{ "type": "URL", "indicator": "https://workfree30-td.xorg.pl/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://workfree30-td.xorg.pl/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4102699613, "indicator": "https://workfree30-td.xorg.pl/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "68efedf37890e1b32d60eb55", "name": "Assurant Insurance \u2022 Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant , T-Mobile & me", "description": "Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant and T-Mobile and me. There is truth to the tip I received. This is the 3rd time all of my networks went down , even my phone disconnected and phone number changed temporarily. \n\nJosh T found again. Online profile possibly staged. Stated he is a gamer , self trained in Lua, , CS major in Canada. He is a malicious hacker and streamer and probably an entity. Eric _E iCloud related. Found DoD & Mil hackers related. I haven\u2019t taken the time to authenticate.. Very malicious and talented hackers attacking. I can\u2019t ignore the .mil and DoD items that populated in previous pulses. \n \n[OTX Auto Populated-Trojan-gen-Glupteba, Danabot, Prorat, and other names have been identified as the names of those affected by the latest cyber-attack on the internet.]", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T18:54:43.205000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "200 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68efee5ba882db423d3bad8f", "name": "Assurant & T-Mobile BLYP Checkin ET MALWARE TROJAN \u2022 Kryptic", "description": "", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T18:56:27.950000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": "68efedf37890e1b32d60eb55", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "200 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68eff0848071708f9ee0c0bd", "name": "Gamarue \u2022 G3nasom\u2022 Simda\u2022 Ganelp affecting Assurant and T-Mobile Part 3", "description": "", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T19:05:40.466000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": "68efee5ba882db423d3bad8f", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "200 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688f2a4444334746890f3b39", "name": "Bank of America Scam", "description": "Bank of America scams that being carried out for at least 8 years. Group able to steal your credentials, investments, insurance policies, skimming, small to large false charges, account theft. 9/2024 BoFa was investigated by me. They had experienced a major , sophisticated compromise. At least one branch is run by unfriendly investigators or authorities. All regular staff was moved to different branches. I witnessed personnel accessing a customer\u2019s account without customer presenting ID or giving name. Customer was concerned, staffer just stated he remembered their business name. Another customer was being harassed to close business account for an hour and another staffer took a consumers debit card and denied it prompting an internal investigation. Finally a \u2018manager\u2019 said they experienced a major hack. Research shows customers weren\u2019t informed. . Further research is necessary.\nAnybody? \n#theft #skimming #cancellations #false_charges #debitcardfraud #botnetcallcenter", "modified": "2025-09-02T08:02:34.108000", "created": "2025-08-03T09:22:12.846000", "tags": [ "united", "link", "ip address", "creation date", "search", "record value", "showing", "unknown ns", "present mar", "a domains", "date", "meta", "starfield", "entries", "show", "windows", "msie", "http", "medium", "post http", "delete", "ids detections", "malware", "copy", "drweb", "write", "win32", "global", "present jul", "error", "lowfi", "trojanspy", "checkin", "passive dns", "trojan", "next associated", "cryp", "present aug", "urls", "address", "hostname", "pulse submit", "url analysis", "files", "domain", "pulse", "less whois", "registrar", "adylkuzz cnc", "beacon", "get http", "exe payload", "read", "suspicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 171, "URL": 873, "domain": 180, "hostname": 332, "email": 3, "FileHash-SHA256": 698, "FileHash-SHA1": 167 }, "indicator_count": 2424, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "273 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688d9f7c357111d3ad843c16", "name": "Follower Factory - Virus:Win32/Shodi.I | Trojan Agent", "description": "Follower factories sell followers , shout outs & retweets to celebrities, businesses, anyone. Buying followers is not encouraged by the those \u2018target\u2019 worked with. On several occasions Brashears had to have Bank refund her $1000\u2019s in unauthorized Facebook advertising charges finally, 2 of her banks accounts , l Brashears had to delete a photo of herself that gained a suspicious 12,000+ in Filipino likes & comments.. Target deleted 3000 sudden faceless twitter bots shortly before her Twitter accounts was stolen. Bad actors marketed her music on malicious websites. Hacking Tsara began in 2013 after assault, Followers began after Brian Sabey contacted Tsara Brashears @ Song Culture email. Site became filled with trackers at one time and advertised her commutes on Yandex..1st contact Sabey , initially asked what the company did via email.", "modified": "2025-09-01T02:00:30.266000", "created": "2025-08-02T05:17:48.231000", "tags": [ "destination", "port", "united", "show", "search", "get http", "host sinkhole", "cookie value", "et trojan", "unknown", "possible", "write", "win32", "nivdort", "artemis", "malware", "zeus gameover", "copy", "next", "date", "no expiration", "ipv4", "expiration", "url http", "domain", "iocs", "drop or", "browse to", "select file", "or drop", "united kingdom", "entries", "next associated", "unknown a", "showing", "urls show", "date checked", "url hostname", "server response", "filehash", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "md5 add", "passive dns", "great britain", "present jul", "urls", "files", "reverse dns", "data upload", "extraction", "failed", "virus", "file score", "medium risk", "related pulses", "none related" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 351, "FileHash-SHA1": 344, "FileHash-SHA256": 1546, "URL": 3435, "domain": 796, "hostname": 801 }, "indicator_count": 7273, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688343b9e60e8693f50e515f", "name": "Cycbot & worse - Palantir Monitoring Target/s", "description": "Palantir \u2022 Gotham \u2022 Foundry Top tier sells tools used to monitor, harass, smear , invoke fear, even \u2018kill\u2019. Used by military., too many partners to name (includes the entire government., heavy military, NSA use) of course Twitter, Apple Facebook, Pegasus related, possibly Paragon if what I\u2019ve read and researched is true. *There are 188 Palantir Foundry links in this pulse. ||\nMonitored target || Apparently ,\u2018tool\u2019 is weaponized against civilians for unknown and unwarranted purposes. || Lofty and unclear how or why a manner of death of target was predicted and posted online 12 years ago. || More research is needed.\n\nMalware named was found in research. \n\n #targeted #rip #palantir #foundry #gotham #twitter #techbromafia #silencing #overreach #quasi_gov #ongoing #active #moved #dangerous", "modified": "2025-08-24T06:01:34.920000", "created": "2025-07-25T08:43:37.734000", "tags": [ "status", "united", "unknown ns", "passive dns", "urls", "creation date", "search", "emails", "date", "expiration date", "tcp include", "top source", "top destination", "show", "source source", "data upload", "extraction", "showing", "moved", "certificate", "ip address", "domain", "body", "present jul", "present jun", "present aug", "present sep", "trojan", "name servers", "twitter", "vtflooder", "foundry", "virustotal", "gotham", "palantir", "tools", "destination", "port", "msie", "windows nt", "unknown", "read c", "etpro trojan", "malware", "copy", "write", "infostealer", "possible", "virustotal", "copyleft", "present jan", "entries", "next associated", "ipv4 add", "pulse submit", "url analysis", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "discovery att", "hostname add", "files", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "ascii text", "mitre att", "pattern match", "show technique", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "look", "verify", "restart", "se extri", "referen", "etpro tr", "virtool", "referencec", "failed", "se extra", "eanioae", "include review", "exclude sugges", "includec review", "exclude", "suggest data", "open ports", "reverse dns", "location united", "america flag", "boardman", "t1045", "ck ids", "packing", "t1060", "run keys", "startup", "folder", "t1057", "discovery", "t1071", "value emails", "name domain", "org microsoft", "microsoft way", "city redmond", "country us", "dnssec", "t1012", "t1047", "instrumentation", "t1053", "taskjob", "spyware", "source", "signing defense", "size", "meta", "onload", "dynamicloader", "unicode text", "crlf line", "utf8", "medium", "write c", "default", "delphi", "win32", "code", "stream", "next", "akamai rank", "show process", "prefetch2", "dns server", "network traffic", "virus", "monitored target", "tofsee", "generic http", "exe upload", "inbound", "outbound", "delete", "yara detections", "markus", "flowid22101", "pixelevtid11771", "dvid", "urls show", "date checked", "188 palantir results", "adversaries", "development att", "ssl certificate", "flag", "stop", "facebook", "4328", "5943", "stealer", "unknown aaaa", "present may", "domain add", "hyundaitx", "twitter", "monitored tsara", "brashears", "apple", "ios", "remote", "cycbot", "maudio fw", "heur", "productversion", "fileversion", "maudio firewire" ], "references": [ "palantirfoundry.com \u2022 https://edenglobalpartners.palantirfoundry.com/", "247seekscenter.com \u2022 ns-1986.awsdns-56.co.uk: | 365-notifcation.com", "ETPRO TROJAN Win32/Oderoor Checkin \u2022 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain", "Domain ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)", "ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection", "platform.twitter.co \u2022 rm.twitter.co \u2022 upload.twitter.co \u2022 http://2fsyndication.twitter.co/", "http://legal.twitter.co \u2022 http://mobile.twitter.co/", "ec2-44-228-94-74.us-west-2.compute.amazonaws.com \u2022 defender.palantirfoundry.com", "https://embaxter.palantirfoundry.com \u2022 https://amgistudios.palantirfoundry.com", "https://ametrine-containers.palantirfoundry.com \u2022 https://amfp.palantirfoundry.com", "https://ameteklms.palantirfoundry.com \u2022 https://ametrine-compute.palantirfoundry.com", "https://amiable-constellation.palantirfoundry.com \u2022 https://amplifi.palantirfoundry.com", "https://oscar.palantirfoundry.com/ \u2022 https://replica.palantirfoundry.com/", "https://statemed.palantirgov.com/workspace/settings/notifications \u2022 https://cchbc.palantirfoundry.com", "https://test-1.washington.palantircloud.com \u2022 https://tarn.palantirgov.com \u2022 https://stateplatform.palantirgov.com", "https://imperium-dev-1.palantircloud.com \u2022 https://hii.palantirgov.com \u2022 https://genoa.washington.palantircloud.com", "tsystems.palantirfoundry.com \u2022 https://statemed.palantirgov.com \u2022 https://statecms.palantirgov.com", "https://replica.palantirfoundry.com/ \u2022 https://spacejam.palantirfoundry.com/ \u2022", "https://pl.pornhub.mrst.one/ \u2022 hotamateurpornsite.xxx \u2022 squirting.porn \u2022 https://de-pornhub.mrst.one/", "Hostname: hcl-dna-sandbox.palantirfoundry.com", "https://www.hyundaitx.com/", "ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check", "https://remote.downloadnow-1.com/", "Alerts: injection_runpe deletes_self persistence_autorun stealth_file antivirus_virustotal infostealer_ftp", "Alerts: infostealer_mail network_smtp persistence_ads recon_programs injection", "Monitored Target - Spawned process \"iexplore.exe\" w/commandline \"SCODEF:5860 CREDAT:275457 /prefetch:2\" (Show Process) source", "Monitored Target: Queries DNS server details \"www.hyundaitx.com\" source Network Traffic T1071.004", "Palantir/ Hyuandi coexist | Confirmed Targets transportation was a Hyuandi SUV |", "ipad-steals-app-ideas_1_.jpg - MD5 6dd66b729a649dec250b24533a58a996" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Vtflooder-9783271-0", "display_name": "Win.Malware.Vtflooder-9783271-0", "target": null }, { "id": "Trojan.Kazy-237", "display_name": "Trojan.Kazy-237", "target": null }, { "id": "Trojan.Vundo-5335", "display_name": "Trojan.Vundo-5335", "target": null }, { "id": "Generic31.BKFG", "display_name": "Generic31.BKFG", "target": null }, { "id": "Win.Packed.Krucky-6941986-0", "display_name": "Win.Packed.Krucky-6941986-0", "target": null }, { "id": "ALF:HSTR:KrunchyMalPacker!MTB", "display_name": "ALF:HSTR:KrunchyMalPacker!MTB", "target": null }, { "id": "Win.Trojan.Agent-920890", "display_name": "Win.Trojan.Agent-920890", "target": null }, { "id": "Win.Trojan.Jorik-10365", "display_name": "Win.Trojan.Jorik-10365", "target": null }, { "id": "Trojan.Adload-2492", "display_name": "Trojan.Adload-2492", "target": null }, { "id": "Trojan.Spy-59563", "display_name": "Trojan.Spy-59563", "target": null }, { "id": "Ransom:Win32/Cryptor", "display_name": "Ransom:Win32/Cryptor", "target": "/malware/Ransom:Win32/Cryptor" }, { "id": "Win32/Blacked", "display_name": "Win32/Blacked", "target": null }, { "id": "Win.Trojan.Cycbot-764", "display_name": "Win.Trojan.Cycbot-764", "target": null }, { "id": "Trojan.VB-47534", "display_name": "Trojan.VB-47534", "target": null }, { "id": "Backdoor:Win32/Drixed.J ,", "display_name": "Backdoor:Win32/Drixed.J ,", "target": "/malware/Backdoor:Win32/Drixed.J ," }, { "id": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "Malware Tool", "display_name": "Malware Tool", "target": null }, { "id": "Palantir Spyware", "display_name": "Palantir Spyware", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0030", "name": "Defense Evasion", "display_name": "TA0030 - Defense Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4203, "domain": 1218, "email": 9, "hostname": 2006, "FileHash-SHA256": 2740, "FileHash-MD5": 424, "FileHash-SHA1": 419, "SSLCertFingerprint": 12 }, "indicator_count": 11031, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "282 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6882b365b45b9c6ee0eb7abc", "name": "Mold and Water Damage | Botnet - every search will remit false results", "description": "Mold and Water Damage | Botnet - every search will remit false results. In this instance it was a lawfirm. https://www.wshblaw.com/\n#malware #packed #botnetresults #likely #botnettester", "modified": "2025-08-23T20:02:25.025000", "created": "2025-07-24T22:27:49.105000", "tags": [ "redacted for", "name servers", "united", "date", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "unknown", "etpro trojan", "possible virut", "dga nxdomain", "responses", "entries", "search", "read c", "show", "read", "win32", "copy", "write", "malware", "next", "files ip", "address", "date hash", "domain related", "showing", "ip address", "ip related", "pulses none", "related tags", "none indicator", "facts domain", "poland unknown", "aaaa", "present apr", "domain add", "pulse pulses", "windows", "windows nt", "medium", "high", "cnc beacon", "trojan", "present may", "present jun", "present sep", "present nov", "present feb", "present aug", "present oct", "backdoor", "msil", "united kingdom", "great britain", "susp", "win64", "content type", "trojandropper", "worm", "ransom", "expiration", "no expiration", "hostname", "url http", "embeddedwb", "shellexecuteexw", "whitelisted", "msie", "service", "cloud", "hostname add", "extraction", "data upload", "enter soukue", "url uk", "teukau", "drup uk", "drows type", "extre", "include review", "exclude sugges", "find", "a domains", "gmt content", "ipv4 add", "canada unknown", "meta", "cloudflare", "status", "span", "reverse dns", "asn as13335", "dns resolutions", "domains top", "body", "apache", "delete", "ukraine", "registrar", "creation date", "servers", "present jul", "self", "date tue", "gmt server", "expires wed", "apache vary", "server google", "tag manager", "gmt etag", "acceptranges", "contentlength", "pragma", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "itre att", "unicode text", "utf8 text", "crlf", "lf line", "copy md5", "sha1", "copy sha1", "sha256", "copy sha256", "size", "truetype", "ascii text", "pattern match", "mitre att", "format", "general", "local", "path", "encrypt", "click", "strings" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1326, "URL": 3745, "domain": 778, "email": 2, "FileHash-SHA256": 2360, "FileHash-MD5": 355, "FileHash-SHA1": 347, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 8917, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "283 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "you.are.poor.i.got.trap.money?", "Hostname: hcl-dna-sandbox.palantirfoundry.com", "Monitored Target: Queries DNS server details \"www.hyundaitx.com\" source Network Traffic T1071.004", "https://test-1.washington.palantircloud.com \u2022 https://tarn.palantirgov.com \u2022 https://stateplatform.palantirgov.com", "Alerts: infostealer_mail network_smtp persistence_ads recon_programs injection", "ETPRO TROJAN Win32/Oderoor Checkin \u2022 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "https://remote.downloadnow-1.com/", "platform.twitter.co \u2022 rm.twitter.co \u2022 upload.twitter.co \u2022 http://2fsyndication.twitter.co/", "https://amiable-constellation.palantirfoundry.com \u2022 https://amplifi.palantirfoundry.com", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "ec2-44-228-94-74.us-west-2.compute.amazonaws.com \u2022 defender.palantirfoundry.com", "Palantir/ Hyuandi coexist | Confirmed Targets transportation was a Hyuandi SUV |", "https://ametrine-containers.palantirfoundry.com \u2022 https://amfp.palantirfoundry.com", "palantirfoundry.com \u2022 https://edenglobalpartners.palantirfoundry.com/", "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection", "tsystems.palantirfoundry.com \u2022 https://statemed.palantirgov.com \u2022 https://statecms.palantirgov.com", "https://oscar.palantirfoundry.com/ \u2022 https://replica.palantirfoundry.com/", "Domain ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)", "https://www.hyundaitx.com/", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "Alerts: injection_runpe deletes_self persistence_autorun stealth_file antivirus_virustotal infostealer_ftp", "https://pl.pornhub.mrst.one/ \u2022 hotamateurpornsite.xxx \u2022 squirting.porn \u2022 https://de-pornhub.mrst.one/", "ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check", "247seekscenter.com \u2022 ns-1986.awsdns-56.co.uk: | 365-notifcation.com", "Monitored Target - Spawned process \"iexplore.exe\" w/commandline \"SCODEF:5860 CREDAT:275457 /prefetch:2\" (Show Process) source", "https://ameteklms.palantirfoundry.com \u2022 https://ametrine-compute.palantirfoundry.com", "https://replica.palantirfoundry.com/ \u2022 https://spacejam.palantirfoundry.com/ \u2022", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "ipad-steals-app-ideas_1_.jpg - MD5 6dd66b729a649dec250b24533a58a996", "http://legal.twitter.co \u2022 http://mobile.twitter.co/", "https://statemed.palantirgov.com/workspace/settings/notifications \u2022 https://cchbc.palantirfoundry.com", "https://embaxter.palantirfoundry.com \u2022 https://amgistudios.palantirfoundry.com", "https://imperium-dev-1.palantircloud.com \u2022 https://hii.palantirgov.com \u2022 https://genoa.washington.palantircloud.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Bc.win.packer.troll-11", "Crypt3.bxmj", "Crypt5.bbyh", "Alf:hstr:krunchymalpacker!mtb", "Malware tool", "Crypt3.boqd", "Et", "Trojan.vundo-5335", "Palantir spyware", "Atros3.ahfb", "Win.malware.vtflooder-9783271-0", "Win.trojan.agent-920890", "Trojan:win32/glupteba.ov!mtb", "Ransom:win32/cryptor", "Prorat", "Trojan.kazy-237", "Trojan.spy-59563", "Win32:trojan", "Backdoor:win32/prorat.l", "Crypt3.boje", "Crypt3.ckto", "Trojan.adload-2492", "Alf:heraklezeval:pws:win32/ldpinch!rfn", "Crypt3.boiu", "Inject2.bhbw", "Inject2.bive", "Crypt3.blxp", "Crypt3.bxgr", "Win.trojan.cycbot-764", "Win32:malware-gen", "Win.packed.krucky-6941986-0", "Generic31.bkfg", "Win.trojan.jorik-10365", "Crypt3.bxvc", "Danabot", "Trojan.vb-47534", "Tofsee", "Backdoor:win32/drixed.j ,", "Crypt3.coiz", "Crypt4.ahsw", "Win32/blacked", "Crypt3.cmtm" ], "industries": [ "Insurance", "Telecommunications" ], "unique_indicators": 46876 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/xorg.pl", "whois": "http://whois.domaintools.com/xorg.pl", "domain": "xorg.pl", "hostname": "workfree30-td.xorg.pl" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "68efedf37890e1b32d60eb55", "name": "Assurant Insurance \u2022 Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant , T-Mobile & me", "description": "Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant and T-Mobile and me. There is truth to the tip I received. This is the 3rd time all of my networks went down , even my phone disconnected and phone number changed temporarily. \n\nJosh T found again. Online profile possibly staged. Stated he is a gamer , self trained in Lua, , CS major in Canada. He is a malicious hacker and streamer and probably an entity. Eric _E iCloud related. Found DoD & Mil hackers related. I haven\u2019t taken the time to authenticate.. Very malicious and talented hackers attacking. I can\u2019t ignore the .mil and DoD items that populated in previous pulses. \n \n[OTX Auto Populated-Trojan-gen-Glupteba, Danabot, Prorat, and other names have been identified as the names of those affected by the latest cyber-attack on the internet.]", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T18:54:43.205000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "200 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68efee5ba882db423d3bad8f", "name": "Assurant & T-Mobile BLYP Checkin ET MALWARE TROJAN \u2022 Kryptic", "description": "", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T18:56:27.950000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": "68efedf37890e1b32d60eb55", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "200 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68eff0848071708f9ee0c0bd", "name": "Gamarue \u2022 G3nasom\u2022 Simda\u2022 Ganelp affecting Assurant and T-Mobile Part 3", "description": "", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T19:05:40.466000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": "68efee5ba882db423d3bad8f", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "200 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688f2a4444334746890f3b39", "name": "Bank of America Scam", "description": "Bank of America scams that being carried out for at least 8 years. Group able to steal your credentials, investments, insurance policies, skimming, small to large false charges, account theft. 9/2024 BoFa was investigated by me. They had experienced a major , sophisticated compromise. At least one branch is run by unfriendly investigators or authorities. All regular staff was moved to different branches. I witnessed personnel accessing a customer\u2019s account without customer presenting ID or giving name. Customer was concerned, staffer just stated he remembered their business name. Another customer was being harassed to close business account for an hour and another staffer took a consumers debit card and denied it prompting an internal investigation. Finally a \u2018manager\u2019 said they experienced a major hack. Research shows customers weren\u2019t informed. . Further research is necessary.\nAnybody? \n#theft #skimming #cancellations #false_charges #debitcardfraud #botnetcallcenter", "modified": "2025-09-02T08:02:34.108000", "created": "2025-08-03T09:22:12.846000", "tags": [ "united", "link", "ip address", "creation date", "search", "record value", "showing", "unknown ns", "present mar", "a domains", "date", "meta", "starfield", "entries", "show", "windows", "msie", "http", "medium", "post http", "delete", "ids detections", "malware", "copy", "drweb", "write", "win32", "global", "present jul", "error", "lowfi", "trojanspy", "checkin", "passive dns", "trojan", "next associated", "cryp", "present aug", "urls", "address", "hostname", "pulse submit", "url analysis", "files", "domain", "pulse", "less whois", "registrar", "adylkuzz cnc", "beacon", "get http", "exe payload", "read", "suspicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 171, "URL": 873, "domain": 180, "hostname": 332, "email": 3, "FileHash-SHA256": 698, "FileHash-SHA1": 167 }, "indicator_count": 2424, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "273 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688d9f7c357111d3ad843c16", "name": "Follower Factory - Virus:Win32/Shodi.I | Trojan Agent", "description": "Follower factories sell followers , shout outs & retweets to celebrities, businesses, anyone. Buying followers is not encouraged by the those \u2018target\u2019 worked with. On several occasions Brashears had to have Bank refund her $1000\u2019s in unauthorized Facebook advertising charges finally, 2 of her banks accounts , l Brashears had to delete a photo of herself that gained a suspicious 12,000+ in Filipino likes & comments.. Target deleted 3000 sudden faceless twitter bots shortly before her Twitter accounts was stolen. Bad actors marketed her music on malicious websites. Hacking Tsara began in 2013 after assault, Followers began after Brian Sabey contacted Tsara Brashears @ Song Culture email. Site became filled with trackers at one time and advertised her commutes on Yandex..1st contact Sabey , initially asked what the company did via email.", "modified": "2025-09-01T02:00:30.266000", "created": "2025-08-02T05:17:48.231000", "tags": [ "destination", "port", "united", "show", "search", "get http", "host sinkhole", "cookie value", "et trojan", "unknown", "possible", "write", "win32", "nivdort", "artemis", "malware", "zeus gameover", "copy", "next", "date", "no expiration", "ipv4", "expiration", "url http", "domain", "iocs", "drop or", "browse to", "select file", "or drop", "united kingdom", "entries", "next associated", "unknown a", "showing", "urls show", "date checked", "url hostname", "server response", "filehash", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "md5 add", "passive dns", "great britain", "present jul", "urls", "files", "reverse dns", "data upload", "extraction", "failed", "virus", "file score", "medium risk", "related pulses", "none related" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 351, "FileHash-SHA1": 344, "FileHash-SHA256": 1546, "URL": 3435, "domain": 796, "hostname": 801 }, "indicator_count": 7273, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688343b9e60e8693f50e515f", "name": "Cycbot & worse - Palantir Monitoring Target/s", "description": "Palantir \u2022 Gotham \u2022 Foundry Top tier sells tools used to monitor, harass, smear , invoke fear, even \u2018kill\u2019. Used by military., too many partners to name (includes the entire government., heavy military, NSA use) of course Twitter, Apple Facebook, Pegasus related, possibly Paragon if what I\u2019ve read and researched is true. *There are 188 Palantir Foundry links in this pulse. ||\nMonitored target || Apparently ,\u2018tool\u2019 is weaponized against civilians for unknown and unwarranted purposes. || Lofty and unclear how or why a manner of death of target was predicted and posted online 12 years ago. || More research is needed.\n\nMalware named was found in research. \n\n #targeted #rip #palantir #foundry #gotham #twitter #techbromafia #silencing #overreach #quasi_gov #ongoing #active #moved #dangerous", "modified": "2025-08-24T06:01:34.920000", "created": "2025-07-25T08:43:37.734000", "tags": [ "status", "united", "unknown ns", "passive dns", "urls", "creation date", "search", "emails", "date", "expiration date", "tcp include", "top source", "top destination", "show", "source source", "data upload", "extraction", "showing", "moved", "certificate", "ip address", "domain", "body", "present jul", "present jun", "present aug", "present sep", "trojan", "name servers", "twitter", "vtflooder", "foundry", "virustotal", "gotham", "palantir", "tools", "destination", "port", "msie", "windows nt", "unknown", "read c", "etpro trojan", "malware", "copy", "write", "infostealer", "possible", "virustotal", "copyleft", "present jan", "entries", "next associated", "ipv4 add", "pulse submit", "url analysis", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "discovery att", "hostname add", "files", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "ascii text", "mitre att", "pattern match", "show technique", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "look", "verify", "restart", "se extri", "referen", "etpro tr", "virtool", "referencec", "failed", "se extra", "eanioae", "include review", "exclude sugges", "includec review", "exclude", "suggest data", "open ports", "reverse dns", "location united", "america flag", "boardman", "t1045", "ck ids", "packing", "t1060", "run keys", "startup", "folder", "t1057", "discovery", "t1071", "value emails", "name domain", "org microsoft", "microsoft way", "city redmond", "country us", "dnssec", "t1012", "t1047", "instrumentation", "t1053", "taskjob", "spyware", "source", "signing defense", "size", "meta", "onload", "dynamicloader", "unicode text", "crlf line", "utf8", "medium", "write c", "default", "delphi", "win32", "code", "stream", "next", "akamai rank", "show process", "prefetch2", "dns server", "network traffic", "virus", "monitored target", "tofsee", "generic http", "exe upload", "inbound", "outbound", "delete", "yara detections", "markus", "flowid22101", "pixelevtid11771", "dvid", "urls show", "date checked", "188 palantir results", "adversaries", "development att", "ssl certificate", "flag", "stop", "facebook", "4328", "5943", "stealer", "unknown aaaa", "present may", "domain add", "hyundaitx", "twitter", "monitored tsara", "brashears", "apple", "ios", "remote", "cycbot", "maudio fw", "heur", "productversion", "fileversion", "maudio firewire" ], "references": [ "palantirfoundry.com \u2022 https://edenglobalpartners.palantirfoundry.com/", "247seekscenter.com \u2022 ns-1986.awsdns-56.co.uk: | 365-notifcation.com", "ETPRO TROJAN Win32/Oderoor Checkin \u2022 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain", "Domain ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)", "ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection", "platform.twitter.co \u2022 rm.twitter.co \u2022 upload.twitter.co \u2022 http://2fsyndication.twitter.co/", "http://legal.twitter.co \u2022 http://mobile.twitter.co/", "ec2-44-228-94-74.us-west-2.compute.amazonaws.com \u2022 defender.palantirfoundry.com", "https://embaxter.palantirfoundry.com \u2022 https://amgistudios.palantirfoundry.com", "https://ametrine-containers.palantirfoundry.com \u2022 https://amfp.palantirfoundry.com", "https://ameteklms.palantirfoundry.com \u2022 https://ametrine-compute.palantirfoundry.com", "https://amiable-constellation.palantirfoundry.com \u2022 https://amplifi.palantirfoundry.com", "https://oscar.palantirfoundry.com/ \u2022 https://replica.palantirfoundry.com/", "https://statemed.palantirgov.com/workspace/settings/notifications \u2022 https://cchbc.palantirfoundry.com", "https://test-1.washington.palantircloud.com \u2022 https://tarn.palantirgov.com \u2022 https://stateplatform.palantirgov.com", "https://imperium-dev-1.palantircloud.com \u2022 https://hii.palantirgov.com \u2022 https://genoa.washington.palantircloud.com", "tsystems.palantirfoundry.com \u2022 https://statemed.palantirgov.com \u2022 https://statecms.palantirgov.com", "https://replica.palantirfoundry.com/ \u2022 https://spacejam.palantirfoundry.com/ \u2022", "https://pl.pornhub.mrst.one/ \u2022 hotamateurpornsite.xxx \u2022 squirting.porn \u2022 https://de-pornhub.mrst.one/", "Hostname: hcl-dna-sandbox.palantirfoundry.com", "https://www.hyundaitx.com/", "ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check", "https://remote.downloadnow-1.com/", "Alerts: injection_runpe deletes_self persistence_autorun stealth_file antivirus_virustotal infostealer_ftp", "Alerts: infostealer_mail network_smtp persistence_ads recon_programs injection", "Monitored Target - Spawned process \"iexplore.exe\" w/commandline \"SCODEF:5860 CREDAT:275457 /prefetch:2\" (Show Process) source", "Monitored Target: Queries DNS server details \"www.hyundaitx.com\" source Network Traffic T1071.004", "Palantir/ Hyuandi coexist | Confirmed Targets transportation was a Hyuandi SUV |", "ipad-steals-app-ideas_1_.jpg - MD5 6dd66b729a649dec250b24533a58a996" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Vtflooder-9783271-0", "display_name": "Win.Malware.Vtflooder-9783271-0", "target": null }, { "id": "Trojan.Kazy-237", "display_name": "Trojan.Kazy-237", "target": null }, { "id": "Trojan.Vundo-5335", "display_name": "Trojan.Vundo-5335", "target": null }, { "id": "Generic31.BKFG", "display_name": "Generic31.BKFG", "target": null }, { "id": "Win.Packed.Krucky-6941986-0", "display_name": "Win.Packed.Krucky-6941986-0", "target": null }, { "id": "ALF:HSTR:KrunchyMalPacker!MTB", "display_name": "ALF:HSTR:KrunchyMalPacker!MTB", "target": null }, { "id": "Win.Trojan.Agent-920890", "display_name": "Win.Trojan.Agent-920890", "target": null }, { "id": "Win.Trojan.Jorik-10365", "display_name": "Win.Trojan.Jorik-10365", "target": null }, { "id": "Trojan.Adload-2492", "display_name": "Trojan.Adload-2492", "target": null }, { "id": "Trojan.Spy-59563", "display_name": "Trojan.Spy-59563", "target": null }, { "id": "Ransom:Win32/Cryptor", "display_name": "Ransom:Win32/Cryptor", "target": "/malware/Ransom:Win32/Cryptor" }, { "id": "Win32/Blacked", "display_name": "Win32/Blacked", "target": null }, { "id": "Win.Trojan.Cycbot-764", "display_name": "Win.Trojan.Cycbot-764", "target": null }, { "id": "Trojan.VB-47534", "display_name": "Trojan.VB-47534", "target": null }, { "id": "Backdoor:Win32/Drixed.J ,", "display_name": "Backdoor:Win32/Drixed.J ,", "target": "/malware/Backdoor:Win32/Drixed.J ," }, { "id": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "Malware Tool", "display_name": "Malware Tool", "target": null }, { "id": "Palantir Spyware", "display_name": "Palantir Spyware", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0030", "name": "Defense Evasion", "display_name": "TA0030 - Defense Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4203, "domain": 1218, "email": 9, "hostname": 2006, "FileHash-SHA256": 2740, "FileHash-MD5": 424, "FileHash-SHA1": 419, "SSLCertFingerprint": 12 }, "indicator_count": 11031, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "282 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6882b365b45b9c6ee0eb7abc", "name": "Mold and Water Damage | Botnet - every search will remit false results", "description": "Mold and Water Damage | Botnet - every search will remit false results. In this instance it was a lawfirm. https://www.wshblaw.com/\n#malware #packed #botnetresults #likely #botnettester", "modified": "2025-08-23T20:02:25.025000", "created": "2025-07-24T22:27:49.105000", "tags": [ "redacted for", "name servers", "united", "date", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "unknown", "etpro trojan", "possible virut", "dga nxdomain", "responses", "entries", "search", "read c", "show", "read", "win32", "copy", "write", "malware", "next", "files ip", "address", "date hash", "domain related", "showing", "ip address", "ip related", "pulses none", "related tags", "none indicator", "facts domain", "poland unknown", "aaaa", "present apr", "domain add", "pulse pulses", "windows", "windows nt", "medium", "high", "cnc beacon", "trojan", "present may", "present jun", "present sep", "present nov", "present feb", "present aug", "present oct", "backdoor", "msil", "united kingdom", "great britain", "susp", "win64", "content type", "trojandropper", "worm", "ransom", "expiration", "no expiration", "hostname", "url http", "embeddedwb", "shellexecuteexw", "whitelisted", "msie", "service", "cloud", "hostname add", "extraction", "data upload", "enter soukue", "url uk", "teukau", "drup uk", "drows type", "extre", "include review", "exclude sugges", "find", "a domains", "gmt content", "ipv4 add", "canada unknown", "meta", "cloudflare", "status", "span", "reverse dns", "asn as13335", "dns resolutions", "domains top", "body", "apache", "delete", "ukraine", "registrar", "creation date", "servers", "present jul", "self", "date tue", "gmt server", "expires wed", "apache vary", "server google", "tag manager", "gmt etag", "acceptranges", "contentlength", "pragma", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "itre att", "unicode text", "utf8 text", "crlf", "lf line", "copy md5", "sha1", "copy sha1", "sha256", "copy sha256", "size", "truetype", "ascii text", "pattern match", "mitre att", "format", "general", "local", "path", "encrypt", "click", "strings" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1326, "URL": 3745, "domain": 778, "email": 2, "FileHash-SHA256": 2360, "FileHash-MD5": 355, "FileHash-SHA1": 347, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 8917, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "283 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://workfree30-td.xorg.pl/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://workfree30-td.xorg.pl/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780432369.8998787 }