DDaqfd3hJbY98lWj8e6NwMu6VxskCRDdSQsdWj2",
"Y2K",
"For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.",
"This document might expose someone, more than another."
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Pathwiper"
],
"industries": [
"Telecommunications",
"Technology",
"Government"
],
"unique_indicators": 12767
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/arin.net",
"whois": "http://whois.domaintools.com/arin.net",
"domain": "arin.net",
"hostname": "whois.arin.net"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 8,
"pulses": [
{
"id": "69a82c54067ca1d502b1eb6c",
"name": "TTB-Chained (Tehran-Transversal Belasco Chain)",
"description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion.\nThe conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. In Infra/Bank/Gov sectors, TTB executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos",
"modified": "2026-05-31T01:02:14",
"created": "2026-03-04T12:57:56.738000",
"tags": [
"malicious",
"Microsoft",
"intent: reckless",
"wiper",
"Transip",
"bankers document gone rogue",
"Tehran",
"pdfkit.net",
"United",
"broken Docusign seal",
"esign violation",
"us lawyers",
"Iran",
"IP Abuse US",
"Spreader",
"corruption that spread",
"52.123.250.180",
"Mass Data Loss and exfiltration",
"Docusign exploited by insecure workflows",
"Adobe exploited by insecure workflows",
"threat map",
"Infra / healthcare / more at risk from this negligence",
"remediation: long. expire the certs. block 53..",
"accountability, NOW.",
"Burned",
"Kitplay",
"iOS",
"Watering hole",
"Webkit",
"Religious Regime",
"MS Office",
"Compliance Hold Purgatory",
"WIN EXE.32",
"Firmware neutral",
"Trusted Insider",
"DKIM, SPF, DMARC Failures"
],
"references": [
"The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.",
"People who exploit this put the US at risk. Bottom line.",
"Further threat mapping indicates the root of this lies at 52.123.250.[180]. The",
"For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.",
"This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader",
"",
"IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815",
"This document might expose someone, more than another.",
"Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.",
"Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [
"Government",
"Telecommunications"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 70,
"hostname": 226,
"CVE": 6,
"URL": 366,
"domain": 112,
"FileHash-MD5": 5,
"FileHash-SHA1": 26,
"CIDR": 4,
"email": 20
},
"indicator_count": 835,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "21 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69d967590f40c612c90ce84f",
"name": "TTB-Chained (Tehran-Transversal Belasco Chain) - Clone of My Own Post. Updated",
"description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion. The conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. TTB-chained executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root hosted in IP {53.xxx] is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos. See Belasco Chain for more.",
"modified": "2026-05-31T01:02:14",
"created": "2026-04-10T21:10:49.749000",
"tags": [
"malicious",
"Microsoft",
"intent: reckless",
"wiper",
"Transip",
"bankers document gone rogue",
"Tehran",
"pdfkit.net",
"United",
"broken Docusign seal",
"esign violation",
"us lawyers",
"Iran",
"IP Abuse US",
"Spreader",
"corruption that spread",
"52.123.250.180",
"Mass Data Loss and exfiltration",
"Docusign exploited by insecure workflows",
"Adobe exploited by insecure workflows",
"threat map",
"Infra / healthcare / more at risk from this negligence",
"remediation: long. expire the certs. block 53..",
"accountability, NOW.",
"Burned",
"Kitplay",
"iOS",
"Watering hole",
"Webkit",
"Religious Regime",
"MS Office",
"Compliance Hold Purgatory",
"WIN EXE.32",
"Firmware neutral",
"Trusted Insider",
"DKIM, SPF, DMARC Failures",
"APKmirror",
"ILOVEYOUBABY",
"No Problems",
"Christmas Tree EXEC Code Red worm Computer virus Nimda",
"Wanna Cry",
"APK",
"DC RAT",
"Emotnet",
"Redline Swiper",
"Open Door",
"Bankers Document",
"Y2K",
"wsscript.exe, VBE",
"Compliance Lock Trap",
"Globalsign 2020 (potentially exploited)",
"Heuristic Smear",
"Gatsby Library Loader DLL",
"w31999",
"UofA"
],
"references": [
"The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.",
"People who exploit this put the US at risk. Bottom line.",
"Further threat mapping indicates the root of this lies at 52.123.250.[180]. The",
"For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.",
"This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader",
"",
"IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815",
"This document might expose someone, more than another.",
"Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.",
"Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.",
"Micro - Dates to look for specific: April/May/June 2025",
"Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off",
"Amazon- Check new cert subscribers on or around Sept 15 2025",
"Entrust to Sectigo- Review vendors",
"Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities",
"CA DMV- 2020 exploits, if even exist in your records, may be related.",
"Digi/Global Sign - audit 2020 digital intersect",
"Proton.me/Zenbox: Audit July 2025",
"Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025",
"APKMirror https://www.apkmirror.com",
"Google Docs 1.25.202.02 APK Download by Google LLC",
"The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.",
"Y2K",
"US, Philippines, Ukraine, Iran, China. Alberta.",
"France",
"Germany, Austria, and Switzerland GmbH",
"Gatsby Library Loader, DLL",
"Spellbinding! Indeed. SpellEditor.exe"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [
"Government",
"Telecommunications"
],
"TLP": "green",
"cloned_from": "69a82c54067ca1d502b1eb6c",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3921,
"hostname": 1668,
"CVE": 14,
"URL": 1984,
"domain": 1432,
"FileHash-MD5": 882,
"FileHash-SHA1": 946,
"CIDR": 10,
"email": 29,
"JA3": 2,
"IPv4": 11
},
"indicator_count": 10899,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 69,
"modified_text": "21 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69d9675a25be662c17cd3a9c",
"name": "TTB-Chained (Tehran-Transversal Belasco Chain) - Clone of My Own Post. Updated",
"description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion. The conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. TTB-chained executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root hosted in IP {53.xxx] is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos. See Belasco Chain for more.",
"modified": "2026-05-31T01:02:14",
"created": "2026-04-10T21:10:50.646000",
"tags": [
"malicious",
"Microsoft",
"intent: reckless",
"wiper",
"Transip",
"bankers document gone rogue",
"Tehran",
"pdfkit.net",
"United",
"broken Docusign seal",
"esign violation",
"us lawyers",
"Iran",
"IP Abuse US",
"Spreader",
"corruption that spread",
"52.123.250.180",
"Mass Data Loss and exfiltration",
"Docusign exploited by insecure workflows",
"Adobe exploited by insecure workflows",
"threat map",
"Infra / healthcare / more at risk from this negligence",
"remediation: long. expire the certs. block 53..",
"accountability, NOW.",
"Burned",
"Kitplay",
"iOS",
"Watering hole",
"Webkit",
"Religious Regime",
"MS Office",
"Compliance Hold Purgatory",
"WIN EXE.32",
"Firmware neutral",
"Trusted Insider",
"DKIM, SPF, DMARC Failures",
"No Problems"
],
"references": [
"The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.",
"People who exploit this put the US at risk. Bottom line.",
"Further threat mapping indicates the root of this lies at 52.123.250.[180]. The",
"For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.",
"This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader",
"",
"IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815",
"This document might expose someone, more than another.",
"Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.",
"Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [
"Government",
"Telecommunications"
],
"TLP": "green",
"cloned_from": "69a82c54067ca1d502b1eb6c",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 70,
"hostname": 232,
"CVE": 9,
"URL": 371,
"domain": 112,
"FileHash-MD5": 5,
"FileHash-SHA1": 26,
"CIDR": 4,
"email": 20,
"JA3": 1,
"IPv4": 3
},
"indicator_count": 853,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "21 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69e4ce38b03b0bb283c78a42",
"name": "CAPE Sandbox- circa 1980",
"description": "I dont even have windows and its haunting me. The real treasure today was this though.. you were tricky with your 1980's work to find:\na74535b274b8bfa42e4d7dd33fd8703e\n2bcdb3bf34303a29106a3aefa21d611a170443ea\n4da1f382887248188f43e579f6a28163d4337cca2a7d8dc893b58dff35e9c745\n244aaea6a195a18bbd72a13a9a421e72",
"modified": "2026-05-19T13:22:41.504000",
"created": "2026-04-19T12:44:40.519000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 196,
"FileHash-SHA1": 174,
"FileHash-SHA256": 1546,
"URL": 157,
"hostname": 403,
"domain": 80,
"CIDR": 4,
"email": 10
},
"indicator_count": 2570,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "12 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69feb6b2fa376059b4216e8f",
"name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update",
"description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents",
"modified": "2026-05-09T10:45:57.198000",
"created": "2026-05-09T04:23:14.660000",
"tags": [
"server",
"date",
"domain status",
"registrar abuse",
"registrar",
"dnssec",
"domain name",
"registrant city",
"us registrant",
"email",
"code",
"contact",
"pe32",
"intel",
"ms windows",
"generic cil",
"executable",
"mono",
"win32 dynamic",
"link library",
"delphi generic",
"pe32 library",
"icons library",
"blob",
"strings",
"admin country",
"expiration date",
"registry domain",
"registrar iana",
"creation date",
"admin city"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1074",
"name": "Data Staged",
"display_name": "T1074 - Data Staged"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1120",
"name": "Peripheral Device Discovery",
"display_name": "T1120 - Peripheral Device Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1375,
"hostname": 1101,
"URL": 1336,
"domain": 507,
"email": 89,
"FileHash-MD5": 1306,
"FileHash-SHA1": 406,
"IPv4": 268,
"IPv6": 6,
"CIDR": 35
},
"indicator_count": 6429,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "22 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69d747314a8fc4fa30250fe9",
"name": "VirusTotal report\n for program.exe",
"description": " Report date relevance: May 18 2025.",
"modified": "2026-05-09T07:01:42.911000",
"created": "2026-04-09T06:29:05.116000",
"tags": [
"explorer",
"maxime thiebaut",
"files",
"imageendswith",
"windows sccm",
"pe file",
"drops pe",
"sample",
"drops",
"pe32",
"intel",
"ms windows",
"infects",
"found",
"mitre attack",
"persistence",
"info",
"next",
"windows sandbox",
"calls clear",
"users",
"nothing",
"registry keys",
"change",
"mutexes nothing",
"parent pid",
"full path",
"command line",
"files c",
"devicecng c",
"bit locker hijacked",
"illegal one drive cross tenant",
"Esign violation",
"non secure workflow",
"wiper",
"MDMenrollment misuse",
"broken seal",
"pdfkit.net DMV",
"vzwbiz",
"modified after creation non secure workflow",
"Docusign exploited by non secure workflow",
"Human Error/Spyware/Risk+",
"Abobe Exploited by non secure process",
"CaRoot Cert Abuse",
"cryptography unsound"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715909&Signature=gpI0cV%2Bz5SujLXqKc%2FMViiMPztLVAF6Rp00wpW3LF4PyrCqLg7GTlahQtBw0v4rtG0E8HaaDkNRYZ6xPc%2BaCuTHHzf0b8HN0%2BOiY%2B%2Bk4Q5eiI%2BJCJiWefs3vtk9u5bFyGQqM4nzF3u1uk2E8d3TKiy09A5K7YNLjbAsewBUu5mmJZsTeErl3nBhQcKu1stwt1ycd78SLCg8fUl3U7DDaqfd3hJbY98lWj8e6NwMu6VxskCRDdSQsdWj2",
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715951&Signature=XmRkiqq6Fjiq21rddntr3oHg%2BIPR1SrVwk6v5ZZ%2FJ4PkIpl7sqX1DjtJMGHoYvndxGmCeSCYQ08LS9hYRAWXupAhPzRcTkFcmq6KY%2FyMoab3l0SDixcrT9tLxB4iEobBJOzX0Fb%2B8QDyAbyjsuoKSMNCQC0CrVZyT7X54GsN93BU0FXiJWIIluOisGnjwoqL3rdMF8%2BPEJgkcUJTOIuIRaX57nsrXAMIv7dbn9BGZFDXH0",
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715964&Signature=A%2BPIQBCth46RBnI1rK4wnu%2B0XtyUhEdo1TORDahLnR6yM%2BbI8gLsWpjDTmV8aSDFIcFddcr%2BCs9TqMa65j3jNrLz9NcyZekNiDekQlkYCbMCIiYduRDT9nLy485HDee9RRJ3YSbeqJQSjzOXemRKeyL8rg3ml6WTeCly22CrQPLljCwWWUbsQLYOMqu0OADj%2BKEZv%2B5gVOmJsQIBQugE%2F0xSYw1lKowIs5nlYy9Z0hbFUycO"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "PathWiper",
"display_name": "PathWiper",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [
"Government",
"Telecommunications",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 81,
"URL": 421,
"hostname": 491,
"FileHash-MD5": 477,
"FileHash-SHA1": 298,
"FileHash-SHA256": 719,
"CVE": 5,
"email": 12,
"CIDR": 2
},
"indicator_count": 2506,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "22 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69fc35bbf5093f9bf3cd0a32",
"name": "CAPE Sandbox- LOTA- Living off the Admin",
"description": "The sandbox analysis reveals several high-risk activities that align with modern malware strains. Persistence Mechanisms: The file attempts to modify registry keys and drop executable files in sensitive directories, typical of malware seeking to survive system reboots.Network Communications: It initiates connections to known malicious C2 (Command and Control) infrastructure. This includes resolving DGA (Domain Generation Algorithm) domains and attempting P2P communication.Process Injection: The sample often spawns or injects code into legitimate system processes to evade detection by standard antivirus engines.Data Exfiltration: Observed behavioral signatures include calls to APIs used for harvesting credentials and system metadata, which are then queued for outbound transmission. Network comms\n385 HTTP 656 DNS 702 IP 1 JA3.\n[fcedee2f..]\nf0r5afo[.exe] 12/28/16 first appearance. 104.31.74.222 Ip I tagged 30 other malcious [exe] in here too. ref file: [e0c]",
"modified": "2026-05-08T05:17:02.092000",
"created": "2026-05-07T06:48:27.828000",
"tags": [
"cloudflare",
"city",
"san francisco",
"rnocname",
"orgid",
"rtechhandle",
"net104",
"net1040000",
"rtechemail",
"rabusehandle"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 110,
"FileHash-MD5": 47,
"FileHash-SHA1": 85,
"FileHash-SHA256": 186,
"URL": 1467,
"domain": 274,
"hostname": 247,
"CIDR": 4,
"email": 14
},
"indicator_count": 2434,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69c40496b927d4374c5ce278",
"name": "Nissan Data",
"description": "Victims C2 car console repeated failure notices.",
"modified": "2026-04-24T15:06:33.739000",
"created": "2026-03-25T15:51:50.778000",
"tags": [
"cachecontrol",
"keepalive",
"connection",
"date thu",
"gmt xversion",
"etag",
"link",
"ip address",
"status code",
"control",
"date wed",
"get http",
"dns resolutions",
"ip traffic",
"number",
"cnmicrosoft ecc",
"update secure",
"server ca",
"cus subject",
"stwa lredmond",
"omicrosoft c",
"user",
"data",
"datacrashpad",
"edge"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 21,
"domain": 37,
"URL": 637,
"hostname": 236,
"FileHash-SHA256": 34,
"FileHash-SHA1": 9,
"CIDR": 3,
"email": 24
},
"indicator_count": 1001,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "37 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://whois.arin.net/rest/org/MSFT",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://whois.arin.net/rest/org/MSFT",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780267992.3186457
}