{
  "type": "URL",
  "indicator": "https://wordpress.org/plugins/mailchimp-for-wp/",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://wordpress.org/plugins/mailchimp-for-wp/",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "alexa",
        "message": "Alexa rank: #272",
        "name": "Listed on Alexa"
      },
      {
        "source": "akamai",
        "message": "Akamai rank: #6760",
        "name": "Akamai Popular Domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain wordpress.org",
        "name": "Whitelisted domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain wordpress.org",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 3850586765,
      "indicator": "https://wordpress.org/plugins/mailchimp-for-wp/",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 6,
      "pulses": [
        {
          "id": "69cf54dc2c334d92d90ad45b",
          "name": "University of Alberta - Active Exploits in the Wild",
          "description": "These are active exploits currently being used in the wild by multiple threat actors (TAs).\nThe report was presented to dosdean & CISO (\"No Problems\").\nThe report was presented to AlbertaNDP Nenshi (similar infrastructure) of Gov. Alberta",
          "modified": "2026-04-03T06:02:28.790000",
          "created": "2026-04-03T05:49:13.607000",
          "tags": [
            "http security",
            "source",
            "detection",
            "informational",
            "vulnerable url",
            "checks",
            "http missing",
            "ssltls",
            "n description",
            "ssl certificate",
            "score",
            "impact",
            "apache",
            "speed",
            "test",
            "form",
            "find",
            "coldfusion",
            "unknown",
            "malware",
            "false",
            "encrypt",
            "critical",
            "bypass",
            "generator",
            "project"
          ],
          "references": [
            "https://app.threat.zone/submission/15cdf13c-df91-427a-bef3-e58bc78e5d06/overview",
            "https://pastebin.com/fqfVmTSv",
            "https://pastes.io/3XO0mF9Q",
            "https://www.virustotal.com/gui/file/a3e43f4f6f2597a450677bcd6833e4ef0015ceb7c9110d9bacc73ac12d8e4d0d/detection",
            "https://www.filescan.io/uploads/69cf553c2346b9da57bab574/reports/94ee293e-60a9-4d72-9f74-ec3157c5c26b/ioc",
            "https://traceix.com/search?sha256=a3e43f4f6f2597a450677bcd6833e4ef0015ceb7c9110d9bacc73ac12d8e4d0d&wait=1&tab=capa",
            "https://polyswarm.network/scan/results/file/a3e43f4f6f2597a450677bcd6833e4ef0015ceb7c9110d9bacc73ac12d8e4d0d",
            "https://metadefender.com/results/file/bzI2MDQwMzJNaU1Wd1k1RVJYcUpBeW5NMWpl",
            "https://opentip.kaspersky.com/A3E43F4F6F2597A450677BCD6833E4EF0015CEB7C9110D9BACC73AC12D8E4D0D/results?tab=upload"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "UCP_GoA23",
            "id": "382539",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2510,
            "CVE": 31,
            "FileHash-MD5": 1,
            "domain": 29,
            "email": 1,
            "hostname": 541
          },
          "indicator_count": 3113,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 17,
          "modified_text": "16 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cf54e17e5745f45ea8a996",
          "name": "University of Alberta - Active Exploits in the Wild",
          "description": "These are active exploits currently being used in the wild by multiple threat actors (TAs).\nThe report was presented to dosdean & CISO (\"No Problems\").\nThe report was presented to AlbertaNDP Nenshi (similar infrastructure) of Gov. Alberta",
          "modified": "2026-04-03T05:49:17.778000",
          "created": "2026-04-03T05:49:17.778000",
          "tags": [
            "http security",
            "source",
            "detection",
            "informational",
            "vulnerable url",
            "checks",
            "http missing",
            "ssltls",
            "n description",
            "ssl certificate",
            "score",
            "impact",
            "apache",
            "speed",
            "test",
            "form",
            "find",
            "coldfusion",
            "unknown",
            "malware",
            "false",
            "encrypt",
            "critical",
            "bypass",
            "generator",
            "project"
          ],
          "references": [
            "https://app.threat.zone/submission/15cdf13c-df91-427a-bef3-e58bc78e5d06/overview",
            "https://pastebin.com/fqfVmTSv",
            "https://pastes.io/3XO0mF9Q"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "UCP_GoA23",
            "id": "382539",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2510,
            "CVE": 31,
            "FileHash-MD5": 1,
            "domain": 29,
            "email": 1,
            "hostname": 541
          },
          "indicator_count": 3113,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 18,
          "modified_text": "16 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65e77c7c488546842f94848c",
          "name": "Injection \u2022 FormBook",
          "description": "Insane",
          "modified": "2024-04-04T19:04:12.599000",
          "created": "2024-03-05T20:11:40.389000",
          "tags": [
            "ssl certificate",
            "whois record",
            "execution",
            "march",
            "historical ssl",
            "threat roundup",
            "contacted",
            "referrer",
            "resolutions",
            "siblings domain",
            "malicious",
            "malware",
            "metro",
            "whois whois",
            "hackers utilize",
            "contacted urls",
            "lowfi",
            "date hash",
            "avast avg",
            "msdefender feb",
            "vendor finding",
            "notes avast",
            "win32",
            "ms defender",
            "trojanspy",
            "files matching",
            "number",
            "sample analysis",
            "copy",
            "hide samples",
            "as133618",
            "trojan",
            "passive dns",
            "ransom",
            "entries",
            "scan endpoints",
            "all octoseek",
            "ipv4",
            "pulse pulses",
            "encrypt",
            "virtool",
            "body",
            "click",
            "date",
            "artro",
            "script urls",
            "asnone united",
            "unknown",
            "as2635",
            "united",
            "search",
            "showing",
            "title",
            "moved",
            "script domains",
            "bypass",
            "tools",
            "meta",
            "cookie",
            "next",
            "urls",
            "address",
            "creation date",
            "dnssec",
            "protect",
            "threat",
            "paste",
            "iocs",
            "urls http",
            "xfbml1",
            "t1676916559",
            "ucddaocjgah",
            "rhttps",
            "hostname",
            "virgin islands",
            "cname",
            "as47846",
            "germany unknown",
            "as44273 host",
            "as45638",
            "pty ltd",
            "name servers",
            "hostnames",
            "urls https",
            "cryp",
            "bq apr",
            "servers",
            "pulse submit",
            "url analysis",
            "files",
            "ip address",
            "domain",
            "emails",
            "expiration date",
            "canada unknown",
            "dynamicloader",
            "yara rule",
            "high",
            "medium",
            "formbook cnc",
            "checkin",
            "cape",
            "formbook",
            "windows",
            "rc2i",
            "powershell",
            "write",
            "mccormick",
            "photos",
            "design og",
            "html info",
            "title works",
            "design meta",
            "tags og",
            "wordpress",
            "woocommerce",
            "design trackers",
            "status",
            "as131316 slnet",
            "as14061",
            "win32upatre mar",
            "win32imali mar",
            "injection",
            "http response",
            "final url",
            "serving ip",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "acceptencoding",
            "apache",
            "upgrade",
            "keepalive",
            "show",
            "pe32",
            "intel",
            "ms windows",
            "markus",
            "hallrender",
            "songculture attacked",
            "tsara brashears",
            "scott mccormick",
            "aurora",
            "colorado",
            "rexxfield",
            "m brian sabey",
            "rally",
            "analyze",
            "targeted",
            "nxdomain",
            "as397240",
            "as22612",
            "record value",
            "for privacy",
            "aaaa",
            "alienvault",
            "open threat",
            "hit",
            "men",
            "man",
            "reredrum",
            "monitoring"
          ],
          "references": [
            "https://www.mccormick-designs.com",
            "http://www.sheraises.com/wcur/ [phishing]",
            "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]",
            "72.167.124.187  [phishing]",
            "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109",
            "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net",
            "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV",
            "www.jamesbgriffinlaw.com (toolbox)",
            "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333",
            "nr-data.net [Apple Private Data Collection]",
            "applephonenw.com [governmentattic]",
            "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com",
            "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558",
            "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks",
            "http://mcbut.live (Not present? Absent today - unexcused)",
            "thecomments.app"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Australia",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Win32:Malware-gen",
              "display_name": "Win32:Malware-gen",
              "target": null
            },
            {
              "id": "TrojanSpy:Win32/Nivdort",
              "display_name": "TrojanSpy:Win32/Nivdort",
              "target": "/malware/TrojanSpy:Win32/Nivdort"
            },
            {
              "id": "Artro",
              "display_name": "Artro",
              "target": null
            },
            {
              "id": "Ransom:Win32/Teerac.A",
              "display_name": "Ransom:Win32/Teerac.A",
              "target": "/malware/Ransom:Win32/Teerac.A"
            },
            {
              "id": "Trojan:Win32/Neconyd.A",
              "display_name": "Trojan:Win32/Neconyd.A",
              "target": "/malware/Trojan:Win32/Neconyd.A"
            },
            {
              "id": "VirTool:Win32/Injector.gen!BQ",
              "display_name": "VirTool:Win32/Injector.gen!BQ",
              "target": "/malware/VirTool:Win32/Injector.gen!BQ"
            },
            {
              "id": "TrojanDownloader:Win32/Upatre.O",
              "display_name": "TrojanDownloader:Win32/Upatre.O",
              "target": "/malware/TrojanDownloader:Win32/Upatre.O"
            },
            {
              "id": "TrojanDownloader:Win32/Upatre",
              "display_name": "TrojanDownloader:Win32/Upatre",
              "target": "/malware/TrojanDownloader:Win32/Upatre"
            },
            {
              "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn",
              "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/AirInstaller.B",
              "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B",
              "target": null
            },
            {
              "id": "Win.Trojan",
              "display_name": "Win.Trojan",
              "target": null
            },
            {
              "id": "Win.Trojan.Zbot-64721",
              "display_name": "Win.Trojan.Zbot-64721",
              "target": null
            },
            {
              "id": "Win.Dropper.Remcos-9970861-0",
              "display_name": "Win.Dropper.Remcos-9970861-0",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:PUA:Win32/Imali",
              "display_name": "ALF:HeraklezEval:PUA:Win32/Imali",
              "target": null
            },
            {
              "id": "Win.Trojan.NSIS-41",
              "display_name": "Win.Trojan.NSIS-41",
              "target": null
            },
            {
              "id": "Win.Trojan.Airinstall-1",
              "display_name": "Win.Trojan.Airinstall-1",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1547.006",
              "name": "Kernel Modules and Extensions",
              "display_name": "T1547.006 - Kernel Modules and Extensions"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1439",
              "name": "Eavesdrop on Insecure Network Communication",
              "display_name": "T1439 - Eavesdrop on Insecure Network Communication"
            },
            {
              "id": "T1029",
              "name": "Scheduled Transfer",
              "display_name": "T1029 - Scheduled Transfer"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1098",
              "name": "Account Manipulation",
              "display_name": "T1098 - Account Manipulation"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 66,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4708,
            "hostname": 1810,
            "FileHash-MD5": 254,
            "FileHash-SHA1": 213,
            "FileHash-SHA256": 1631,
            "domain": 2741,
            "CVE": 3,
            "email": 11
          },
          "indicator_count": 11371,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 218,
          "modified_text": "744 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65e7832f3d5621ae81a5c4c2",
          "name": "Injection \u2022 FormBook ",
          "description": "",
          "modified": "2024-04-04T19:04:12.599000",
          "created": "2024-03-05T20:40:15.678000",
          "tags": [
            "ssl certificate",
            "whois record",
            "execution",
            "march",
            "historical ssl",
            "threat roundup",
            "contacted",
            "referrer",
            "resolutions",
            "siblings domain",
            "malicious",
            "malware",
            "metro",
            "whois whois",
            "hackers utilize",
            "contacted urls",
            "lowfi",
            "date hash",
            "avast avg",
            "msdefender feb",
            "vendor finding",
            "notes avast",
            "win32",
            "ms defender",
            "trojanspy",
            "files matching",
            "number",
            "sample analysis",
            "copy",
            "hide samples",
            "as133618",
            "trojan",
            "passive dns",
            "ransom",
            "entries",
            "scan endpoints",
            "all octoseek",
            "ipv4",
            "pulse pulses",
            "encrypt",
            "virtool",
            "body",
            "click",
            "date",
            "artro",
            "script urls",
            "asnone united",
            "unknown",
            "as2635",
            "united",
            "search",
            "showing",
            "title",
            "moved",
            "script domains",
            "bypass",
            "tools",
            "meta",
            "cookie",
            "next",
            "urls",
            "address",
            "creation date",
            "dnssec",
            "protect",
            "threat",
            "paste",
            "iocs",
            "urls http",
            "xfbml1",
            "t1676916559",
            "ucddaocjgah",
            "rhttps",
            "hostname",
            "virgin islands",
            "cname",
            "as47846",
            "germany unknown",
            "as44273 host",
            "as45638",
            "pty ltd",
            "name servers",
            "hostnames",
            "urls https",
            "cryp",
            "bq apr",
            "servers",
            "pulse submit",
            "url analysis",
            "files",
            "ip address",
            "domain",
            "emails",
            "expiration date",
            "canada unknown",
            "dynamicloader",
            "yara rule",
            "high",
            "medium",
            "formbook cnc",
            "checkin",
            "cape",
            "formbook",
            "windows",
            "rc2i",
            "powershell",
            "write",
            "mccormick",
            "photos",
            "design og",
            "html info",
            "title works",
            "design meta",
            "tags og",
            "wordpress",
            "woocommerce",
            "design trackers",
            "status",
            "as131316 slnet",
            "as14061",
            "win32upatre mar",
            "win32imali mar",
            "injection",
            "http response",
            "final url",
            "serving ip",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "acceptencoding",
            "apache",
            "upgrade",
            "keepalive",
            "show",
            "pe32",
            "intel",
            "ms windows",
            "markus",
            "hallrender",
            "songculture attacked",
            "tsara brashears",
            "scott mccormick",
            "aurora",
            "colorado",
            "rexxfield",
            "m brian sabey",
            "rally",
            "analyze",
            "targeted",
            "nxdomain",
            "as397240",
            "as22612",
            "record value",
            "for privacy",
            "aaaa",
            "alienvault",
            "open threat",
            "hit",
            "men",
            "man",
            "reredrum",
            "monitoring"
          ],
          "references": [
            "https://www.mccormick-designs.com",
            "http://www.sheraises.com/wcur/ [phishing]",
            "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]",
            "72.167.124.187  [phishing]",
            "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109",
            "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net",
            "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV",
            "www.jamesbgriffinlaw.com (toolbox)",
            "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333",
            "nr-data.net [Apple Private Data Collection]",
            "applephonenw.com [governmentattic]",
            "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com",
            "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558",
            "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks",
            "http://mcbut.live (Not present? Absent today - unexcused)",
            "thecomments.app"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Australia",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Win32:Malware-gen",
              "display_name": "Win32:Malware-gen",
              "target": null
            },
            {
              "id": "TrojanSpy:Win32/Nivdort",
              "display_name": "TrojanSpy:Win32/Nivdort",
              "target": "/malware/TrojanSpy:Win32/Nivdort"
            },
            {
              "id": "Artro",
              "display_name": "Artro",
              "target": null
            },
            {
              "id": "Ransom:Win32/Teerac.A",
              "display_name": "Ransom:Win32/Teerac.A",
              "target": "/malware/Ransom:Win32/Teerac.A"
            },
            {
              "id": "Trojan:Win32/Neconyd.A",
              "display_name": "Trojan:Win32/Neconyd.A",
              "target": "/malware/Trojan:Win32/Neconyd.A"
            },
            {
              "id": "VirTool:Win32/Injector.gen!BQ",
              "display_name": "VirTool:Win32/Injector.gen!BQ",
              "target": "/malware/VirTool:Win32/Injector.gen!BQ"
            },
            {
              "id": "TrojanDownloader:Win32/Upatre.O",
              "display_name": "TrojanDownloader:Win32/Upatre.O",
              "target": "/malware/TrojanDownloader:Win32/Upatre.O"
            },
            {
              "id": "TrojanDownloader:Win32/Upatre",
              "display_name": "TrojanDownloader:Win32/Upatre",
              "target": "/malware/TrojanDownloader:Win32/Upatre"
            },
            {
              "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn",
              "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/AirInstaller.B",
              "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B",
              "target": null
            },
            {
              "id": "Win.Trojan",
              "display_name": "Win.Trojan",
              "target": null
            },
            {
              "id": "Win.Trojan.Zbot-64721",
              "display_name": "Win.Trojan.Zbot-64721",
              "target": null
            },
            {
              "id": "Win.Dropper.Remcos-9970861-0",
              "display_name": "Win.Dropper.Remcos-9970861-0",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:PUA:Win32/Imali",
              "display_name": "ALF:HeraklezEval:PUA:Win32/Imali",
              "target": null
            },
            {
              "id": "Win.Trojan.NSIS-41",
              "display_name": "Win.Trojan.NSIS-41",
              "target": null
            },
            {
              "id": "Win.Trojan.Airinstall-1",
              "display_name": "Win.Trojan.Airinstall-1",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1547.006",
              "name": "Kernel Modules and Extensions",
              "display_name": "T1547.006 - Kernel Modules and Extensions"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1439",
              "name": "Eavesdrop on Insecure Network Communication",
              "display_name": "T1439 - Eavesdrop on Insecure Network Communication"
            },
            {
              "id": "T1029",
              "name": "Scheduled Transfer",
              "display_name": "T1029 - Scheduled Transfer"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1098",
              "name": "Account Manipulation",
              "display_name": "T1098 - Account Manipulation"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65e77c7c488546842f94848c",
          "export_count": 63,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4708,
            "hostname": 1810,
            "FileHash-MD5": 254,
            "FileHash-SHA1": 213,
            "FileHash-SHA256": 1631,
            "domain": 2741,
            "CVE": 3,
            "email": 11
          },
          "indicator_count": 11371,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "744 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65ea63bd597387fdaccd36bd",
          "name": "Injection \u2022 FormBook",
          "description": "",
          "modified": "2024-04-04T19:04:12.599000",
          "created": "2024-03-08T01:02:53.039000",
          "tags": [
            "ssl certificate",
            "whois record",
            "execution",
            "march",
            "historical ssl",
            "threat roundup",
            "contacted",
            "referrer",
            "resolutions",
            "siblings domain",
            "malicious",
            "malware",
            "metro",
            "whois whois",
            "hackers utilize",
            "contacted urls",
            "lowfi",
            "date hash",
            "avast avg",
            "msdefender feb",
            "vendor finding",
            "notes avast",
            "win32",
            "ms defender",
            "trojanspy",
            "files matching",
            "number",
            "sample analysis",
            "copy",
            "hide samples",
            "as133618",
            "trojan",
            "passive dns",
            "ransom",
            "entries",
            "scan endpoints",
            "all octoseek",
            "ipv4",
            "pulse pulses",
            "encrypt",
            "virtool",
            "body",
            "click",
            "date",
            "artro",
            "script urls",
            "asnone united",
            "unknown",
            "as2635",
            "united",
            "search",
            "showing",
            "title",
            "moved",
            "script domains",
            "bypass",
            "tools",
            "meta",
            "cookie",
            "next",
            "urls",
            "address",
            "creation date",
            "dnssec",
            "protect",
            "threat",
            "paste",
            "iocs",
            "urls http",
            "xfbml1",
            "t1676916559",
            "ucddaocjgah",
            "rhttps",
            "hostname",
            "virgin islands",
            "cname",
            "as47846",
            "germany unknown",
            "as44273 host",
            "as45638",
            "pty ltd",
            "name servers",
            "hostnames",
            "urls https",
            "cryp",
            "bq apr",
            "servers",
            "pulse submit",
            "url analysis",
            "files",
            "ip address",
            "domain",
            "emails",
            "expiration date",
            "canada unknown",
            "dynamicloader",
            "yara rule",
            "high",
            "medium",
            "formbook cnc",
            "checkin",
            "cape",
            "formbook",
            "windows",
            "rc2i",
            "powershell",
            "write",
            "mccormick",
            "photos",
            "design og",
            "html info",
            "title works",
            "design meta",
            "tags og",
            "wordpress",
            "woocommerce",
            "design trackers",
            "status",
            "as131316 slnet",
            "as14061",
            "win32upatre mar",
            "win32imali mar",
            "injection",
            "http response",
            "final url",
            "serving ip",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "acceptencoding",
            "apache",
            "upgrade",
            "keepalive",
            "show",
            "pe32",
            "intel",
            "ms windows",
            "markus",
            "hallrender",
            "songculture attacked",
            "tsara brashears",
            "scott mccormick",
            "aurora",
            "colorado",
            "rexxfield",
            "m brian sabey",
            "rally",
            "analyze",
            "targeted",
            "nxdomain",
            "as397240",
            "as22612",
            "record value",
            "for privacy",
            "aaaa",
            "alienvault",
            "open threat",
            "hit",
            "men",
            "man",
            "reredrum",
            "monitoring"
          ],
          "references": [
            "https://www.mccormick-designs.com",
            "http://www.sheraises.com/wcur/ [phishing]",
            "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]",
            "72.167.124.187  [phishing]",
            "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109",
            "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net",
            "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV",
            "www.jamesbgriffinlaw.com (toolbox)",
            "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333",
            "nr-data.net [Apple Private Data Collection]",
            "applephonenw.com [governmentattic]",
            "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com",
            "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558",
            "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks",
            "http://mcbut.live (Not present? Absent today - unexcused)",
            "thecomments.app"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Australia",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Win32:Malware-gen",
              "display_name": "Win32:Malware-gen",
              "target": null
            },
            {
              "id": "TrojanSpy:Win32/Nivdort",
              "display_name": "TrojanSpy:Win32/Nivdort",
              "target": "/malware/TrojanSpy:Win32/Nivdort"
            },
            {
              "id": "Artro",
              "display_name": "Artro",
              "target": null
            },
            {
              "id": "Ransom:Win32/Teerac.A",
              "display_name": "Ransom:Win32/Teerac.A",
              "target": "/malware/Ransom:Win32/Teerac.A"
            },
            {
              "id": "Trojan:Win32/Neconyd.A",
              "display_name": "Trojan:Win32/Neconyd.A",
              "target": "/malware/Trojan:Win32/Neconyd.A"
            },
            {
              "id": "VirTool:Win32/Injector.gen!BQ",
              "display_name": "VirTool:Win32/Injector.gen!BQ",
              "target": "/malware/VirTool:Win32/Injector.gen!BQ"
            },
            {
              "id": "TrojanDownloader:Win32/Upatre.O",
              "display_name": "TrojanDownloader:Win32/Upatre.O",
              "target": "/malware/TrojanDownloader:Win32/Upatre.O"
            },
            {
              "id": "TrojanDownloader:Win32/Upatre",
              "display_name": "TrojanDownloader:Win32/Upatre",
              "target": "/malware/TrojanDownloader:Win32/Upatre"
            },
            {
              "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn",
              "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/AirInstaller.B",
              "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B",
              "target": null
            },
            {
              "id": "Win.Trojan",
              "display_name": "Win.Trojan",
              "target": null
            },
            {
              "id": "Win.Trojan.Zbot-64721",
              "display_name": "Win.Trojan.Zbot-64721",
              "target": null
            },
            {
              "id": "Win.Dropper.Remcos-9970861-0",
              "display_name": "Win.Dropper.Remcos-9970861-0",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:PUA:Win32/Imali",
              "display_name": "ALF:HeraklezEval:PUA:Win32/Imali",
              "target": null
            },
            {
              "id": "Win.Trojan.NSIS-41",
              "display_name": "Win.Trojan.NSIS-41",
              "target": null
            },
            {
              "id": "Win.Trojan.Airinstall-1",
              "display_name": "Win.Trojan.Airinstall-1",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1547.006",
              "name": "Kernel Modules and Extensions",
              "display_name": "T1547.006 - Kernel Modules and Extensions"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1439",
              "name": "Eavesdrop on Insecure Network Communication",
              "display_name": "T1439 - Eavesdrop on Insecure Network Communication"
            },
            {
              "id": "T1029",
              "name": "Scheduled Transfer",
              "display_name": "T1029 - Scheduled Transfer"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1098",
              "name": "Account Manipulation",
              "display_name": "T1098 - Account Manipulation"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65e77c7c488546842f94848c",
          "export_count": 60,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4708,
            "hostname": 1810,
            "FileHash-MD5": 254,
            "FileHash-SHA1": 213,
            "FileHash-SHA256": 1631,
            "domain": 2741,
            "CVE": 3,
            "email": 11
          },
          "indicator_count": 11371,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "744 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65eba0786d5bbd4f31a60c17",
          "name": "Injection \u2022 FormBook",
          "description": "",
          "modified": "2024-04-04T19:04:12.599000",
          "created": "2024-03-08T23:34:16.648000",
          "tags": [
            "ssl certificate",
            "whois record",
            "execution",
            "march",
            "historical ssl",
            "threat roundup",
            "contacted",
            "referrer",
            "resolutions",
            "siblings domain",
            "malicious",
            "malware",
            "metro",
            "whois whois",
            "hackers utilize",
            "contacted urls",
            "lowfi",
            "date hash",
            "avast avg",
            "msdefender feb",
            "vendor finding",
            "notes avast",
            "win32",
            "ms defender",
            "trojanspy",
            "files matching",
            "number",
            "sample analysis",
            "copy",
            "hide samples",
            "as133618",
            "trojan",
            "passive dns",
            "ransom",
            "entries",
            "scan endpoints",
            "all octoseek",
            "ipv4",
            "pulse pulses",
            "encrypt",
            "virtool",
            "body",
            "click",
            "date",
            "artro",
            "script urls",
            "asnone united",
            "unknown",
            "as2635",
            "united",
            "search",
            "showing",
            "title",
            "moved",
            "script domains",
            "bypass",
            "tools",
            "meta",
            "cookie",
            "next",
            "urls",
            "address",
            "creation date",
            "dnssec",
            "protect",
            "threat",
            "paste",
            "iocs",
            "urls http",
            "xfbml1",
            "t1676916559",
            "ucddaocjgah",
            "rhttps",
            "hostname",
            "virgin islands",
            "cname",
            "as47846",
            "germany unknown",
            "as44273 host",
            "as45638",
            "pty ltd",
            "name servers",
            "hostnames",
            "urls https",
            "cryp",
            "bq apr",
            "servers",
            "pulse submit",
            "url analysis",
            "files",
            "ip address",
            "domain",
            "emails",
            "expiration date",
            "canada unknown",
            "dynamicloader",
            "yara rule",
            "high",
            "medium",
            "formbook cnc",
            "checkin",
            "cape",
            "formbook",
            "windows",
            "rc2i",
            "powershell",
            "write",
            "mccormick",
            "photos",
            "design og",
            "html info",
            "title works",
            "design meta",
            "tags og",
            "wordpress",
            "woocommerce",
            "design trackers",
            "status",
            "as131316 slnet",
            "as14061",
            "win32upatre mar",
            "win32imali mar",
            "injection",
            "http response",
            "final url",
            "serving ip",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "acceptencoding",
            "apache",
            "upgrade",
            "keepalive",
            "show",
            "pe32",
            "intel",
            "ms windows",
            "markus",
            "hallrender",
            "songculture attacked",
            "tsara brashears",
            "scott mccormick",
            "aurora",
            "colorado",
            "rexxfield",
            "m brian sabey",
            "rally",
            "analyze",
            "targeted",
            "nxdomain",
            "as397240",
            "as22612",
            "record value",
            "for privacy",
            "aaaa",
            "alienvault",
            "open threat",
            "hit",
            "men",
            "man",
            "reredrum",
            "monitoring"
          ],
          "references": [
            "https://www.mccormick-designs.com",
            "http://www.sheraises.com/wcur/ [phishing]",
            "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]",
            "72.167.124.187  [phishing]",
            "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109",
            "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net",
            "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV",
            "www.jamesbgriffinlaw.com (toolbox)",
            "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333",
            "nr-data.net [Apple Private Data Collection]",
            "applephonenw.com [governmentattic]",
            "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com",
            "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558",
            "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks",
            "http://mcbut.live (Not present? Absent today - unexcused)",
            "thecomments.app"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Australia",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Win32:Malware-gen",
              "display_name": "Win32:Malware-gen",
              "target": null
            },
            {
              "id": "TrojanSpy:Win32/Nivdort",
              "display_name": "TrojanSpy:Win32/Nivdort",
              "target": "/malware/TrojanSpy:Win32/Nivdort"
            },
            {
              "id": "Artro",
              "display_name": "Artro",
              "target": null
            },
            {
              "id": "Ransom:Win32/Teerac.A",
              "display_name": "Ransom:Win32/Teerac.A",
              "target": "/malware/Ransom:Win32/Teerac.A"
            },
            {
              "id": "Trojan:Win32/Neconyd.A",
              "display_name": "Trojan:Win32/Neconyd.A",
              "target": "/malware/Trojan:Win32/Neconyd.A"
            },
            {
              "id": "VirTool:Win32/Injector.gen!BQ",
              "display_name": "VirTool:Win32/Injector.gen!BQ",
              "target": "/malware/VirTool:Win32/Injector.gen!BQ"
            },
            {
              "id": "TrojanDownloader:Win32/Upatre.O",
              "display_name": "TrojanDownloader:Win32/Upatre.O",
              "target": "/malware/TrojanDownloader:Win32/Upatre.O"
            },
            {
              "id": "TrojanDownloader:Win32/Upatre",
              "display_name": "TrojanDownloader:Win32/Upatre",
              "target": "/malware/TrojanDownloader:Win32/Upatre"
            },
            {
              "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn",
              "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/AirInstaller.B",
              "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B",
              "target": null
            },
            {
              "id": "Win.Trojan",
              "display_name": "Win.Trojan",
              "target": null
            },
            {
              "id": "Win.Trojan.Zbot-64721",
              "display_name": "Win.Trojan.Zbot-64721",
              "target": null
            },
            {
              "id": "Win.Dropper.Remcos-9970861-0",
              "display_name": "Win.Dropper.Remcos-9970861-0",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:PUA:Win32/Imali",
              "display_name": "ALF:HeraklezEval:PUA:Win32/Imali",
              "target": null
            },
            {
              "id": "Win.Trojan.NSIS-41",
              "display_name": "Win.Trojan.NSIS-41",
              "target": null
            },
            {
              "id": "Win.Trojan.Airinstall-1",
              "display_name": "Win.Trojan.Airinstall-1",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1547.006",
              "name": "Kernel Modules and Extensions",
              "display_name": "T1547.006 - Kernel Modules and Extensions"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1439",
              "name": "Eavesdrop on Insecure Network Communication",
              "display_name": "T1439 - Eavesdrop on Insecure Network Communication"
            },
            {
              "id": "T1029",
              "name": "Scheduled Transfer",
              "display_name": "T1029 - Scheduled Transfer"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1098",
              "name": "Account Manipulation",
              "display_name": "T1098 - Account Manipulation"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65e77c7c488546842f94848c",
          "export_count": 62,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4708,
            "hostname": 1810,
            "FileHash-MD5": 254,
            "FileHash-SHA1": 213,
            "FileHash-SHA256": 1631,
            "domain": 2741,
            "CVE": 3,
            "email": 11
          },
          "indicator_count": 11371,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 226,
          "modified_text": "744 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "nr-data.net [Apple Private Data Collection]",
        "https://www.mccormick-designs.com",
        "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV",
        "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333",
        "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net",
        "www.jamesbgriffinlaw.com (toolbox)",
        "https://www.virustotal.com/gui/file/a3e43f4f6f2597a450677bcd6833e4ef0015ceb7c9110d9bacc73ac12d8e4d0d/detection",
        "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109",
        "https://traceix.com/search?sha256=a3e43f4f6f2597a450677bcd6833e4ef0015ceb7c9110d9bacc73ac12d8e4d0d&wait=1&tab=capa",
        "https://www.filescan.io/uploads/69cf553c2346b9da57bab574/reports/94ee293e-60a9-4d72-9f74-ec3157c5c26b/ioc",
        "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com",
        "https://opentip.kaspersky.com/A3E43F4F6F2597A450677BCD6833E4EF0015CEB7C9110D9BACC73AC12D8E4D0D/results?tab=upload",
        "http://www.sheraises.com/wcur/ [phishing]",
        "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558",
        "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]",
        "thecomments.app",
        "applephonenw.com [governmentattic]",
        "https://polyswarm.network/scan/results/file/a3e43f4f6f2597a450677bcd6833e4ef0015ceb7c9110d9bacc73ac12d8e4d0d",
        "https://pastes.io/3XO0mF9Q",
        "https://pastebin.com/fqfVmTSv",
        "https://app.threat.zone/submission/15cdf13c-df91-427a-bef3-e58bc78e5d06/overview",
        "https://metadefender.com/results/file/bzI2MDQwMzJNaU1Wd1k1RVJYcUpBeW5NMWpl",
        "http://mcbut.live (Not present? Absent today - unexcused)",
        "72.167.124.187  [phishing]",
        "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Artro",
            "Virtool:win32/injector.gen!bq",
            "Win.trojan.nsis-41",
            "Win.trojan.zbot-64721",
            "Win.dropper.remcos-9970861-0",
            "Alf:jasyp:trojandownloader:win32/startpage!atmn",
            "Win32:malware-gen",
            "Trojandownloader:win32/upatre",
            "Trojanspy:win32/nivdort",
            "Ransom:win32/teerac.a",
            "Win.trojan",
            "Trojan:win32/neconyd.a",
            "#lowfi:hstr:win32/airinstaller.b",
            "Trojandownloader:win32/upatre.o",
            "Win.trojan.airinstall-1",
            "Alf:heraklezeval:pua:win32/imali"
          ],
          "industries": [
            "Government",
            "Education"
          ],
          "unique_indicators": 14632
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/wordpress.org",
    "whois": "http://whois.domaintools.com/wordpress.org",
    "domain": "wordpress.org",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 6,
  "pulses": [
    {
      "id": "69cf54dc2c334d92d90ad45b",
      "name": "University of Alberta - Active Exploits in the Wild",
      "description": "These are active exploits currently being used in the wild by multiple threat actors (TAs).\nReport was presented to dosdean & CISO (\"No Problems\").\nReport was presented to AlbertaNDP Nenshi (similar infrastructure) of Gov. Alberta",
      "modified": "2026-04-03T06:02:28.790000",
      "created": "2026-04-03T05:49:13.607000",
      "tags": [
        "http security",
        "source",
        "detection",
        "informational",
        "vulnerable url",
        "checks",
        "http missing",
        "ssltls",
        "n description",
        "ssl certificate",
        "score",
        "impact",
        "apache",
        "speed",
        "test",
        "form",
        "find",
        "coldfusion",
        "unknown",
        "malware",
        "false",
        "encrypt",
        "critical",
        "bypass",
        "generator",
        "project"
      ],
      "references": [
        "https://app.threat.zone/submission/15cdf13c-df91-427a-bef3-e58bc78e5d06/overview",
        "https://pastebin.com/fqfVmTSv",
        "https://pastes.io/3XO0mF9Q",
        "https://www.virustotal.com/gui/file/a3e43f4f6f2597a450677bcd6833e4ef0015ceb7c9110d9bacc73ac12d8e4d0d/detection",
        "https://www.filescan.io/uploads/69cf553c2346b9da57bab574/reports/94ee293e-60a9-4d72-9f74-ec3157c5c26b/ioc",
        "https://traceix.com/search?sha256=a3e43f4f6f2597a450677bcd6833e4ef0015ceb7c9110d9bacc73ac12d8e4d0d&wait=1&tab=capa",
        "https://polyswarm.network/scan/results/file/a3e43f4f6f2597a450677bcd6833e4ef0015ceb7c9110d9bacc73ac12d8e4d0d",
        "https://metadefender.com/results/file/bzI2MDQwMzJNaU1Wd1k1RVJYcUpBeW5NMWpl",
        "https://opentip.kaspersky.com/A3E43F4F6F2597A450677BCD6833E4EF0015CEB7C9110D9BACC73AC12D8E4D0D/results?tab=upload"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "UCP_GoA23",
        "id": "382539",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2510,
        "CVE": 31,
        "FileHash-MD5": 1,
        "domain": 29,
        "email": 1,
        "hostname": 541
      },
      "indicator_count": 3113,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 17,
      "modified_text": "16 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cf54e17e5745f45ea8a996",
      "name": "University of Alberta - Active Exploits in the Wild",
      "description": "These are active exploits currently being used in the wild by multiple threat actors (TAs).\nReport was presented to dosdean & CISO (\"No Problems\").\nReport presented to AlbertaNDP Nenshi (similar infrastructure) of Gov. Alberta",
      "modified": "2026-04-03T05:49:17.778000",
      "created": "2026-04-03T05:49:17.778000",
      "tags": [
        "http security",
        "source",
        "detection",
        "informational",
        "vulnerable url",
        "checks",
        "http missing",
        "ssltls",
        "n description",
        "ssl certificate",
        "score",
        "impact",
        "apache",
        "speed",
        "test",
        "form",
        "find",
        "coldfusion",
        "unknown",
        "malware",
        "false",
        "encrypt",
        "critical",
        "bypass",
        "generator",
        "project"
      ],
      "references": [
        "https://app.threat.zone/submission/15cdf13c-df91-427a-bef3-e58bc78e5d06/overview",
        "https://pastebin.com/fqfVmTSv",
        "https://pastes.io/3XO0mF9Q"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "UCP_GoA23",
        "id": "382539",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2510,
        "CVE": 31,
        "FileHash-MD5": 1,
        "domain": 29,
        "email": 1,
        "hostname": 541
      },
      "indicator_count": 3113,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 18,
      "modified_text": "16 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65e77c7c488546842f94848c",
      "name": "Injection \u2022 FormBook",
      "description": "Insane",
      "modified": "2024-04-04T19:04:12.599000",
      "created": "2024-03-05T20:11:40.389000",
      "tags": [
        "ssl certificate",
        "whois record",
        "execution",
        "march",
        "historical ssl",
        "threat roundup",
        "contacted",
        "referrer",
        "resolutions",
        "siblings domain",
        "malicious",
        "malware",
        "metro",
        "whois whois",
        "hackers utilize",
        "contacted urls",
        "lowfi",
        "date hash",
        "avast avg",
        "msdefender feb",
        "vendor finding",
        "notes avast",
        "win32",
        "ms defender",
        "trojanspy",
        "files matching",
        "number",
        "sample analysis",
        "copy",
        "hide samples",
        "as133618",
        "trojan",
        "passive dns",
        "ransom",
        "entries",
        "scan endpoints",
        "all octoseek",
        "ipv4",
        "pulse pulses",
        "encrypt",
        "virtool",
        "body",
        "click",
        "date",
        "artro",
        "script urls",
        "asnone united",
        "unknown",
        "as2635",
        "united",
        "search",
        "showing",
        "title",
        "moved",
        "script domains",
        "bypass",
        "tools",
        "meta",
        "cookie",
        "next",
        "urls",
        "address",
        "creation date",
        "dnssec",
        "protect",
        "threat",
        "paste",
        "iocs",
        "urls http",
        "xfbml1",
        "t1676916559",
        "ucddaocjgah",
        "rhttps",
        "hostname",
        "virgin islands",
        "cname",
        "as47846",
        "germany unknown",
        "as44273 host",
        "as45638",
        "pty ltd",
        "name servers",
        "hostnames",
        "urls https",
        "cryp",
        "bq apr",
        "servers",
        "pulse submit",
        "url analysis",
        "files",
        "ip address",
        "domain",
        "emails",
        "expiration date",
        "canada unknown",
        "dynamicloader",
        "yara rule",
        "high",
        "medium",
        "formbook cnc",
        "checkin",
        "cape",
        "formbook",
        "windows",
        "rc2i",
        "powershell",
        "write",
        "mccormick",
        "photos",
        "design og",
        "html info",
        "title works",
        "design meta",
        "tags og",
        "wordpress",
        "woocommerce",
        "design trackers",
        "status",
        "as131316 slnet",
        "as14061",
        "win32upatre mar",
        "win32imali mar",
        "injection",
        "http response",
        "final url",
        "serving ip",
        "status code",
        "body length",
        "kb body",
        "sha256",
        "acceptencoding",
        "apache",
        "upgrade",
        "keepalive",
        "show",
        "pe32",
        "intel",
        "ms windows",
        "markus",
        "hallrender",
        "songculture attacked",
        "tsara brashears",
        "scott mccormick",
        "aurora",
        "colorado",
        "rexxfield",
        "m brian sabey",
        "rally",
        "analyze",
        "targeted",
        "nxdomain",
        "as397240",
        "as22612",
        "record value",
        "for privacy",
        "aaaa",
        "alienvault",
        "open threat",
        "hit",
        "men",
        "man",
        "reredrum",
        "monitoring"
      ],
      "references": [
        "https://www.mccormick-designs.com",
        "http://www.sheraises.com/wcur/ [phishing]",
        "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]",
        "72.167.124.187  [phishing]",
        "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109",
        "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net",
        "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV",
        "www.jamesbgriffinlaw.com (toolbox)",
        "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333",
        "nr-data.net [Apple Private Data Collection]",
        "applephonenw.com [governmentattic]",
        "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com",
        "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558",
        "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks",
        "http://mcbut.live (Not present? Absent today - unexcused)",
        "thecomments.app"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Australia",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Win32:Malware-gen",
          "display_name": "Win32:Malware-gen",
          "target": null
        },
        {
          "id": "TrojanSpy:Win32/Nivdort",
          "display_name": "TrojanSpy:Win32/Nivdort",
          "target": "/malware/TrojanSpy:Win32/Nivdort"
        },
        {
          "id": "Artro",
          "display_name": "Artro",
          "target": null
        },
        {
          "id": "Ransom:Win32/Teerac.A",
          "display_name": "Ransom:Win32/Teerac.A",
          "target": "/malware/Ransom:Win32/Teerac.A"
        },
        {
          "id": "Trojan:Win32/Neconyd.A",
          "display_name": "Trojan:Win32/Neconyd.A",
          "target": "/malware/Trojan:Win32/Neconyd.A"
        },
        {
          "id": "VirTool:Win32/Injector.gen!BQ",
          "display_name": "VirTool:Win32/Injector.gen!BQ",
          "target": "/malware/VirTool:Win32/Injector.gen!BQ"
        },
        {
          "id": "TrojanDownloader:Win32/Upatre.O",
          "display_name": "TrojanDownloader:Win32/Upatre.O",
          "target": "/malware/TrojanDownloader:Win32/Upatre.O"
        },
        {
          "id": "TrojanDownloader:Win32/Upatre",
          "display_name": "TrojanDownloader:Win32/Upatre",
          "target": "/malware/TrojanDownloader:Win32/Upatre"
        },
        {
          "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn",
          "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/AirInstaller.B",
          "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B",
          "target": null
        },
        {
          "id": "Win.Trojan",
          "display_name": "Win.Trojan",
          "target": null
        },
        {
          "id": "Win.Trojan.Zbot-64721",
          "display_name": "Win.Trojan.Zbot-64721",
          "target": null
        },
        {
          "id": "Win.Dropper.Remcos-9970861-0",
          "display_name": "Win.Dropper.Remcos-9970861-0",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:PUA:Win32/Imali",
          "display_name": "ALF:HeraklezEval:PUA:Win32/Imali",
          "target": null
        },
        {
          "id": "Win.Trojan.NSIS-41",
          "display_name": "Win.Trojan.NSIS-41",
          "target": null
        },
        {
          "id": "Win.Trojan.Airinstall-1",
          "display_name": "Win.Trojan.Airinstall-1",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1547.006",
          "name": "Kernel Modules and Extensions",
          "display_name": "T1547.006 - Kernel Modules and Extensions"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1598",
          "name": "Phishing for Information",
          "display_name": "T1598 - Phishing for Information"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1439",
          "name": "Eavesdrop on Insecure Network Communication",
          "display_name": "T1439 - Eavesdrop on Insecure Network Communication"
        },
        {
          "id": "T1029",
          "name": "Scheduled Transfer",
          "display_name": "T1029 - Scheduled Transfer"
        },
        {
          "id": "T1158",
          "name": "Hidden Files and Directories",
          "display_name": "T1158 - Hidden Files and Directories"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1098",
          "name": "Account Manipulation",
          "display_name": "T1098 - Account Manipulation"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 66,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4708,
        "hostname": 1810,
        "FileHash-MD5": 254,
        "FileHash-SHA1": 213,
        "FileHash-SHA256": 1631,
        "domain": 2741,
        "CVE": 3,
        "email": 11
      },
      "indicator_count": 11371,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 218,
      "modified_text": "744 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65e7832f3d5621ae81a5c4c2",
      "name": "Injection \u2022 FormBook ",
      "description": "",
      "modified": "2024-04-04T19:04:12.599000",
      "created": "2024-03-05T20:40:15.678000",
      "tags": [
        "ssl certificate",
        "whois record",
        "execution",
        "march",
        "historical ssl",
        "threat roundup",
        "contacted",
        "referrer",
        "resolutions",
        "siblings domain",
        "malicious",
        "malware",
        "metro",
        "whois whois",
        "hackers utilize",
        "contacted urls",
        "lowfi",
        "date hash",
        "avast avg",
        "msdefender feb",
        "vendor finding",
        "notes avast",
        "win32",
        "ms defender",
        "trojanspy",
        "files matching",
        "number",
        "sample analysis",
        "copy",
        "hide samples",
        "as133618",
        "trojan",
        "passive dns",
        "ransom",
        "entries",
        "scan endpoints",
        "all octoseek",
        "ipv4",
        "pulse pulses",
        "encrypt",
        "virtool",
        "body",
        "click",
        "date",
        "artro",
        "script urls",
        "asnone united",
        "unknown",
        "as2635",
        "united",
        "search",
        "showing",
        "title",
        "moved",
        "script domains",
        "bypass",
        "tools",
        "meta",
        "cookie",
        "next",
        "urls",
        "address",
        "creation date",
        "dnssec",
        "protect",
        "threat",
        "paste",
        "iocs",
        "urls http",
        "xfbml1",
        "t1676916559",
        "ucddaocjgah",
        "rhttps",
        "hostname",
        "virgin islands",
        "cname",
        "as47846",
        "germany unknown",
        "as44273 host",
        "as45638",
        "pty ltd",
        "name servers",
        "hostnames",
        "urls https",
        "cryp",
        "bq apr",
        "servers",
        "pulse submit",
        "url analysis",
        "files",
        "ip address",
        "domain",
        "emails",
        "expiration date",
        "canada unknown",
        "dynamicloader",
        "yara rule",
        "high",
        "medium",
        "formbook cnc",
        "checkin",
        "cape",
        "formbook",
        "windows",
        "rc2i",
        "powershell",
        "write",
        "mccormick",
        "photos",
        "design og",
        "html info",
        "title works",
        "design meta",
        "tags og",
        "wordpress",
        "woocommerce",
        "design trackers",
        "status",
        "as131316 slnet",
        "as14061",
        "win32upatre mar",
        "win32imali mar",
        "injection",
        "http response",
        "final url",
        "serving ip",
        "status code",
        "body length",
        "kb body",
        "sha256",
        "acceptencoding",
        "apache",
        "upgrade",
        "keepalive",
        "show",
        "pe32",
        "intel",
        "ms windows",
        "markus",
        "hallrender",
        "songculture attacked",
        "tsara brashears",
        "scott mccormick",
        "aurora",
        "colorado",
        "rexxfield",
        "m brian sabey",
        "rally",
        "analyze",
        "targeted",
        "nxdomain",
        "as397240",
        "as22612",
        "record value",
        "for privacy",
        "aaaa",
        "alienvault",
        "open threat",
        "hit",
        "men",
        "man",
        "reredrum",
        "monitoring"
      ],
      "references": [
        "https://www.mccormick-designs.com",
        "http://www.sheraises.com/wcur/ [phishing]",
        "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]",
        "72.167.124.187  [phishing]",
        "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109",
        "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net",
        "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV",
        "www.jamesbgriffinlaw.com (toolbox)",
        "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333",
        "nr-data.net [Apple Private Data Collection]",
        "applephonenw.com [governmentattic]",
        "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com",
        "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558",
        "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks",
        "http://mcbut.live (Not present? Absent today - unexcused)",
        "thecomments.app"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Australia",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Win32:Malware-gen",
          "display_name": "Win32:Malware-gen",
          "target": null
        },
        {
          "id": "TrojanSpy:Win32/Nivdort",
          "display_name": "TrojanSpy:Win32/Nivdort",
          "target": "/malware/TrojanSpy:Win32/Nivdort"
        },
        {
          "id": "Artro",
          "display_name": "Artro",
          "target": null
        },
        {
          "id": "Ransom:Win32/Teerac.A",
          "display_name": "Ransom:Win32/Teerac.A",
          "target": "/malware/Ransom:Win32/Teerac.A"
        },
        {
          "id": "Trojan:Win32/Neconyd.A",
          "display_name": "Trojan:Win32/Neconyd.A",
          "target": "/malware/Trojan:Win32/Neconyd.A"
        },
        {
          "id": "VirTool:Win32/Injector.gen!BQ",
          "display_name": "VirTool:Win32/Injector.gen!BQ",
          "target": "/malware/VirTool:Win32/Injector.gen!BQ"
        },
        {
          "id": "TrojanDownloader:Win32/Upatre.O",
          "display_name": "TrojanDownloader:Win32/Upatre.O",
          "target": "/malware/TrojanDownloader:Win32/Upatre.O"
        },
        {
          "id": "TrojanDownloader:Win32/Upatre",
          "display_name": "TrojanDownloader:Win32/Upatre",
          "target": "/malware/TrojanDownloader:Win32/Upatre"
        },
        {
          "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn",
          "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/AirInstaller.B",
          "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B",
          "target": null
        },
        {
          "id": "Win.Trojan",
          "display_name": "Win.Trojan",
          "target": null
        },
        {
          "id": "Win.Trojan.Zbot-64721",
          "display_name": "Win.Trojan.Zbot-64721",
          "target": null
        },
        {
          "id": "Win.Dropper.Remcos-9970861-0",
          "display_name": "Win.Dropper.Remcos-9970861-0",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:PUA:Win32/Imali",
          "display_name": "ALF:HeraklezEval:PUA:Win32/Imali",
          "target": null
        },
        {
          "id": "Win.Trojan.NSIS-41",
          "display_name": "Win.Trojan.NSIS-41",
          "target": null
        },
        {
          "id": "Win.Trojan.Airinstall-1",
          "display_name": "Win.Trojan.Airinstall-1",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1547.006",
          "name": "Kernel Modules and Extensions",
          "display_name": "T1547.006 - Kernel Modules and Extensions"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1598",
          "name": "Phishing for Information",
          "display_name": "T1598 - Phishing for Information"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1439",
          "name": "Eavesdrop on Insecure Network Communication",
          "display_name": "T1439 - Eavesdrop on Insecure Network Communication"
        },
        {
          "id": "T1029",
          "name": "Scheduled Transfer",
          "display_name": "T1029 - Scheduled Transfer"
        },
        {
          "id": "T1158",
          "name": "Hidden Files and Directories",
          "display_name": "T1158 - Hidden Files and Directories"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1098",
          "name": "Account Manipulation",
          "display_name": "T1098 - Account Manipulation"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "65e77c7c488546842f94848c",
      "export_count": 63,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4708,
        "hostname": 1810,
        "FileHash-MD5": 254,
        "FileHash-SHA1": 213,
        "FileHash-SHA256": 1631,
        "domain": 2741,
        "CVE": 3,
        "email": 11
      },
      "indicator_count": 11371,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 224,
      "modified_text": "744 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65ea63bd597387fdaccd36bd",
      "name": "Injection \u2022 FormBook",
      "description": "",
      "modified": "2024-04-04T19:04:12.599000",
      "created": "2024-03-08T01:02:53.039000",
      "tags": [
        "ssl certificate",
        "whois record",
        "execution",
        "march",
        "historical ssl",
        "threat roundup",
        "contacted",
        "referrer",
        "resolutions",
        "siblings domain",
        "malicious",
        "malware",
        "metro",
        "whois whois",
        "hackers utilize",
        "contacted urls",
        "lowfi",
        "date hash",
        "avast avg",
        "msdefender feb",
        "vendor finding",
        "notes avast",
        "win32",
        "ms defender",
        "trojanspy",
        "files matching",
        "number",
        "sample analysis",
        "copy",
        "hide samples",
        "as133618",
        "trojan",
        "passive dns",
        "ransom",
        "entries",
        "scan endpoints",
        "all octoseek",
        "ipv4",
        "pulse pulses",
        "encrypt",
        "virtool",
        "body",
        "click",
        "date",
        "artro",
        "script urls",
        "asnone united",
        "unknown",
        "as2635",
        "united",
        "search",
        "showing",
        "title",
        "moved",
        "script domains",
        "bypass",
        "tools",
        "meta",
        "cookie",
        "next",
        "urls",
        "address",
        "creation date",
        "dnssec",
        "protect",
        "threat",
        "paste",
        "iocs",
        "urls http",
        "xfbml1",
        "t1676916559",
        "ucddaocjgah",
        "rhttps",
        "hostname",
        "virgin islands",
        "cname",
        "as47846",
        "germany unknown",
        "as44273 host",
        "as45638",
        "pty ltd",
        "name servers",
        "hostnames",
        "urls https",
        "cryp",
        "bq apr",
        "servers",
        "pulse submit",
        "url analysis",
        "files",
        "ip address",
        "domain",
        "emails",
        "expiration date",
        "canada unknown",
        "dynamicloader",
        "yara rule",
        "high",
        "medium",
        "formbook cnc",
        "checkin",
        "cape",
        "formbook",
        "windows",
        "rc2i",
        "powershell",
        "write",
        "mccormick",
        "photos",
        "design og",
        "html info",
        "title works",
        "design meta",
        "tags og",
        "wordpress",
        "woocommerce",
        "design trackers",
        "status",
        "as131316 slnet",
        "as14061",
        "win32upatre mar",
        "win32imali mar",
        "injection",
        "http response",
        "final url",
        "serving ip",
        "status code",
        "body length",
        "kb body",
        "sha256",
        "acceptencoding",
        "apache",
        "upgrade",
        "keepalive",
        "show",
        "pe32",
        "intel",
        "ms windows",
        "markus",
        "hallrender",
        "songculture attacked",
        "tsara brashears",
        "scott mccormick",
        "aurora",
        "colorado",
        "rexxfield",
        "m brian sabey",
        "rally",
        "analyze",
        "targeted",
        "nxdomain",
        "as397240",
        "as22612",
        "record value",
        "for privacy",
        "aaaa",
        "alienvault",
        "open threat",
        "hit",
        "men",
        "man",
        "reredrum",
        "monitoring"
      ],
      "references": [
        "https://www.mccormick-designs.com",
        "http://www.sheraises.com/wcur/ [phishing]",
        "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]",
        "72.167.124.187  [phishing]",
        "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109",
        "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net",
        "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV",
        "www.jamesbgriffinlaw.com (toolbox)",
        "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333",
        "nr-data.net [Apple Private Data Collection]",
        "applephonenw.com [governmentattic]",
        "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com",
        "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558",
        "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks",
        "http://mcbut.live (Not present? Absent today - unexcused)",
        "thecomments.app"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Australia",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Win32:Malware-gen",
          "display_name": "Win32:Malware-gen",
          "target": null
        },
        {
          "id": "TrojanSpy:Win32/Nivdort",
          "display_name": "TrojanSpy:Win32/Nivdort",
          "target": "/malware/TrojanSpy:Win32/Nivdort"
        },
        {
          "id": "Artro",
          "display_name": "Artro",
          "target": null
        },
        {
          "id": "Ransom:Win32/Teerac.A",
          "display_name": "Ransom:Win32/Teerac.A",
          "target": "/malware/Ransom:Win32/Teerac.A"
        },
        {
          "id": "Trojan:Win32/Neconyd.A",
          "display_name": "Trojan:Win32/Neconyd.A",
          "target": "/malware/Trojan:Win32/Neconyd.A"
        },
        {
          "id": "VirTool:Win32/Injector.gen!BQ",
          "display_name": "VirTool:Win32/Injector.gen!BQ",
          "target": "/malware/VirTool:Win32/Injector.gen!BQ"
        },
        {
          "id": "TrojanDownloader:Win32/Upatre.O",
          "display_name": "TrojanDownloader:Win32/Upatre.O",
          "target": "/malware/TrojanDownloader:Win32/Upatre.O"
        },
        {
          "id": "TrojanDownloader:Win32/Upatre",
          "display_name": "TrojanDownloader:Win32/Upatre",
          "target": "/malware/TrojanDownloader:Win32/Upatre"
        },
        {
          "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn",
          "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/AirInstaller.B",
          "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B",
          "target": null
        },
        {
          "id": "Win.Trojan",
          "display_name": "Win.Trojan",
          "target": null
        },
        {
          "id": "Win.Trojan.Zbot-64721",
          "display_name": "Win.Trojan.Zbot-64721",
          "target": null
        },
        {
          "id": "Win.Dropper.Remcos-9970861-0",
          "display_name": "Win.Dropper.Remcos-9970861-0",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:PUA:Win32/Imali",
          "display_name": "ALF:HeraklezEval:PUA:Win32/Imali",
          "target": null
        },
        {
          "id": "Win.Trojan.NSIS-41",
          "display_name": "Win.Trojan.NSIS-41",
          "target": null
        },
        {
          "id": "Win.Trojan.Airinstall-1",
          "display_name": "Win.Trojan.Airinstall-1",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1547.006",
          "name": "Kernel Modules and Extensions",
          "display_name": "T1547.006 - Kernel Modules and Extensions"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1598",
          "name": "Phishing for Information",
          "display_name": "T1598 - Phishing for Information"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1439",
          "name": "Eavesdrop on Insecure Network Communication",
          "display_name": "T1439 - Eavesdrop on Insecure Network Communication"
        },
        {
          "id": "T1029",
          "name": "Scheduled Transfer",
          "display_name": "T1029 - Scheduled Transfer"
        },
        {
          "id": "T1158",
          "name": "Hidden Files and Directories",
          "display_name": "T1158 - Hidden Files and Directories"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1098",
          "name": "Account Manipulation",
          "display_name": "T1098 - Account Manipulation"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "65e77c7c488546842f94848c",
      "export_count": 60,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4708,
        "hostname": 1810,
        "FileHash-MD5": 254,
        "FileHash-SHA1": 213,
        "FileHash-SHA256": 1631,
        "domain": 2741,
        "CVE": 3,
        "email": 11
      },
      "indicator_count": 11371,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 224,
      "modified_text": "744 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65eba0786d5bbd4f31a60c17",
      "name": "Injection \u2022 FormBook",
      "description": "",
      "modified": "2024-04-04T19:04:12.599000",
      "created": "2024-03-08T23:34:16.648000",
      "tags": [
        "ssl certificate",
        "whois record",
        "execution",
        "march",
        "historical ssl",
        "threat roundup",
        "contacted",
        "referrer",
        "resolutions",
        "siblings domain",
        "malicious",
        "malware",
        "metro",
        "whois whois",
        "hackers utilize",
        "contacted urls",
        "lowfi",
        "date hash",
        "avast avg",
        "msdefender feb",
        "vendor finding",
        "notes avast",
        "win32",
        "ms defender",
        "trojanspy",
        "files matching",
        "number",
        "sample analysis",
        "copy",
        "hide samples",
        "as133618",
        "trojan",
        "passive dns",
        "ransom",
        "entries",
        "scan endpoints",
        "all octoseek",
        "ipv4",
        "pulse pulses",
        "encrypt",
        "virtool",
        "body",
        "click",
        "date",
        "artro",
        "script urls",
        "asnone united",
        "unknown",
        "as2635",
        "united",
        "search",
        "showing",
        "title",
        "moved",
        "script domains",
        "bypass",
        "tools",
        "meta",
        "cookie",
        "next",
        "urls",
        "address",
        "creation date",
        "dnssec",
        "protect",
        "threat",
        "paste",
        "iocs",
        "urls http",
        "xfbml1",
        "t1676916559",
        "ucddaocjgah",
        "rhttps",
        "hostname",
        "virgin islands",
        "cname",
        "as47846",
        "germany unknown",
        "as44273 host",
        "as45638",
        "pty ltd",
        "name servers",
        "hostnames",
        "urls https",
        "cryp",
        "bq apr",
        "servers",
        "pulse submit",
        "url analysis",
        "files",
        "ip address",
        "domain",
        "emails",
        "expiration date",
        "canada unknown",
        "dynamicloader",
        "yara rule",
        "high",
        "medium",
        "formbook cnc",
        "checkin",
        "cape",
        "formbook",
        "windows",
        "rc2i",
        "powershell",
        "write",
        "mccormick",
        "photos",
        "design og",
        "html info",
        "title works",
        "design meta",
        "tags og",
        "wordpress",
        "woocommerce",
        "design trackers",
        "status",
        "as131316 slnet",
        "as14061",
        "win32upatre mar",
        "win32imali mar",
        "injection",
        "http response",
        "final url",
        "serving ip",
        "status code",
        "body length",
        "kb body",
        "sha256",
        "acceptencoding",
        "apache",
        "upgrade",
        "keepalive",
        "show",
        "pe32",
        "intel",
        "ms windows",
        "markus",
        "hallrender",
        "songculture attacked",
        "tsara brashears",
        "scott mccormick",
        "aurora",
        "colorado",
        "rexxfield",
        "m brian sabey",
        "rally",
        "analyze",
        "targeted",
        "nxdomain",
        "as397240",
        "as22612",
        "record value",
        "for privacy",
        "aaaa",
        "alienvault",
        "open threat",
        "hit",
        "men",
        "man",
        "reredrum",
        "monitoring"
      ],
      "references": [
        "https://www.mccormick-designs.com",
        "http://www.sheraises.com/wcur/ [phishing]",
        "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]",
        "72.167.124.187  [phishing]",
        "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109",
        "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net",
        "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV",
        "www.jamesbgriffinlaw.com (toolbox)",
        "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333",
        "nr-data.net [Apple Private Data Collection]",
        "applephonenw.com [governmentattic]",
        "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com",
        "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558",
        "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks",
        "http://mcbut.live (Not present? Absent today - unexcused)",
        "thecomments.app"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Australia",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Win32:Malware-gen",
          "display_name": "Win32:Malware-gen",
          "target": null
        },
        {
          "id": "TrojanSpy:Win32/Nivdort",
          "display_name": "TrojanSpy:Win32/Nivdort",
          "target": "/malware/TrojanSpy:Win32/Nivdort"
        },
        {
          "id": "Artro",
          "display_name": "Artro",
          "target": null
        },
        {
          "id": "Ransom:Win32/Teerac.A",
          "display_name": "Ransom:Win32/Teerac.A",
          "target": "/malware/Ransom:Win32/Teerac.A"
        },
        {
          "id": "Trojan:Win32/Neconyd.A",
          "display_name": "Trojan:Win32/Neconyd.A",
          "target": "/malware/Trojan:Win32/Neconyd.A"
        },
        {
          "id": "VirTool:Win32/Injector.gen!BQ",
          "display_name": "VirTool:Win32/Injector.gen!BQ",
          "target": "/malware/VirTool:Win32/Injector.gen!BQ"
        },
        {
          "id": "TrojanDownloader:Win32/Upatre.O",
          "display_name": "TrojanDownloader:Win32/Upatre.O",
          "target": "/malware/TrojanDownloader:Win32/Upatre.O"
        },
        {
          "id": "TrojanDownloader:Win32/Upatre",
          "display_name": "TrojanDownloader:Win32/Upatre",
          "target": "/malware/TrojanDownloader:Win32/Upatre"
        },
        {
          "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn",
          "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/AirInstaller.B",
          "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B",
          "target": null
        },
        {
          "id": "Win.Trojan",
          "display_name": "Win.Trojan",
          "target": null
        },
        {
          "id": "Win.Trojan.Zbot-64721",
          "display_name": "Win.Trojan.Zbot-64721",
          "target": null
        },
        {
          "id": "Win.Dropper.Remcos-9970861-0",
          "display_name": "Win.Dropper.Remcos-9970861-0",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:PUA:Win32/Imali",
          "display_name": "ALF:HeraklezEval:PUA:Win32/Imali",
          "target": null
        },
        {
          "id": "Win.Trojan.NSIS-41",
          "display_name": "Win.Trojan.NSIS-41",
          "target": null
        },
        {
          "id": "Win.Trojan.Airinstall-1",
          "display_name": "Win.Trojan.Airinstall-1",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1547.006",
          "name": "Kernel Modules and Extensions",
          "display_name": "T1547.006 - Kernel Modules and Extensions"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1598",
          "name": "Phishing for Information",
          "display_name": "T1598 - Phishing for Information"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1439",
          "name": "Eavesdrop on Insecure Network Communication",
          "display_name": "T1439 - Eavesdrop on Insecure Network Communication"
        },
        {
          "id": "T1029",
          "name": "Scheduled Transfer",
          "display_name": "T1029 - Scheduled Transfer"
        },
        {
          "id": "T1158",
          "name": "Hidden Files and Directories",
          "display_name": "T1158 - Hidden Files and Directories"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1098",
          "name": "Account Manipulation",
          "display_name": "T1098 - Account Manipulation"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "65e77c7c488546842f94848c",
      "export_count": 62,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4708,
        "hostname": 1810,
        "FileHash-MD5": 254,
        "FileHash-SHA1": 213,
        "FileHash-SHA256": 1631,
        "domain": 2741,
        "CVE": 3,
        "email": 11
      },
      "indicator_count": 11371,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 226,
      "modified_text": "744 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://wordpress.org/plugins/mailchimp-for-wp/",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://wordpress.org/plugins/mailchimp-for-wp/",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776615653.3820417
}