{ "type": "URL", "indicator": "https://ww1.goatd.net", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ww1.goatd.net", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3741602919, "indicator": "https://ww1.goatd.net", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 27, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "8 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688ef0516013ca78448bf4e5", "name": "Foundry \u2022 Reflected Networks Pornhub Malvertising Subsidiary", "description": "Foundry ? Pornhub\nsanfoundry.com\ncompliance.fifoundry.net- Pornhub subsidiary. Targets networks, devices, routers, used for promoting pornography and her music. Producer revealed her hooks were used for Justin Bieber & Tori Kelly songs that. A producer stated her songs had been grifted. Both Tsara Brashears & a studio were in Pegasus & attacked by \u2018Lazarus\u2019 Group. She was told in detail how her songs can be used by music insiders if they choose. Target trolled by mocking hackers re: the JB and Kelly song.. Trojan:Win32/DisableUAC.A!bit\n, MSIL:Suspicious:ScreenCapture.S01\nIDS Detections\nLokiBot Checkin\nLokiBot User-Agent (Charon/Inferno)\nLokiBot Application/Credential Data Exfiltration Detected M1\nLokiBot Request for C2 Commands Detected M1\nLokiBot Application/Credential Data Exfiltration Detected M2\nLokiBot Request for C2 Commands Detected M2\nTrojan Generic - POST To gate.php with no referer\nSSL excessive fatal alerts (possible POODLE attack against server)\nI will revisit this. Gloryhole Foundation?", "modified": "2025-09-02T04:01:31.218000", "created": "2025-08-03T05:14:57.402000", "tags": [ "united", "moved", "entries", "passive dns", "detected m1", "next associated", "mtb apr", "mtb aug", "server", "gmt content", "trojandropper", "trojan", "body", "lokibot request", "c2 commands", "detected m2", "otx telemetry", "historical otx", "twitter running", "open ports", "cves", "time", "dynamicloader", "port", "search", "show", "destination", "alerts", "copy", "dynamic", "medium", "write", "creation date", "hostmaster", "urls", "domain", "showing", "hostname add", "pulse pulses", "date", "flag", "falcon sandbox", "name server", "markmonitor", "analysis", "mitre att", "anonymous", "upgrade", "hybrid", "contact", "usa windows", "december", "input threat", "level analysis", "summary", "february", "hwp support", "january", "october", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "calls", "command", "javascript", "object model", "model", "windir", "json data", "localappdata", "ascii text", "temp", "getprocaddress", "script", "license", "runtime process", "copy md5", "facebook", "roboto", "error", "win64", "path", "blink", "meta", "factory", "general", "comspec", "click", "strings", "damage", "mini", "stop", "core", "expl", "win32", "gmt server", "ecacc saa83dd", "ipv4 add", "twitter", "cobalt strike", "mozilla" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 263, "FileHash-SHA1": 256, "FileHash-SHA256": 837, "hostname": 4415, "URL": 1918, "domain": 1884, "email": 2, "SSLCertFingerprint": 2 }, "indicator_count": 9577, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6879093e8658df9f35683846", "name": "Worm:Win32/Benjamin continues to impact network", "description": "Worm:Win32/Benjamin continues to impact network operations of a little known, limited national cybers space organization. P2P-Worm.\n*IDS Detections: \n\u2022 Win32.Worm.Benjamin.A CnC Checkin Alerts\n\u2022 nids_malware_alert\n\u2022 network_icmp\n\u2022 network_irc\n\u2022 persistence_autorun\n| Multiple network issues from outages, stolen password keychains, credentials dumping, impressive espionage attacks. Likely goes unnoticed to many. Widely regarded/reported as an outage that is really an unpatched, ongoing cyber attack.", "modified": "2025-08-16T14:00:26.166000", "created": "2025-07-17T14:31:26.824000", "tags": [ "include review", "data upload", "extraction", "read c", "search", "medium", "show", "msie", "windows nt", "wow64", "slcc2", "media center", "entries", "dock", "write", "execution", "capture", "next", "copy", "date", "aaaa", "present may", "present nov", "passive dns", "ip address", "domain", "status", "next associated", "delete", "iocs", "failed", "sc data", "type", "extr data", "included", "review iocs", "memcommit", "user execution", "module load", "t1129", "icmp traffic", "high", "collection", "cmd c", "t1055", "enter", "extract", "enter sc", "drop or", "browse t", "oprop", "extraction data", "enter source", "url or", "texorag", "browse", "urls", "dnssec", "hostname add", "pulse pulses", "files", "files ip", "domainadmin", "showing", "ttl value", "thumbprint", "onlv", "find", "extri data", "dran anu", "extr", "manually add", "review exclude", "sugges", "find s", "typ hos", "se data", "include data", "review locs", "exclude", "suggested es", "intel", "ms windows", "write c", "pe32", "pe32 executable", "copy c", "worm", "win32", "benjamin", "june", "delphi", "malware", "nids", "icmp delphi", "yara detections", "malware traffic", "checkin", "code", "name servers", "servers", "pulses", "expiration date", "united", "body", "cookie", "related tags", "file type", "pe packer", "pm size", "sha1 sha256", "imphash pehash", "virustotal api", "screenshots", "comments" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 536, "FileHash-SHA1": 465, "FileHash-SHA256": 1836, "domain": 766, "hostname": 960, "URL": 2879, "CVE": 1, "email": 4 }, "indicator_count": 7447, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6888a85aa32aab22f638d0e6", "name": "Autodesk issue in CrowdStrike prior to outage | [by scoreblue]", "description": "", "modified": "2025-07-29T10:54:18.501000", "created": "2025-07-29T10:54:18.501000", "tags": [ "healthy check", "ssl bypass", "domain tracker", "privacy badger", "startpage", "w11 pc", "pass", "iocs", "all scoreblue", "pdf report", "pcap", "stix", "avast avg", "no expiration", "status", "name servers", "moved", "h1 center", "next", "sec ch", "ch ua", "ua platform", "emails", "certificate", "passive dns", "urls", "encrypt", "body", "pe32 executable", "ms windows", "intel", "windows control", "panel item", "dos borland", "executable", "algorithm", "thumbprint", "serial number", "signing ca", "symantec time", "stamping", "g2 name", "g2 issuer", "class", "code", "kb pe", "csc corporate", "porkbun llc", "gandi sas", "request", "path", "get https", "get http", "response", "cachecontrol", "pragma", "connection", "gmt connection", "accept", "slug", "as29789", "united", "unknown", "ransom", "heur", "server", "registrar abuse", "san rafael", "autodesk", "contact phone", "registrar url", "process32nextw", "create c", "read c", "writeconsolew", "delete", "write", "show", "malware", "write c", "regsetvalueexa", "delete c", "search", "regdword", "whitelisted", "panda banker", "ursnif", "win32", "persistence", "execution", "banker", "local", "domain", "servers", "pulse pulses", "files", "ip address", "creation date", "united kingdom", "as9009 m247", "ipv4", "pulse submit", "url analysis", "twitter", "as16552 tiggee", "as397241", "as397240", "entries", "cname", "nxdomain", "a nxdomain", "worm", "file samples", "files matching", "alf features", "denver co", "wewatta", "scan endpoints", "related pulses", "date hash", "showing", "as62597 nsone", "date", "trojanspy", "cookie", "hostmaster", "expiration date", "msie", "windows nt", "wow64", "slcc2", "media center", "tls handshake", "et info", "getdc0x2a", "failure", "post http", "copy", "crash", "ascii text", "ascii", "jpeg image", "artemis", "trojan", "virustotal", "mike", "vipre", "panda", "win32mediadrug", "win324shared", "win32spigot", "hstr", "lowfi", "yara detections", "contacted", "report spam", "mozilla", "trojanclicker", "url http", "url https", "role title", "added active", "type indicator", "source domain", "akamai rank", "hostname", "ver2", "msclkidn", "vids0", "global outage", "cobalt strike", "fancy bear", "communications", "android device", "cnc beacon", "suspicious ua", "youtube", "sakula rat", "mivast", "sakula", "windows", "samuel tulach", "light dark", "samuel", "tulach", "hyperv", "detecting", "writing gui", "bootkits", "world", "information", "discovery", "t1027", "t1057", "t1071", "protocol", "t1105", "tool transfer", "t1129", "capture", "service", "t1119" ], "references": [ "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "Above links in search results direct out with and arrow pointing out.", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "boot.net.anydesk.com removed from my Pulse below", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Win32:Mystic", "display_name": "Win32:Mystic", "target": null }, { "id": "Win.Trojan.Xblocker-236", "display_name": "Win.Trojan.Xblocker-236", "target": null }, { "id": "Ransom:Win32/Genasom", "display_name": "Ransom:Win32/Genasom", "target": "/malware/Ransom:Win32/Genasom" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:JASYP:Backdoor:Win32/Cycbot", "display_name": "ALF:JASYP:Backdoor:Win32/Cycbot", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" }, { "id": "Win.Trojan.PoetRat-7669676-0", "display_name": "Win.Trojan.PoetRat-7669676-0", "target": null }, { "id": "Mivast", "display_name": "Mivast", "target": null }, { "id": "Sakula", "display_name": "Sakula", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "66d89c45ddc0c7db084b75b7", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1417, "FileHash-SHA1": 1165, "FileHash-SHA256": 6536, "URL": 6112, "domain": 1340, "hostname": 2654, "email": 15, "SSLCertFingerprint": 9 }, "indicator_count": 19248, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "264 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684c792c7a89d98470ecef31", "name": "aws.dev - Emotet - Hub for malicious activity", "description": "\u2022 Domain Name: aws.dev |\n\u2022 (DGA) https://www.google.com/search?client=ms-google-coop&q=%22deploy-delete-app-eu-west-1-0.deploy-delete-test-eu-west-1-oigwi9v.us-east-1.forgeapps.ec2.aws.dev%22&cx=003414466004237966221:dgg7iftvryo | \n\u2022 34.226.76.55 |\n\u2022\u2019domains.amazon | \n\u2022 devilspen.com |\n\u2022 aisux.aws.dev |\t\t\n\u2022 alex.aws.dev |\t\n\u2022 askjarvis.aws.dev |\n\u2022 atrium.aws.dev |\n\u2022 automated-runbooks.aws.dev |\nFalse 404 codes and Error pages - very active malicious behavior", "modified": "2025-07-13T18:02:18.648000", "created": "2025-06-13T19:17:00.818000", "tags": [ "united", "creation date", "search", "entries", "passive dns", "urls", "showing", "pulse pulses", "files", "domain", "dnssec", "expiration date", "unknown cname", "hostname add", "date", "redacted for", "email", "code", "organization", "privacy billing", "privacy tech", "postal code", "privacy admin", "com laude", "ltd dba", "nomiq", "limited dba", "admin city", "country", "stateprovince", "city", "mtb oct", "win32", "next associated", "mtb mar", "ipv4 add", "trojan", "apanas", "ransom", "body" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1111, "hostname": 1014, "URL": 2554, "FileHash-SHA256": 1461, "FileHash-MD5": 64, "email": 6, "FileHash-SHA1": 63 }, "indicator_count": 6273, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "279 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d89c45ddc0c7db084b75b7", "name": "Autodesk weakens CS | Unauthorized AlienVault API | Stolen pulsed", "description": "Critical issues within AlienVault , VT & my devices. Plugins auto installed after I opened message from AV user. Sudden redirects to 0/ http/s. Heavy modifications, removal of IoC's on AV & VT & Virus Total. Autodesk.com was under CrowdStrike until last night. Links where vulnerabilities were originating from completely disappeared from graph I kindly kept private. Continuous mods for months to Crowdstrike and other pulses. [https://otx.alienvault.com/api appears in search] A page opens with Tag: \"esta caliente\" | All linked pulses Gone. Only person who frequently contacted me appears where they didn't before & These dishonest billion $ companies cover up though they are at fault for allowing ALL threat actor to be protected with non adversarial businesses. Besides other compromises, surprisingly Brashears porn found in Crowdstrike/Autodesk others. Disappointing.", "modified": "2024-10-04T17:02:07.067000", "created": "2024-09-04T17:43:33.123000", "tags": [ "healthy check", "ssl bypass", "domain tracker", "privacy badger", "startpage", "w11 pc", "pass", "iocs", "all scoreblue", "pdf report", "pcap", "stix", "avast avg", "no expiration", "status", "name servers", "moved", "h1 center", "next", "sec ch", "ch ua", "ua platform", "emails", "certificate", "passive dns", "urls", "encrypt", "body", "pe32 executable", "ms windows", "intel", "windows control", "panel item", "dos borland", "executable", "algorithm", "thumbprint", "serial number", "signing ca", "symantec time", "stamping", "g2 name", "g2 issuer", "class", "code", "kb pe", "csc corporate", "porkbun llc", "gandi sas", "request", "path", "get https", "get http", "response", "cachecontrol", "pragma", "connection", "gmt connection", "accept", "slug", "as29789", "united", "unknown", "ransom", "heur", "server", "registrar abuse", "san rafael", "autodesk", "contact phone", "registrar url", "process32nextw", "create c", "read c", "writeconsolew", "delete", "write", "show", "malware", "write c", "regsetvalueexa", "delete c", "search", "regdword", "whitelisted", "panda banker", "ursnif", "win32", "persistence", "execution", "banker", "local", "domain", "servers", "pulse pulses", "files", "ip address", "creation date", "united kingdom", "as9009 m247", "ipv4", "pulse submit", "url analysis", "twitter", "as16552 tiggee", "as397241", "as397240", "entries", "cname", "nxdomain", "a nxdomain", "worm", "file samples", "files matching", "alf features", "denver co", "wewatta", "scan endpoints", "related pulses", "date hash", "showing", "as62597 nsone", "date", "trojanspy", "cookie", "hostmaster", "expiration date", "msie", "windows nt", "wow64", "slcc2", "media center", "tls handshake", "et info", "getdc0x2a", "failure", "post http", "copy", "crash", "ascii text", "ascii", "jpeg image", "artemis", "trojan", "virustotal", "mike", "vipre", "panda", "win32mediadrug", "win324shared", "win32spigot", "hstr", "lowfi", "yara detections", "contacted", "report spam", "mozilla", "trojanclicker", "url http", "url https", "role title", "added active", "type indicator", "source domain", "akamai rank", "hostname", "ver2", "msclkidn", "vids0", "global outage", "cobalt strike", "fancy bear", "communications", "android device", "cnc beacon", "suspicious ua", "youtube", "sakula rat", "mivast", "sakula", "windows", "samuel tulach", "light dark", "samuel", "tulach", "hyperv", "detecting", "writing gui", "bootkits", "world", "information", "discovery", "t1027", "t1057", "t1071", "protocol", "t1105", "tool transfer", "t1129", "capture", "service", "t1119" ], "references": [ "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "Above links in search results direct out with and arrow pointing out.", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "boot.net.anydesk.com removed from my Pulse below", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Win32:Mystic", "display_name": "Win32:Mystic", "target": null }, { "id": "Win.Trojan.Xblocker-236", "display_name": "Win.Trojan.Xblocker-236", "target": null }, { "id": "Ransom:Win32/Genasom", "display_name": "Ransom:Win32/Genasom", "target": "/malware/Ransom:Win32/Genasom" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:JASYP:Backdoor:Win32/Cycbot", "display_name": "ALF:JASYP:Backdoor:Win32/Cycbot", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" }, { "id": "Win.Trojan.PoetRat-7669676-0", "display_name": "Win.Trojan.PoetRat-7669676-0", "target": null }, { "id": "Mivast", "display_name": "Mivast", "target": null }, { "id": "Sakula", "display_name": "Sakula", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1417, "FileHash-SHA1": 1165, "FileHash-SHA256": 6536, "URL": 6112, "domain": 1340, "hostname": 2654, "email": 15, "SSLCertFingerprint": 9 }, "indicator_count": 19248, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "561 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a20ff8db3854e863dca324", "name": "Shared Modules | Hijacker | Masquerading", "description": "", "modified": "2024-02-12T04:01:56.040000", "created": "2024-01-13T04:22:16.961000", "tags": [ "filehashmd5", "no expiration", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "hostname", "expiration", "domain", "url https", "url http", "source", "stix", "email", "email abuse", "goreasonlimited", "cc no", "tompc", "sum35", "domain xn", "searchbox0", "domainname0", "view", "apple", "apple id", "hijacking", "masquerading", "exploit", "cams", "monitoring", "loki bot", "dns", "open ports", "malvertizing", "malware hosting", "apple script", "js user", "dga", "dga domains", "malware", "multiple_versions", "wagersta", "decode", "system information discovery", "decrypt", "evasion", "defense evasion", "emotet", "android", "ios", "wannacry", "trojan", "worm", "cyber threat", "benjamin", "whois record", "ssl certificate", "contacted", "historical ssl", "referrer", "contacted urls", "execution", "whois whois", "whois sslcert", "and china", "drop", "uchealth", "university of cincinnati health" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2701, "FileHash-SHA1": 2296, "FileHash-SHA256": 3362, "URL": 6191, "domain": 2033, "hostname": 3097, "email": 37, "CVE": 2 }, "indicator_count": 19719, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "797 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655dafbe9ac9ac786fde45ad", "name": "http://malwaredomainlist.com/ \u2022 CNC \u2022 Spyware \u2022 Tracking", "description": "Network capture, dga domain, ecc domain, data collection, voicemail access, mail spammer, registrar abuse\n\n[Auto populated. I can't cannot confirm or deny the accuracy of the following information: A summary of key facts and information about a malicious web domain, hosted by the US government, has been released by Google.com and its parent company, Alphabet, for use on its website.]", "modified": "2023-12-22T06:03:01.993000", "created": "2023-11-22T07:37:34.595000", "tags": [ "united", "as22612", "as2637", "creation date", "search", "moved", "expiration date", "date", "showing", "as397240", "next", "entries", "scan endpoints", "all octoseek", "dns replication", "win32 exe", "network capture", "android", "android adaway", "html", "files", "detections type", "name", "office open", "xml document", "namecheap", "namecheap inc", "whois lookups", "win32 dll", "text", "wextract", "text htaccess", "powershell", "detection list", "blacklist", "first", "ssl certificate", "whois record", "contacted", "december", "whois whois", "threat roundup", "historical ssl", "problems", "referrer", "pe resource", "startpage", "cyber threat", "redline stealer", "mail spammer", "hostname", "phishing site", "malicious site", "installcore", "http spammer", "malware site", "malware", "generic malware", "heur", "generic", "alexa top", "million", "site", "cisco umbrella", "alexa", "ip address", "algorithm", "data", "v3 serial", "number", "cat cnzerossl", "ecc domain", "secure site", "ca ozerossl", "validity", "subject public", "server", "email", "code", "registrar abuse", "country", "privacy service", "withheld", "privacy", "domain name", "pattern match", "ascii text", "appdata", "file", "windows nt", "svg scalable", "vector graphics", "indicator", "gif image", "accept", "hybrid", "general", "local", "pixel", "click", "twitter", "strings", "class", "generator", "critical", "command_and_control", "spyware", "tracking", "voicemail access", "dga", "apple" ], "references": [ "https://www.hybrid-analysis.com/sample/c0c84df54b890bb408fc2289f1e75a29991127bbe207aa30042616b5ea150342/655d9af5679c7afcc409895e", "\u2193Interesting\u2193", "IPv4 198.54.117.211 command_and_control", "IPv4 198.54.117.210 command_and_control", "IPv4 198.54.117.212 command_and_control", "IPv4 198.54.117.215 command_and_control", "IPv4 198.54.117.217 command_and_control", "IPv4 198.54.117.218 command_and_control", "apple-securityiphone-icloud.com", "tx-p2p-pull.video-voip.com.dorm.com", "http://updates.voicemailaccess.net/b0f6a00b15311023", "tvapp-server.de", "zeustracker.abuse.ch", "ransomwaretracker.abuse.ch", "http://t.trkitok.com/track/rep?oid=2001&st=1&id=DP2441--w1VJE427J8SGGRTP02MD7UEG___93737493-c08b-4dc7-ad30-b17a2c09e771___$mid", "louisianarooflawyers.com [phishing]", "hasownproperty.call" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 105, "FileHash-SHA1": 100, "FileHash-SHA256": 3072, "domain": 1188, "email": 5, "URL": 7940, "hostname": 1925, "CVE": 1 }, "indicator_count": 14336, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "849 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a6b7ff4216fe9cd82625", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:52:05.939000", "created": "2023-12-06T16:52:05.939000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1181, "CVE": 1, "FileHash-SHA256": 1556, "URL": 2748, "domain": 419, "FileHash-MD5": 646, "FileHash-SHA1": 348, "email": 3, "CIDR": 1 }, "indicator_count": 6903, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a53f5c404226f3d77347", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:45:51.053000", "created": "2023-12-06T16:45:51.053000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 347, "FileHash-SHA256": 225, "domain": 242, "URL": 1522, "email": 1, "CIDR": 1, "FileHash-MD5": 2 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a53b9421d107b6ade1c1", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:45:47.109000", "created": "2023-12-06T16:45:47.109000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 347, "FileHash-SHA256": 225, "domain": 242, "URL": 1522, "email": 1, "CIDR": 1, "FileHash-MD5": 2 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a0421567e0f495b14cd0", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:24:34.371000", "created": "2023-12-06T16:24:34.371000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 347, "FileHash-SHA256": 225, "domain": 242, "URL": 1522, "email": 1, "CIDR": 1, "FileHash-MD5": 2 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a03f87b83a2b197bf33b", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:24:31.813000", "created": "2023-12-06T16:24:31.813000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 347, "FileHash-SHA256": 225, "domain": 242, "URL": 1522, "email": 1, "CIDR": 1, "FileHash-MD5": 2 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a032d1f648020fa5206b", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:24:18.733000", "created": "2023-12-06T16:24:18.733000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 347, "FileHash-SHA256": 225, "domain": 242, "URL": 1522, "email": 1, "CIDR": 1, "FileHash-MD5": 2 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a02fad7881a4d09c1ad7", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:24:15.255000", "created": "2023-12-06T16:24:15.255000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 347, "FileHash-SHA256": 225, "domain": 242, "URL": 1522, "email": 1, "CIDR": 1, "FileHash-MD5": 2 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a029f7654ae30157d89f", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:24:07.472000", "created": "2023-12-06T16:24:07.472000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1181, "CVE": 1, "FileHash-SHA256": 1556, "URL": 2748, "domain": 419, "FileHash-MD5": 646, "FileHash-SHA1": 348, "email": 3, "CIDR": 1 }, "indicator_count": 6903, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f123278ba7a9e62fdc4cb", "name": "DGA Domain", "description": "", "modified": "2023-10-30T02:17:22.194000", "created": "2023-10-30T02:17:22.194000", "tags": [ "domain related", "united", "as32244 liquid", "creation date", "search", "for privacy", "entries", "unknown", "moved", "frame", "passive dns", "date", "body", "footer", "apache", "abuse", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65134ae8fc70cf6ef83d7d74", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 950, "email": 7, "CIDR": 2, "FileHash-MD5": 650, "FileHash-SHA256": 2081, "URL": 3334, "hostname": 1804, "CVE": 1, "FileHash-SHA1": 353 }, "indicator_count": 9182, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "902 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65134ae8fc70cf6ef83d7d74", "name": "DGA Domain", "description": "", "modified": "2023-09-26T21:19:36.331000", "created": "2023-09-26T21:19:36.331000", "tags": [ "domain related", "united", "as32244 liquid", "creation date", "search", "for privacy", "entries", "unknown", "moved", "frame", "passive dns", "date", "body", "footer", "apache", "abuse", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64df7031dfbe14bb4c3d7de0", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 950, "email": 7, "CIDR": 2, "FileHash-MD5": 650, "FileHash-SHA256": 2081, "URL": 3334, "hostname": 1804, "CVE": 1, "FileHash-SHA1": 353 }, "indicator_count": 9182, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "935 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6507d5dc417a578a2e864610", "name": "DGA Domain", "description": "", "modified": "2023-09-18T04:45:16.384000", "created": "2023-09-18T04:45:16.384000", "tags": [ "domain related", "united", "as32244 liquid", "creation date", "search", "for privacy", "entries", "unknown", "moved", "frame", "passive dns", "date", "body", "footer", "apache", "abuse", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64df7038cc4e3463eb78ff27", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 242, "email": 1, "CIDR": 1, "FileHash-MD5": 2, "FileHash-SHA256": 225, "URL": 1522, "hostname": 347 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "944 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6507d5d4f466641281acd78e", "name": "DGA Domain", "description": "", "modified": "2023-09-18T04:45:08.298000", "created": "2023-09-18T04:45:08.298000", "tags": [ "domain related", "united", "as32244 liquid", "creation date", "search", "for privacy", "entries", "unknown", "moved", "frame", "passive dns", "date", "body", "footer", "apache", "abuse", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64df7038cc4e3463eb78ff27", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 242, "email": 1, "CIDR": 1, "FileHash-MD5": 2, "FileHash-SHA256": 225, "URL": 1522, "hostname": 347 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "944 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64df7031dfbe14bb4c3d7de0", "name": "DGA Domain", "description": "nsis\ncontains-pe\ndownloads-pdf\nupx\nDGA domain. Host at least 2 malicious files.\nA domain generation algorithm (DGA) is a program that generates a large list of domain names. DGAs provide malware with new domains in order to evade security countermeasures. DGA can provide hundreds of new, random domains. This enables hackers to keep their servers up and running without being blocklisted or taken down by the victim. Malware switch between domains faster than security software can take them down.\nUsed by Adversarial businesses, authentication and especially law firms to silence victims of crime.", "modified": "2023-09-17T18:04:52.183000", "created": "2023-08-18T13:20:49.696000", "tags": [ "domain related", "united", "as32244 liquid", "creation date", "search", "for privacy", "entries", "unknown", "moved", "frame", "passive dns", "date", "body", "footer", "apache", "abuse", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 950, "email": 7, "CIDR": 2, "FileHash-MD5": 650, "FileHash-SHA256": 2081, "URL": 3334, "hostname": 1804, "CVE": 1, "FileHash-SHA1": 353 }, "indicator_count": 9182, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "944 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64df703a4f3fa01a8973efba", "name": "DGA Domain", "description": "nsis\ncontains-pe\ndownloads-pdf\nupx\nDGA domain. Host at least 2 malicious files.\nA domain generation algorithm (DGA) is a program that generates a large list of domain names. DGAs provide malware with new domains in order to evade security countermeasures. DGA can provide hundreds of new, random domains. This enables hackers to keep their servers up and running without being blocklisted or taken down by the victim. Malware switch between domains faster than security software can take them down.\nUsed by Adversarial businesses, authentication and especially law firms to silence victims of crime.", "modified": "2023-09-17T12:01:26.028000", "created": "2023-08-18T13:20:58.051000", "tags": [ "domain related", "united", "as32244 liquid", "creation date", "search", "for privacy", "entries", "unknown", "moved", "frame", "passive dns", "date", "body", "footer", "apache", "abuse", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 242, "email": 1, "CIDR": 1, "FileHash-MD5": 2, "FileHash-SHA256": 225, "URL": 1522, "hostname": 347 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "945 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64df70390b3584b7291eea68", "name": "DGA Domain", "description": "nsis\ncontains-pe\ndownloads-pdf\nupx\nDGA domain. Host at least 2 malicious files.\nA domain generation algorithm (DGA) is a program that generates a large list of domain names. DGAs provide malware with new domains in order to evade security countermeasures. DGA can provide hundreds of new, random domains. This enables hackers to keep their servers up and running without being blocklisted or taken down by the victim. Malware switch between domains faster than security software can take them down.\nUsed by Adversarial businesses, authentication and especially law firms to silence victims of crime.", "modified": "2023-09-17T12:01:26.028000", "created": "2023-08-18T13:20:57.788000", "tags": [ "domain related", "united", "as32244 liquid", "creation date", "search", "for privacy", "entries", "unknown", "moved", "frame", "passive dns", "date", "body", "footer", "apache", "abuse", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 242, "email": 1, "CIDR": 1, "FileHash-MD5": 2, "FileHash-SHA256": 225, "URL": 1522, "hostname": 347 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "945 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64df7038cc4e3463eb78ff27", "name": "DGA Domain", "description": "nsis\ncontains-pe\ndownloads-pdf\nupx\nDGA domain. Host at least 2 malicious files.\nA domain generation algorithm (DGA) is a program that generates a large list of domain names. DGAs provide malware with new domains in order to evade security countermeasures. DGA can provide hundreds of new, random domains. This enables hackers to keep their servers up and running without being blocklisted or taken down by the victim. Malware switch between domains faster than security software can take them down.\nUsed by Adversarial businesses, authentication and especially law firms to silence victims of crime.", "modified": "2023-09-17T12:01:26.028000", "created": "2023-08-18T13:20:56.820000", "tags": [ "domain related", "united", "as32244 liquid", "creation date", "search", "for privacy", "entries", "unknown", "moved", "frame", "passive dns", "date", "body", "footer", "apache", "abuse", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 242, "email": 1, "CIDR": 1, "FileHash-MD5": 2, "FileHash-SHA256": 225, "URL": 1522, "hostname": 347 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "945 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64df70342977f4a2d34df76f", "name": "DGA Domain", "description": "nsis\ncontains-pe\ndownloads-pdf\nupx\nDGA domain. Host at least 2 malicious files.\nA domain generation algorithm (DGA) is a program that generates a large list of domain names. DGAs provide malware with new domains in order to evade security countermeasures. DGA can provide hundreds of new, random domains. This enables hackers to keep their servers up and running without being blocklisted or taken down by the victim. Malware switch between domains faster than security software can take them down.\nUsed by Adversarial businesses, authentication and especially law firms to silence victims of crime.", "modified": "2023-09-17T12:01:26.028000", "created": "2023-08-18T13:20:52.030000", "tags": [ "domain related", "united", "as32244 liquid", "creation date", "search", "for privacy", "entries", "unknown", "moved", "frame", "passive dns", "date", "body", "footer", "apache", "abuse", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 242, "email": 1, "CIDR": 1, "FileHash-MD5": 2, "FileHash-SHA256": 225, "URL": 1522, "hostname": 347 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "945 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "IPv4 198.54.117.218 command_and_control", "http://updates.voicemailaccess.net/b0f6a00b15311023", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "boot.net.anydesk.com removed from my Pulse below", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "IPv4 198.54.117.215 command_and_control", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "IPv4 198.54.117.210 command_and_control", "ransomwaretracker.abuse.ch", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "zeustracker.abuse.ch", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "Verification failure observed in automated verification handlers during sandbox replay.", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Above links in search results direct out with and arrow pointing out.", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "http://t.trkitok.com/track/rep?oid=2001&st=1&id=DP2441--w1VJE427J8SGGRTP02MD7UEG___93737493-c08b-4dc7-ad30-b17a2c09e771___$mid", "louisianarooflawyers.com [phishing]", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "\u2193Interesting\u2193", "IPv4 198.54.117.217 command_and_control", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "apple-securityiphone-icloud.com", "tvapp-server.de", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "hasownproperty.call", "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d", "IPv4 198.54.117.211 command_and_control", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "IPv4 198.54.117.212 command_and_control", "tx-p2p-pull.video-voip.com.dorm.com", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "https://www.hybrid-analysis.com/sample/c0c84df54b890bb408fc2289f1e75a29991127bbe207aa30042616b5ea150342/655d9af5679c7afcc409895e", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Ransom:win32/genasom", "#lowfienabledtcontinueafterunpacking", "Sakula", "Blacknet", "Installcore", "Win.trojan.xblocker-236", "Win32:mystic", "Trojanspy", "Win.trojan.poetrat-7669676-0", "Mivast", "Alf:jasyp:backdoor:win32/cycbot", "Generic", "Worm:win32/autorun", "Trojanspy:win32/usteal" ], "industries": [ "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in" ], "unique_indicators": 201130 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/goatd.net", "whois": "http://whois.domaintools.com/goatd.net", "domain": "goatd.net", "hostname": "ww1.goatd.net" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 27, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "8 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688ef0516013ca78448bf4e5", "name": "Foundry \u2022 Reflected Networks Pornhub Malvertising Subsidiary", "description": "Foundry ? Pornhub\nsanfoundry.com\ncompliance.fifoundry.net- Pornhub subsidiary. Targets networks, devices, routers, used for promoting pornography and her music. Producer revealed her hooks were used for Justin Bieber & Tori Kelly songs that. A producer stated her songs had been grifted. Both Tsara Brashears & a studio were in Pegasus & attacked by \u2018Lazarus\u2019 Group. She was told in detail how her songs can be used by music insiders if they choose. Target trolled by mocking hackers re: the JB and Kelly song.. Trojan:Win32/DisableUAC.A!bit\n, MSIL:Suspicious:ScreenCapture.S01\nIDS Detections\nLokiBot Checkin\nLokiBot User-Agent (Charon/Inferno)\nLokiBot Application/Credential Data Exfiltration Detected M1\nLokiBot Request for C2 Commands Detected M1\nLokiBot Application/Credential Data Exfiltration Detected M2\nLokiBot Request for C2 Commands Detected M2\nTrojan Generic - POST To gate.php with no referer\nSSL excessive fatal alerts (possible POODLE attack against server)\nI will revisit this. Gloryhole Foundation?", "modified": "2025-09-02T04:01:31.218000", "created": "2025-08-03T05:14:57.402000", "tags": [ "united", "moved", "entries", "passive dns", "detected m1", "next associated", "mtb apr", "mtb aug", "server", "gmt content", "trojandropper", "trojan", "body", "lokibot request", "c2 commands", "detected m2", "otx telemetry", "historical otx", "twitter running", "open ports", "cves", "time", "dynamicloader", "port", "search", "show", "destination", "alerts", "copy", "dynamic", "medium", "write", "creation date", "hostmaster", "urls", "domain", "showing", "hostname add", "pulse pulses", "date", "flag", "falcon sandbox", "name server", "markmonitor", "analysis", "mitre att", "anonymous", "upgrade", "hybrid", "contact", "usa windows", "december", "input threat", "level analysis", "summary", "february", "hwp support", "january", "october", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "calls", "command", "javascript", "object model", "model", "windir", "json data", "localappdata", "ascii text", "temp", "getprocaddress", "script", "license", "runtime process", "copy md5", "facebook", "roboto", "error", "win64", "path", "blink", "meta", "factory", "general", "comspec", "click", "strings", "damage", "mini", "stop", "core", "expl", "win32", "gmt server", "ecacc saa83dd", "ipv4 add", "twitter", "cobalt strike", "mozilla" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 263, "FileHash-SHA1": 256, "FileHash-SHA256": 837, "hostname": 4415, "URL": 1918, "domain": 1884, "email": 2, "SSLCertFingerprint": 2 }, "indicator_count": 9577, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6879093e8658df9f35683846", "name": "Worm:Win32/Benjamin continues to impact network", "description": "Worm:Win32/Benjamin continues to impact network operations of a little known, limited national cybers space organization. P2P-Worm.\n*IDS Detections: \n\u2022 Win32.Worm.Benjamin.A CnC Checkin Alerts\n\u2022 nids_malware_alert\n\u2022 network_icmp\n\u2022 network_irc\n\u2022 persistence_autorun\n| Multiple network issues from outages, stolen password keychains, credentials dumping, impressive espionage attacks. Likely goes unnoticed to many. Widely regarded/reported as an outage that is really an unpatched, ongoing cyber attack.", "modified": "2025-08-16T14:00:26.166000", "created": "2025-07-17T14:31:26.824000", "tags": [ "include review", "data upload", "extraction", "read c", "search", "medium", "show", "msie", "windows nt", "wow64", "slcc2", "media center", "entries", "dock", "write", "execution", "capture", "next", "copy", "date", "aaaa", "present may", "present nov", "passive dns", "ip address", "domain", "status", "next associated", "delete", "iocs", "failed", "sc data", "type", "extr data", "included", "review iocs", "memcommit", "user execution", "module load", "t1129", "icmp traffic", "high", "collection", "cmd c", "t1055", "enter", "extract", "enter sc", "drop or", "browse t", "oprop", "extraction data", "enter source", "url or", "texorag", "browse", "urls", "dnssec", "hostname add", "pulse pulses", "files", "files ip", "domainadmin", "showing", "ttl value", "thumbprint", "onlv", "find", "extri data", "dran anu", "extr", "manually add", "review exclude", "sugges", "find s", "typ hos", "se data", "include data", "review locs", "exclude", "suggested es", "intel", "ms windows", "write c", "pe32", "pe32 executable", "copy c", "worm", "win32", "benjamin", "june", "delphi", "malware", "nids", "icmp delphi", "yara detections", "malware traffic", "checkin", "code", "name servers", "servers", "pulses", "expiration date", "united", "body", "cookie", "related tags", "file type", "pe packer", "pm size", "sha1 sha256", "imphash pehash", "virustotal api", "screenshots", "comments" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 536, "FileHash-SHA1": 465, "FileHash-SHA256": 1836, "domain": 766, "hostname": 960, "URL": 2879, "CVE": 1, "email": 4 }, "indicator_count": 7447, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6888a85aa32aab22f638d0e6", "name": "Autodesk issue in CrowdStrike prior to outage | [by scoreblue]", "description": "", "modified": "2025-07-29T10:54:18.501000", "created": "2025-07-29T10:54:18.501000", "tags": [ "healthy check", "ssl bypass", "domain tracker", "privacy badger", "startpage", "w11 pc", "pass", "iocs", "all scoreblue", "pdf report", "pcap", "stix", "avast avg", "no expiration", "status", "name servers", "moved", "h1 center", "next", "sec ch", "ch ua", "ua platform", "emails", "certificate", "passive dns", "urls", "encrypt", "body", "pe32 executable", "ms windows", "intel", "windows control", "panel item", "dos borland", "executable", "algorithm", "thumbprint", "serial number", "signing ca", "symantec time", "stamping", "g2 name", "g2 issuer", "class", "code", "kb pe", "csc corporate", "porkbun llc", "gandi sas", "request", "path", "get https", "get http", "response", "cachecontrol", "pragma", "connection", "gmt connection", "accept", "slug", "as29789", "united", "unknown", "ransom", "heur", "server", "registrar abuse", "san rafael", "autodesk", "contact phone", "registrar url", "process32nextw", "create c", "read c", "writeconsolew", "delete", "write", "show", "malware", "write c", "regsetvalueexa", "delete c", "search", "regdword", "whitelisted", "panda banker", "ursnif", "win32", "persistence", "execution", "banker", "local", "domain", "servers", "pulse pulses", "files", "ip address", "creation date", "united kingdom", "as9009 m247", "ipv4", "pulse submit", "url analysis", "twitter", "as16552 tiggee", "as397241", "as397240", "entries", "cname", "nxdomain", "a nxdomain", "worm", "file samples", "files matching", "alf features", "denver co", "wewatta", "scan endpoints", "related pulses", "date hash", "showing", "as62597 nsone", "date", "trojanspy", "cookie", "hostmaster", "expiration date", "msie", "windows nt", "wow64", "slcc2", "media center", "tls handshake", "et info", "getdc0x2a", "failure", "post http", "copy", "crash", "ascii text", "ascii", "jpeg image", "artemis", "trojan", "virustotal", "mike", "vipre", "panda", "win32mediadrug", "win324shared", "win32spigot", "hstr", "lowfi", "yara detections", "contacted", "report spam", "mozilla", "trojanclicker", "url http", "url https", "role title", "added active", "type indicator", "source domain", "akamai rank", "hostname", "ver2", "msclkidn", "vids0", "global outage", "cobalt strike", "fancy bear", "communications", "android device", "cnc beacon", "suspicious ua", "youtube", "sakula rat", "mivast", "sakula", "windows", "samuel tulach", "light dark", "samuel", "tulach", "hyperv", "detecting", "writing gui", "bootkits", "world", "information", "discovery", "t1027", "t1057", "t1071", "protocol", "t1105", "tool transfer", "t1129", "capture", "service", "t1119" ], "references": [ "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "Above links in search results direct out with and arrow pointing out.", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "boot.net.anydesk.com removed from my Pulse below", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Win32:Mystic", "display_name": "Win32:Mystic", "target": null }, { "id": "Win.Trojan.Xblocker-236", "display_name": "Win.Trojan.Xblocker-236", "target": null }, { "id": "Ransom:Win32/Genasom", "display_name": "Ransom:Win32/Genasom", "target": "/malware/Ransom:Win32/Genasom" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:JASYP:Backdoor:Win32/Cycbot", "display_name": "ALF:JASYP:Backdoor:Win32/Cycbot", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" }, { "id": "Win.Trojan.PoetRat-7669676-0", "display_name": "Win.Trojan.PoetRat-7669676-0", "target": null }, { "id": "Mivast", "display_name": "Mivast", "target": null }, { "id": "Sakula", "display_name": "Sakula", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "66d89c45ddc0c7db084b75b7", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1417, "FileHash-SHA1": 1165, "FileHash-SHA256": 6536, "URL": 6112, "domain": 1340, "hostname": 2654, "email": 15, "SSLCertFingerprint": 9 }, "indicator_count": 19248, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "264 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684c792c7a89d98470ecef31", "name": "aws.dev - Emotet - Hub for malicious activity", "description": "\u2022 Domain Name: aws.dev |\n\u2022 (DGA) https://www.google.com/search?client=ms-google-coop&q=%22deploy-delete-app-eu-west-1-0.deploy-delete-test-eu-west-1-oigwi9v.us-east-1.forgeapps.ec2.aws.dev%22&cx=003414466004237966221:dgg7iftvryo | \n\u2022 34.226.76.55 |\n\u2022\u2019domains.amazon | \n\u2022 devilspen.com |\n\u2022 aisux.aws.dev |\t\t\n\u2022 alex.aws.dev |\t\n\u2022 askjarvis.aws.dev |\n\u2022 atrium.aws.dev |\n\u2022 automated-runbooks.aws.dev |\nFalse 404 codes and Error pages - very active malicious behavior", "modified": "2025-07-13T18:02:18.648000", "created": "2025-06-13T19:17:00.818000", "tags": [ "united", "creation date", "search", "entries", "passive dns", "urls", "showing", "pulse pulses", "files", "domain", "dnssec", "expiration date", "unknown cname", "hostname add", "date", "redacted for", "email", "code", "organization", "privacy billing", "privacy tech", "postal code", "privacy admin", "com laude", "ltd dba", "nomiq", "limited dba", "admin city", "country", "stateprovince", "city", "mtb oct", "win32", "next associated", "mtb mar", "ipv4 add", "trojan", "apanas", "ransom", "body" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1111, "hostname": 1014, "URL": 2554, "FileHash-SHA256": 1461, "FileHash-MD5": 64, "email": 6, "FileHash-SHA1": 63 }, "indicator_count": 6273, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "279 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d89c45ddc0c7db084b75b7", "name": "Autodesk weakens CS | Unauthorized AlienVault API | Stolen pulsed", "description": "Critical issues within AlienVault , VT & my devices. Plugins auto installed after I opened message from AV user. Sudden redirects to 0/ http/s. Heavy modifications, removal of IoC's on AV & VT & Virus Total. Autodesk.com was under CrowdStrike until last night. Links where vulnerabilities were originating from completely disappeared from graph I kindly kept private. Continuous mods for months to Crowdstrike and other pulses. [https://otx.alienvault.com/api appears in search] A page opens with Tag: \"esta caliente\" | All linked pulses Gone. Only person who frequently contacted me appears where they didn't before & These dishonest billion $ companies cover up though they are at fault for allowing ALL threat actor to be protected with non adversarial businesses. Besides other compromises, surprisingly Brashears porn found in Crowdstrike/Autodesk others. Disappointing.", "modified": "2024-10-04T17:02:07.067000", "created": "2024-09-04T17:43:33.123000", "tags": [ "healthy check", "ssl bypass", "domain tracker", "privacy badger", "startpage", "w11 pc", "pass", "iocs", "all scoreblue", "pdf report", "pcap", "stix", "avast avg", "no expiration", "status", "name servers", "moved", "h1 center", "next", "sec ch", "ch ua", "ua platform", "emails", "certificate", "passive dns", "urls", "encrypt", "body", "pe32 executable", "ms windows", "intel", "windows control", "panel item", "dos borland", "executable", "algorithm", "thumbprint", "serial number", "signing ca", "symantec time", "stamping", "g2 name", "g2 issuer", "class", "code", "kb pe", "csc corporate", "porkbun llc", "gandi sas", "request", "path", "get https", "get http", "response", "cachecontrol", "pragma", "connection", "gmt connection", "accept", "slug", "as29789", "united", "unknown", "ransom", "heur", "server", "registrar abuse", "san rafael", "autodesk", "contact phone", "registrar url", "process32nextw", "create c", "read c", "writeconsolew", "delete", "write", "show", "malware", "write c", "regsetvalueexa", "delete c", "search", "regdword", "whitelisted", "panda banker", "ursnif", "win32", "persistence", "execution", "banker", "local", "domain", "servers", "pulse pulses", "files", "ip address", "creation date", "united kingdom", "as9009 m247", "ipv4", "pulse submit", "url analysis", "twitter", "as16552 tiggee", "as397241", "as397240", "entries", "cname", "nxdomain", "a nxdomain", "worm", "file samples", "files matching", "alf features", "denver co", "wewatta", "scan endpoints", "related pulses", "date hash", "showing", "as62597 nsone", "date", "trojanspy", "cookie", "hostmaster", "expiration date", "msie", "windows nt", "wow64", "slcc2", "media center", "tls handshake", "et info", "getdc0x2a", "failure", "post http", "copy", "crash", "ascii text", "ascii", "jpeg image", "artemis", "trojan", "virustotal", "mike", "vipre", "panda", "win32mediadrug", "win324shared", "win32spigot", "hstr", "lowfi", "yara detections", "contacted", "report spam", "mozilla", "trojanclicker", "url http", "url https", "role title", "added active", "type indicator", "source domain", "akamai rank", "hostname", "ver2", "msclkidn", "vids0", "global outage", "cobalt strike", "fancy bear", "communications", "android device", "cnc beacon", "suspicious ua", "youtube", "sakula rat", "mivast", "sakula", "windows", "samuel tulach", "light dark", "samuel", "tulach", "hyperv", "detecting", "writing gui", "bootkits", "world", "information", "discovery", "t1027", "t1057", "t1071", "protocol", "t1105", "tool transfer", "t1129", "capture", "service", "t1119" ], "references": [ "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "Above links in search results direct out with and arrow pointing out.", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "boot.net.anydesk.com removed from my Pulse below", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Win32:Mystic", "display_name": "Win32:Mystic", "target": null }, { "id": "Win.Trojan.Xblocker-236", "display_name": "Win.Trojan.Xblocker-236", "target": null }, { "id": "Ransom:Win32/Genasom", "display_name": "Ransom:Win32/Genasom", "target": "/malware/Ransom:Win32/Genasom" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:JASYP:Backdoor:Win32/Cycbot", "display_name": "ALF:JASYP:Backdoor:Win32/Cycbot", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" }, { "id": "Win.Trojan.PoetRat-7669676-0", "display_name": "Win.Trojan.PoetRat-7669676-0", "target": null }, { "id": "Mivast", "display_name": "Mivast", "target": null }, { "id": "Sakula", "display_name": "Sakula", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1417, "FileHash-SHA1": 1165, "FileHash-SHA256": 6536, "URL": 6112, "domain": 1340, "hostname": 2654, "email": 15, "SSLCertFingerprint": 9 }, "indicator_count": 19248, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "561 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a20ff8db3854e863dca324", "name": "Shared Modules | Hijacker | Masquerading", "description": "", "modified": "2024-02-12T04:01:56.040000", "created": "2024-01-13T04:22:16.961000", "tags": [ "filehashmd5", "no expiration", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "hostname", "expiration", "domain", "url https", "url http", "source", "stix", "email", "email abuse", "goreasonlimited", "cc no", "tompc", "sum35", "domain xn", "searchbox0", "domainname0", "view", "apple", "apple id", "hijacking", "masquerading", "exploit", "cams", "monitoring", "loki bot", "dns", "open ports", "malvertizing", "malware hosting", "apple script", "js user", "dga", "dga domains", "malware", "multiple_versions", "wagersta", "decode", "system information discovery", "decrypt", "evasion", "defense evasion", "emotet", "android", "ios", "wannacry", "trojan", "worm", "cyber threat", "benjamin", "whois record", "ssl certificate", "contacted", "historical ssl", "referrer", "contacted urls", "execution", "whois whois", "whois sslcert", "and china", "drop", "uchealth", "university of cincinnati health" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2701, "FileHash-SHA1": 2296, "FileHash-SHA256": 3362, "URL": 6191, "domain": 2033, "hostname": 3097, "email": 37, "CVE": 2 }, "indicator_count": 19719, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "797 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655dafbe9ac9ac786fde45ad", "name": "http://malwaredomainlist.com/ \u2022 CNC \u2022 Spyware \u2022 Tracking", "description": "Network capture, dga domain, ecc domain, data collection, voicemail access, mail spammer, registrar abuse\n\n[Auto populated. I can't cannot confirm or deny the accuracy of the following information: A summary of key facts and information about a malicious web domain, hosted by the US government, has been released by Google.com and its parent company, Alphabet, for use on its website.]", "modified": "2023-12-22T06:03:01.993000", "created": "2023-11-22T07:37:34.595000", "tags": [ "united", "as22612", "as2637", "creation date", "search", "moved", "expiration date", "date", "showing", "as397240", "next", "entries", "scan endpoints", "all octoseek", "dns replication", "win32 exe", "network capture", "android", "android adaway", "html", "files", "detections type", "name", "office open", "xml document", "namecheap", "namecheap inc", "whois lookups", "win32 dll", "text", "wextract", "text htaccess", "powershell", "detection list", "blacklist", "first", "ssl certificate", "whois record", "contacted", "december", "whois whois", "threat roundup", "historical ssl", "problems", "referrer", "pe resource", "startpage", "cyber threat", "redline stealer", "mail spammer", "hostname", "phishing site", "malicious site", "installcore", "http spammer", "malware site", "malware", "generic malware", "heur", "generic", "alexa top", "million", "site", "cisco umbrella", "alexa", "ip address", "algorithm", "data", "v3 serial", "number", "cat cnzerossl", "ecc domain", "secure site", "ca ozerossl", "validity", "subject public", "server", "email", "code", "registrar abuse", "country", "privacy service", "withheld", "privacy", "domain name", "pattern match", "ascii text", "appdata", "file", "windows nt", "svg scalable", "vector graphics", "indicator", "gif image", "accept", "hybrid", "general", "local", "pixel", "click", "twitter", "strings", "class", "generator", "critical", "command_and_control", "spyware", "tracking", "voicemail access", "dga", "apple" ], "references": [ "https://www.hybrid-analysis.com/sample/c0c84df54b890bb408fc2289f1e75a29991127bbe207aa30042616b5ea150342/655d9af5679c7afcc409895e", "\u2193Interesting\u2193", "IPv4 198.54.117.211 command_and_control", "IPv4 198.54.117.210 command_and_control", "IPv4 198.54.117.212 command_and_control", "IPv4 198.54.117.215 command_and_control", "IPv4 198.54.117.217 command_and_control", "IPv4 198.54.117.218 command_and_control", "apple-securityiphone-icloud.com", "tx-p2p-pull.video-voip.com.dorm.com", "http://updates.voicemailaccess.net/b0f6a00b15311023", "tvapp-server.de", "zeustracker.abuse.ch", "ransomwaretracker.abuse.ch", "http://t.trkitok.com/track/rep?oid=2001&st=1&id=DP2441--w1VJE427J8SGGRTP02MD7UEG___93737493-c08b-4dc7-ad30-b17a2c09e771___$mid", "louisianarooflawyers.com [phishing]", "hasownproperty.call" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 105, "FileHash-SHA1": 100, "FileHash-SHA256": 3072, "domain": 1188, "email": 5, "URL": 7940, "hostname": 1925, "CVE": 1 }, "indicator_count": 14336, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "849 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ww1.goatd.net", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ww1.goatd.net", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776616105.97738 }