{
  "type": "URL",
  "indicator": "https://whois.arin.net/ui/",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://whois.arin.net/ui/",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "akamai",
        "message": "Akamai rank: #6937",
        "name": "Akamai Popular Domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain arin.net",
        "name": "Whitelisted domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain arin.net",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 4227989670,
      "indicator": "https://whois.arin.net/ui/",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "69f2e790b5ca86510c384c2c",
          "name": "14.5k win[exe] comm, 14 ref, 89hxTrojans with ARINOPS -199.",
          "description": "[The following has been published on the website of the International Organization for the Prevention of Electronic Illness (IOC), which is based in the United States, and is subject to a security rev]\nCertificate before 8/20 expired. Client lost access to phone Aug 22-Sept 15 no reason given. Clients ADT alarm went of wehn sectigo cert expired Sept 8. Client went into Apple man in suit \"unlocked phone\" Sept 15. Was this a jailbreak?",
          "modified": "2026-05-30T05:18:49.034000",
          "created": "2026-04-30T05:24:32.866000",
          "tags": [
            "win32",
            "trojan",
            "united",
            "as393225",
            "mtb may",
            "mtb mar",
            "passive dns",
            "ip address",
            "backdoor",
            "mtb apr",
            "url analysis",
            "level",
            "title",
            "mirai",
            "orgtechhandle",
            "arin operations",
            "orgnochandle",
            "kassim",
            "oneill",
            "michael j",
            "nethandle",
            "net199",
            "net1990000",
            "arinops",
            "address range",
            "cidr",
            "network name",
            "allocation type",
            "whois server",
            "entity arinops",
            "handle",
            "key identifier",
            "x509v3 subject",
            "full name",
            "v3 serial",
            "number",
            "cus odigicert",
            "inc cndigicert",
            "global g2",
            "tls rsa",
            "sha256",
            "date"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 215,
            "FileHash-SHA1": 178,
            "FileHash-SHA256": 594,
            "domain": 12,
            "CIDR": 60,
            "URL": 122,
            "hostname": 72,
            "email": 7,
            "CVE": 1
          },
          "indicator_count": 1261,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "2 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f2e7933eca244995760f32",
          "name": "14.5k win[exe] comm, 14 ref, 89hxTrojans with ARINOPS -199.",
          "description": "[The following has been published on the website of the International Organization for the Prevention of Electronic Illness (IOC), which is based in the United States, and is subject to a security rev]\nCertificate before 8/20 expired. Client lost access to phone Aug 22-Sept 15 no reason given. Clients ADT alarm went of wehn sectigo cert expired Sept 8. Client went into Apple man in suit \"unlocked phone\" Sept 15. Was this a jailbreak?",
          "modified": "2026-05-30T05:18:49.034000",
          "created": "2026-04-30T05:24:35.619000",
          "tags": [
            "win32",
            "trojan",
            "united",
            "as393225",
            "mtb may",
            "mtb mar",
            "passive dns",
            "ip address",
            "backdoor",
            "mtb apr",
            "url analysis",
            "level",
            "title",
            "mirai",
            "orgtechhandle",
            "arin operations",
            "orgnochandle",
            "kassim",
            "oneill",
            "michael j",
            "nethandle",
            "net199",
            "net1990000",
            "arinops",
            "address range",
            "cidr",
            "network name",
            "allocation type",
            "whois server",
            "entity arinops",
            "handle",
            "key identifier",
            "x509v3 subject",
            "full name",
            "v3 serial",
            "number",
            "cus odigicert",
            "inc cndigicert",
            "global g2",
            "tls rsa",
            "sha256",
            "date"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 152,
            "FileHash-SHA1": 153,
            "FileHash-SHA256": 495,
            "domain": 2,
            "CIDR": 1,
            "URL": 70,
            "hostname": 7,
            "email": 5
          },
          "indicator_count": 885,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "2 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fd9888ba1e4ac37aaefe2d",
          "name": "Dear John.",
          "description": "[ most common type of information on social media is that there is no such thing as an easy-to- find, but that is not the case for a certain type. and it can be difficult to find- this \"Poland\" Ip comes straight back to the US. Ripe to Arin.",
          "modified": "2026-05-08T09:03:50.553000",
          "created": "2026-05-08T08:02:16.991000",
          "tags": [
            "url http",
            "url https",
            "ipv4",
            "cidr",
            "search",
            "type indicator",
            "role title",
            "added active",
            "related pulses"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 4,
            "CIDR": 3,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 25,
            "URL": 22,
            "hostname": 10,
            "domain": 1,
            "CVE": 1
          },
          "indicator_count": 79,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "23 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fd9888374d9c0890bdba0f",
          "name": "Dear John.",
          "description": "[ most common type of information on social media is that there is no such thing as an easy-to- find, but that is not the case for a certain type. and it can be difficult to find- this \"Poland\" Ip comes straight back to the US. Ripe to Arin.",
          "modified": "2026-05-08T09:03:49.306000",
          "created": "2026-05-08T08:02:16.343000",
          "tags": [
            "url http",
            "url https",
            "ipv4",
            "cidr",
            "search",
            "type indicator",
            "role title",
            "added active",
            "related pulses"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 4,
            "CIDR": 3,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 25,
            "URL": 22,
            "hostname": 10,
            "domain": 1,
            "CVE": 1
          },
          "indicator_count": 79,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "23 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fd9887f6b182d39b9605fe",
          "name": "Dear John.",
          "description": "[ most common type of information on social media is that there is no such thing as an easy-to- find, but that is not the case for a certain type. and it can be difficult to find- this \"Poland\" Ip comes straight back to the US. Ripe to Arin.",
          "modified": "2026-05-08T08:02:15.797000",
          "created": "2026-05-08T08:02:15.797000",
          "tags": [
            "url http",
            "url https",
            "ipv4",
            "cidr",
            "search",
            "type indicator",
            "role title",
            "added active",
            "related pulses"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 4,
            "CIDR": 3,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 25,
            "URL": 22,
            "hostname": 10,
            "domain": 1
          },
          "indicator_count": 78,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "23 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fd8fcf280068179ca6d174",
          "name": "Over 1 Million Comm. Files. 158 referring malic tagged.",
          "description": "0befb3ee094b270c981816a69da00a000572f38d71772578cd7e2001d, as part of a series of events.\nacroipm2.adobe.[com]\nadobe.[com]",
          "modified": "2026-05-08T07:59:04.198000",
          "created": "2026-05-08T07:25:03.312000",
          "tags": [
            "win32 dll",
            "win32 exe",
            "com laude",
            "readermessages",
            "microsoft",
            "ltd dba",
            "nomiq",
            "network capture",
            "text",
            "gzip",
            "first",
            "thumbprint",
            "code",
            "email",
            "san jose",
            "server",
            "registrar abuse",
            "admin country",
            "expiration date",
            "registry domain",
            "registrar iana",
            "date",
            "iana id",
            "contact phone",
            "dnssec",
            "domain status",
            "registrar url",
            "registrar whois",
            "cname",
            "aaaa",
            "ttl value",
            "key identifier",
            "full name",
            "v3 serial",
            "number",
            "cus odigicert",
            "inc cndigicert",
            "global g3",
            "tls ecc",
            "sha384",
            "ca1 validity",
            "info",
            "domain",
            "expiry date",
            "united",
            "update date"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 145,
            "FileHash-SHA1": 159,
            "FileHash-SHA256": 546,
            "IPv4": 314,
            "URL": 164,
            "domain": 52,
            "hostname": 210,
            "email": 6,
            "IPv6": 2,
            "CIDR": 6
          },
          "indicator_count": 1604,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "23 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "699da4b51b83807ed9e7442e",
          "name": "GKG.NET + Verizon Infrastructure-  Potential Domain Compromise & Financial Fraud Campaign",
          "description": "Verizon Domain Resolves Here. Financial Concern: CCV checker v1.0 by kid1232.exe (14/72) is a specialized tool for validating stolen credit cards. Its presence is an interesting finding.\nInfrastructure Targeting: The files Master Domain Database (2).xlsx and Accredited-Registrars-202602220056.csv suggest the actor is collecting data on registrars to facilitate Supply Chain Attacks or large-scale domain thefts.\nActive Compromise: The PDF metrosanantonioliving.com DNS Zones and the FireShot screenshot of GKG's DNS configuration page are direct evidence of a \"live\" account takeover or unauthorized configuration of a victim's domain.\nThe Heavy Hitter: The Win32 EXE ending in ...13547c3 with 45/70 detections is likely the primary Infostealer or RAT used to harvest the credentials for these GKG accounts.",
          "modified": "2026-04-01T00:44:45.494000",
          "created": "2026-02-24T13:16:37.558000",
          "tags": [
            "algorithm",
            "key identifier",
            "x509v3 subject",
            "v3 serial",
            "number",
            "cbe oglobalsign",
            "r6 alphassl",
            "validity",
            "subject public",
            "key info"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 356,
            "FileHash-SHA1": 126,
            "FileHash-SHA256": 615,
            "URL": 266,
            "hostname": 187,
            "FileHash-MD5": 108,
            "email": 14,
            "CIDR": 2,
            "CVE": 15
          },
          "indicator_count": 1689,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "61 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a2de24c6eab1fb7ab42f6f",
          "name": "ARPA LB Pulses",
          "description": "A full list of key words and phrases: \"Dulcetoj\", \"dumsticks\", 'cheapperfume' and \"hyfnrsx1\", as compiled by BBC News",
          "modified": "2026-04-01T00:44:45.494000",
          "created": "2026-02-28T12:23:00.023000",
          "tags": [
            "type indicator",
            "role title",
            "added active",
            "related pulses"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 324,
            "hostname": 63,
            "URL": 189,
            "email": 10,
            "FileHash-SHA1": 8,
            "FileHash-SHA256": 4,
            "CIDR": 3,
            "FileHash-MD5": 4,
            "CVE": 1
          },
          "indicator_count": 606,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "61 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Mirai"
          ],
          "industries": [],
          "unique_indicators": 3537
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/arin.net",
    "whois": "http://whois.domaintools.com/arin.net",
    "domain": "arin.net",
    "hostname": "whois.arin.net"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "69f2e790b5ca86510c384c2c",
      "name": "14.5k win[exe] comm, 14 ref, 89hxTrojans with ARINOPS -199.",
      "description": "[The following has been published on the website of the International Organization for the Prevention of Electronic Illness (IOC), which is based in the United States, and is subject to a security rev]\nCertificate before 8/20 expired. Client lost access to phone Aug 22-Sept 15 no reason given. Clients ADT alarm went of wehn sectigo cert expired Sept 8. Client went into Apple man in suit \"unlocked phone\" Sept 15. Was this a jailbreak?",
      "modified": "2026-05-30T05:18:49.034000",
      "created": "2026-04-30T05:24:32.866000",
      "tags": [
        "win32",
        "trojan",
        "united",
        "as393225",
        "mtb may",
        "mtb mar",
        "passive dns",
        "ip address",
        "backdoor",
        "mtb apr",
        "url analysis",
        "level",
        "title",
        "mirai",
        "orgtechhandle",
        "arin operations",
        "orgnochandle",
        "kassim",
        "oneill",
        "michael j",
        "nethandle",
        "net199",
        "net1990000",
        "arinops",
        "address range",
        "cidr",
        "network name",
        "allocation type",
        "whois server",
        "entity arinops",
        "handle",
        "key identifier",
        "x509v3 subject",
        "full name",
        "v3 serial",
        "number",
        "cus odigicert",
        "inc cndigicert",
        "global g2",
        "tls rsa",
        "sha256",
        "date"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 215,
        "FileHash-SHA1": 178,
        "FileHash-SHA256": 594,
        "domain": 12,
        "CIDR": 60,
        "URL": 122,
        "hostname": 72,
        "email": 7,
        "CVE": 1
      },
      "indicator_count": 1261,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "2 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f2e7933eca244995760f32",
      "name": "14.5k win[exe] comm, 14 ref, 89hxTrojans with ARINOPS -199.",
      "description": "[The following has been published on the website of the International Organization for the Prevention of Electronic Illness (IOC), which is based in the United States, and is subject to a security rev]\nCertificate before 8/20 expired. Client lost access to phone Aug 22-Sept 15 no reason given. Clients ADT alarm went of wehn sectigo cert expired Sept 8. Client went into Apple man in suit \"unlocked phone\" Sept 15. Was this a jailbreak?",
      "modified": "2026-05-30T05:18:49.034000",
      "created": "2026-04-30T05:24:35.619000",
      "tags": [
        "win32",
        "trojan",
        "united",
        "as393225",
        "mtb may",
        "mtb mar",
        "passive dns",
        "ip address",
        "backdoor",
        "mtb apr",
        "url analysis",
        "level",
        "title",
        "mirai",
        "orgtechhandle",
        "arin operations",
        "orgnochandle",
        "kassim",
        "oneill",
        "michael j",
        "nethandle",
        "net199",
        "net1990000",
        "arinops",
        "address range",
        "cidr",
        "network name",
        "allocation type",
        "whois server",
        "entity arinops",
        "handle",
        "key identifier",
        "x509v3 subject",
        "full name",
        "v3 serial",
        "number",
        "cus odigicert",
        "inc cndigicert",
        "global g2",
        "tls rsa",
        "sha256",
        "date"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 152,
        "FileHash-SHA1": 153,
        "FileHash-SHA256": 495,
        "domain": 2,
        "CIDR": 1,
        "URL": 70,
        "hostname": 7,
        "email": 5
      },
      "indicator_count": 885,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "2 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69fd9888ba1e4ac37aaefe2d",
      "name": "Dear John.",
      "description": "[ most common type of information on social media is that there is no such thing as an easy-to- find, but that is not the case for a certain type. and it can be difficult to find- this \"Poland\" Ip comes straight back to the US. Ripe to Arin.",
      "modified": "2026-05-08T09:03:50.553000",
      "created": "2026-05-08T08:02:16.991000",
      "tags": [
        "url http",
        "url https",
        "ipv4",
        "cidr",
        "search",
        "type indicator",
        "role title",
        "added active",
        "related pulses"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 4,
        "CIDR": 3,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 25,
        "URL": 22,
        "hostname": 10,
        "domain": 1,
        "CVE": 1
      },
      "indicator_count": 79,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "23 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69fd9888374d9c0890bdba0f",
      "name": "Dear John.",
      "description": "[ most common type of information on social media is that there is no such thing as an easy-to-find, but that is not the case for a certain type. And it can be difficult to find - this \"Poland\" IP comes straight back to the US. RIPE to ARIN.",
      "modified": "2026-05-08T09:03:49.306000",
      "created": "2026-05-08T08:02:16.343000",
      "tags": [
        "url http",
        "url https",
        "ipv4",
        "cidr",
        "search",
        "type indicator",
        "role title",
        "added active",
        "related pulses"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 4,
        "CIDR": 3,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 25,
        "URL": 22,
        "hostname": 10,
        "domain": 1,
        "CVE": 1
      },
      "indicator_count": 79,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "23 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69fd9887f6b182d39b9605fe",
      "name": "Dear John.",
      "description": "[ most common type of information on social media is that there is no such thing as an easy-to-find, but that is not the case for a certain type. And it can be difficult to find - this \"Poland\" IP comes straight back to the US. RIPE to ARIN.",
      "modified": "2026-05-08T08:02:15.797000",
      "created": "2026-05-08T08:02:15.797000",
      "tags": [
        "url http",
        "url https",
        "ipv4",
        "cidr",
        "search",
        "type indicator",
        "role title",
        "added active",
        "related pulses"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 4,
        "CIDR": 3,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 25,
        "URL": 22,
        "hostname": 10,
        "domain": 1
      },
      "indicator_count": 78,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "23 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69fd8fcf280068179ca6d174",
      "name": "Over 1 Million Comm. Files. 158 referring malic tagged.",
      "description": "0befb3ee094b270c981816a69da00a000572f38d71772578cd7e2001d, as part of a series of events.\nacroipm2.adobe.[com]\nadobe.[com]",
      "modified": "2026-05-08T07:59:04.198000",
      "created": "2026-05-08T07:25:03.312000",
      "tags": [
        "win32 dll",
        "win32 exe",
        "com laude",
        "readermessages",
        "microsoft",
        "ltd dba",
        "nomiq",
        "network capture",
        "text",
        "gzip",
        "first",
        "thumbprint",
        "code",
        "email",
        "san jose",
        "server",
        "registrar abuse",
        "admin country",
        "expiration date",
        "registry domain",
        "registrar iana",
        "date",
        "iana id",
        "contact phone",
        "dnssec",
        "domain status",
        "registrar url",
        "registrar whois",
        "cname",
        "aaaa",
        "ttl value",
        "key identifier",
        "full name",
        "v3 serial",
        "number",
        "cus odigicert",
        "inc cndigicert",
        "global g3",
        "tls ecc",
        "sha384",
        "ca1 validity",
        "info",
        "domain",
        "expiry date",
        "united",
        "update date"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 145,
        "FileHash-SHA1": 159,
        "FileHash-SHA256": 546,
        "IPv4": 314,
        "URL": 164,
        "domain": 52,
        "hostname": 210,
        "email": 6,
        "IPv6": 2,
        "CIDR": 6
      },
      "indicator_count": 1604,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "23 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "699da4b51b83807ed9e7442e",
      "name": "GKG.NET + Verizon Infrastructure-  Potential Domain Compromise & Financial Fraud Campaign",
      "description": "Verizon Domain Resolves Here. Financial Concern: CCV checker v1.0 by kid1232.exe (14/72) is a specialized tool for validating stolen credit cards. Its presence is an interesting finding.\nInfrastructure Targeting: The files Master Domain Database (2).xlsx and Accredited-Registrars-202602220056.csv suggest the actor is collecting data on registrars to facilitate Supply Chain Attacks or large-scale domain thefts.\nActive Compromise: The PDF metrosanantonioliving.com DNS Zones and the FireShot screenshot of GKG's DNS configuration page are direct evidence of a \"live\" account takeover or unauthorized configuration of a victim's domain.\nThe Heavy Hitter: The Win32 EXE ending in ...13547c3 with 45/70 detections is likely the primary Infostealer or RAT used to harvest the credentials for these GKG accounts.",
      "modified": "2026-04-01T00:44:45.494000",
      "created": "2026-02-24T13:16:37.558000",
      "tags": [
        "algorithm",
        "key identifier",
        "x509v3 subject",
        "v3 serial",
        "number",
        "cbe oglobalsign",
        "r6 alphassl",
        "validity",
        "subject public",
        "key info"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 356,
        "FileHash-SHA1": 126,
        "FileHash-SHA256": 615,
        "URL": 266,
        "hostname": 187,
        "FileHash-MD5": 108,
        "email": 14,
        "CIDR": 2,
        "CVE": 15
      },
      "indicator_count": 1689,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "61 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69a2de24c6eab1fb7ab42f6f",
      "name": "ARPA LB Pulses",
      "description": "A full list of key words and phrases: \"Dulcetoj\", \"dumsticks\", 'cheapperfume' and \"hyfnrsx1\", as compiled by BBC News",
      "modified": "2026-04-01T00:44:45.494000",
      "created": "2026-02-28T12:23:00.023000",
      "tags": [
        "type indicator",
        "role title",
        "added active",
        "related pulses"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 324,
        "hostname": 63,
        "URL": 189,
        "email": 10,
        "FileHash-SHA1": 8,
        "FileHash-SHA256": 4,
        "CIDR": 3,
        "FileHash-MD5": 4,
        "CVE": 1
      },
      "indicator_count": 606,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "61 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://whois.arin.net/ui/",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://whois.arin.net/ui/",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780297034.8242123
}