{ "type": "URL", "indicator": "https://ww17.ww1.dummyurl.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ww17.ww1.dummyurl.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4278748012, "indicator": "https://ww17.ww1.dummyurl.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69c227fd2960e96cae88fb97", "name": "Dropbox Typo squatting campaign. CoolWebSearch, CycBot , Mirai and Ransomware | Many domains affected.", "description": "Dropbox Typo squatting campaign. Mirai and Ransomware | Many domains affected.\n\nHas been executed. Threat actor attacked bank/s and Dropbox via Drive by compromises and malicious redirects. Multiple Dropbox accounts added to customer accounts confuse bank and customers. All accounts kept until Bank experienced serious breach. Bank admits to breach. Unsure if made public. Customer suddenly loses all paid storage, business tools , registered domains , and investment accounts. Bank empathizes targeted attacks.\nOccurred post initial infection & Pegasus Attack by same threat actors.", "modified": "2026-04-23T04:01:31.987000", "created": "2026-03-24T05:58:21.777000", "tags": [ "domain", "ipv4", "ck t1045", "run keys", "startup", "web protocols", "tool transfer", "user execution", "dns", "accept", "active related", "adversaries", "alerts", "apache", "as133618", "ascii text", "australia asn", "av detections", "christopher p ahmann", "brian sabey", "ck id", "ck matrix", "delete", "data upload", "defense evasion", "data", "cycbot", "cowboy", "coolwebsearch", "content", "contacted", "command", "connection", "delphi", "detection", "drop", "location", "manu", "dynamicloader", "elite", "emails", "encrypt", "error", "external", "extraction", "exploit", "failed", "gmt", "format", "forbidden", "privacy", "files", "feat file", "score", "refresh", "!redirect", "ratio", "redacted", "cycbot", "mirai", "unix", "ransomware", "trojan", "ransom", "query", "proximity", "pragma", "pegasus relationship", "typo squatting", "over path", "texarac", "name tactics", "h6rryf", "meta", "mitre att", "redirect", "malware", "malicious", "gmt server", "http header", "local", "little endian", "javascript", "is elf", "learn", "ipv4", "lambda", "lamk", "installer", "hall render", "index", "http request", "high risk", "insert", "ids detections", "informative", "indicator", "facts", "script style", "win32danginex", "trojanclicker", "trojan spy", "spyware", "udp", "windows", "vtab", "virtool", "trojan", "script strings", "stop data", "upatre", "spawns", "united states", "trojanspy", "tam legal", "secchuaplatform", "secchua", "virtool", "ransom", "quasi" ], "references": [ "dropox.com", "Win.Trojan.Agent-31647 \u2022 IDS: Detections CoolWebSearch Spyware (Feat)", "IDS Detections: Query for .cc TLD 403 Forbidden", "103.224.212.215 \u2022 rigs.zu0x.com \u2022 Australia : AS133618 trellian pty. limited", "UDP Include internal to internal communication Top Source 192.168.122.131 Top Destination 8.8.8.8 x", "u47.cc \u2022 IP Address 13.248.169.48, 76.223.54.146 | United States ASN AS16509 amazon.com", "u47.cc \u2022 | Domain is sinkholed | Registrar: ENAME TECHNOLOGY CO., LTD., x", "The Lambda function associated with the CloudFront distribution was throttled.", "We can't connect to the server for this & x Lambda function", "Error https://otx.alienvault.com/indicator/hostname/lb-212-215.above.com", "https://hybrid-analysis.com/sample/6ac18dcdfd4164ed7beeffffc995c5349c52b01dfObe5000f25294d698faf3b9/69c1b" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win. Trojan.Agent-292909", "display_name": "Win. Trojan.Agent-292909", "target": null }, { "id": "Win.Trojan.Agent-336291", "display_name": "Win.Trojan.Agent-336291", "target": null }, { "id": "Trojan.Cycbot-2671", "display_name": "Trojan.Cycbot-2671", "target": null }, { "id": "Virtool:Win32/Obfuscator.JM", "display_name": "Virtool:Win32/Obfuscator.JM", "target": "/malware/Virtool:Win32/Obfuscator.JM" }, { "id": "Win.Trojan.Agent-36211", "display_name": "Win.Trojan.Agent-36211", "target": null }, { "id": "Win.Malware.Agent-6598770-0", "display_name": "Win.Malware.Agent-6598770-0", "target": null }, { "id": "Win.Downloader.14593-1", "display_name": "Win.Downloader.14593-1", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Trojan:Win32/Danginex", "display_name": "Trojan:Win32/Danginex", "target": "/malware/Trojan:Win32/Danginex" }, { "id": "Trojan.Redirector.JS", "display_name": "Trojan.Redirector.JS", "target": null }, { "id": "Win.Ransomware.Wanna-9769986-0", "display_name": "Win.Ransomware.Wanna-9769986-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "CoolWebSearch", "display_name": "CoolWebSearch", "target": null }, { "id": "CycBot", "display_name": "CycBot", "target": null }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan.Startpage-1612", "display_name": "Trojan.Startpage-1612", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 241, "FileHash-SHA1": 245, "FileHash-SHA256": 246, "URL": 548, "CVE": 1, "SSLCertFingerprint": 6, "domain": 198, "email": 6, "hostname": 337 }, "indicator_count": 1828, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c228009e33309be83b65b7", "name": "Dropbox Typo squatting campaign. CoolWebSearch, CycBot , Mirai and Ransomware | Many domains affected.", "description": "Dropbox Typo squatting campaign. Mirai and Ransomware | Many domains affected.\n\nHas been executed. Threat actor attacked bank/s and Dropbox via Drive by compromises and malicious redirects. Multiple Dropbox accounts added to customer accounts confuse bank and customers. All accounts kept until Bank experienced serious breach. Bank admits to breach. Unsure if made public. Customer suddenly loses all paid storage, business tools , registered domains , and investment accounts. Bank empathizes targeted attacks.\nOccurred post initial infection & Pegasus Attack by same threat actors.", "modified": "2026-04-23T04:01:31.987000", "created": "2026-03-24T05:58:24.002000", "tags": [ "domain", "ipv4", "ck t1045", "run keys", "startup", "web protocols", "tool transfer", "user execution", "dns", "accept", "active related", "adversaries", "alerts", "apache", "as133618", "ascii text", "australia asn", "av detections", "christopher p ahmann", "brian sabey", "ck id", "ck matrix", "delete", "data upload", "defense evasion", "data", "cycbot", "cowboy", "coolwebsearch", "content", "contacted", "command", "connection", "delphi", "detection", "drop", "location", "manu", "dynamicloader", "elite", "emails", "encrypt", "error", "external", "extraction", "exploit", "failed", "gmt", "format", "forbidden", "privacy", "files", "feat file", "score", "refresh", "!redirect", "ratio", "redacted", "cycbot", "mirai", "unix", "ransomware", "trojan", "ransom", "query", "proximity", "pragma", "pegasus relationship", "typo squatting", "over path", "texarac", "name tactics", "h6rryf", "meta", "mitre att", "redirect", "malware", "malicious", "gmt server", "http header", "local", "little endian", "javascript", "is elf", "learn", "ipv4", "lambda", "lamk", "installer", "hall render", "index", "http request", "high risk", "insert", "ids detections", "informative", "indicator", "facts", "script style", "win32danginex", "trojanclicker", "trojan spy", "spyware", "udp", "windows", "vtab", "virtool", "trojan", "script strings", "stop data", "upatre", "spawns", "united states", "trojanspy", "tam legal", "secchuaplatform", "secchua", "virtool", "ransom", "quasi" ], "references": [ "dropox.com", "Win.Trojan.Agent-31647 \u2022 IDS: Detections CoolWebSearch Spyware (Feat)", "IDS Detections: Query for .cc TLD 403 Forbidden", "103.224.212.215 \u2022 rigs.zu0x.com \u2022 Australia : AS133618 trellian pty. limited", "UDP Include internal to internal communication Top Source 192.168.122.131 Top Destination 8.8.8.8 x", "u47.cc \u2022 IP Address 13.248.169.48, 76.223.54.146 | United States ASN AS16509 amazon.com", "u47.cc \u2022 | Domain is sinkholed | Registrar: ENAME TECHNOLOGY CO., LTD., x", "The Lambda function associated with the CloudFront distribution was throttled.", "We can't connect to the server for this & x Lambda function", "Error https://otx.alienvault.com/indicator/hostname/lb-212-215.above.com", "https://hybrid-analysis.com/sample/6ac18dcdfd4164ed7beeffffc995c5349c52b01dfObe5000f25294d698faf3b9/69c1b" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win. Trojan.Agent-292909", "display_name": "Win. Trojan.Agent-292909", "target": null }, { "id": "Win.Trojan.Agent-336291", "display_name": "Win.Trojan.Agent-336291", "target": null }, { "id": "Trojan.Cycbot-2671", "display_name": "Trojan.Cycbot-2671", "target": null }, { "id": "Virtool:Win32/Obfuscator.JM", "display_name": "Virtool:Win32/Obfuscator.JM", "target": "/malware/Virtool:Win32/Obfuscator.JM" }, { "id": "Win.Trojan.Agent-36211", "display_name": "Win.Trojan.Agent-36211", "target": null }, { "id": "Win.Malware.Agent-6598770-0", "display_name": "Win.Malware.Agent-6598770-0", "target": null }, { "id": "Win.Downloader.14593-1", "display_name": "Win.Downloader.14593-1", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Trojan:Win32/Danginex", "display_name": "Trojan:Win32/Danginex", "target": "/malware/Trojan:Win32/Danginex" }, { "id": "Trojan.Redirector.JS", "display_name": "Trojan.Redirector.JS", "target": null }, { "id": "Win.Ransomware.Wanna-9769986-0", "display_name": "Win.Ransomware.Wanna-9769986-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "CoolWebSearch", "display_name": "CoolWebSearch", "target": null }, { "id": "CycBot", "display_name": "CycBot", "target": null }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan.Startpage-1612", "display_name": "Trojan.Startpage-1612", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 241, "FileHash-SHA1": 245, "FileHash-SHA256": 246, "URL": 548, "CVE": 1, "SSLCertFingerprint": 6, "domain": 198, "email": 6, "hostname": 337 }, "indicator_count": 1828, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c0a8b94cbf6df8655828d5", "name": "199.191.50.72 ASNONE", "description": "199.191.50.72\nAdd to Pulse\nPulses\n12\nPassive DNS\n500+\nURLs\n10\nFiles\n41K\nAnalysis Overview\nLocation\nVirgin Islands, British flag\nVirgin Islands, British\nASN\nAS40034 confluence networks inc\nDNS Resolutions\n500+ Domains\nTop Level Domains\n42 Unique TLDs\nRelated Pulses\nOTX User-Created Pulses (12)\nRelated Tags\n561 Related Tags\n707713\nransomware\nunited\nsearch\nasnone\nMore\nIndicator Facts\nHistorical OTX telemetry\nIP mentioned on Twitter\n34 domains resolved in last 7 days\n173 domains resolved in last 30 days\n500+ domains resolved in all time\n42 top-level domains\nAntivirus Detections\nALF:E5.SpikeAex.rhh_pid\nALF:HeraklezEval:PUA:Win32/KuaiZip\nALF:HeraklezEval:Trojan:Win32/Eggnog!rfn\nALF:HeraklezEval:Trojan:Win32/Maener!rf\nALF:HeraklezEval:TrojanDownloader:HTML/Adodb\nMore\nAV Detection Ratio\n739\n / 786", "modified": "2026-04-22T03:27:13.249000", "created": "2026-03-23T02:43:05.252000", "tags": [ "msudosos ipv4", "pulse pulses", "passive dns", "urls", "files", "location virgin", "islands", "virgin islands", "british asn", "dns resolutions", "twitter" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 414, "domain": 111, "hostname": 1103, "URL": 485, "FileHash-SHA1": 139, "FileHash-MD5": 138, "email": 2 }, "indicator_count": 2392, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "We can't connect to the server for this & x Lambda function", "103.224.212.215 \u2022 rigs.zu0x.com \u2022 Australia : AS133618 trellian pty. limited", "IDS Detections: Query for .cc TLD 403 Forbidden", "https://hybrid-analysis.com/sample/6ac18dcdfd4164ed7beeffffc995c5349c52b01dfObe5000f25294d698faf3b9/69c1b", "Error https://otx.alienvault.com/indicator/hostname/lb-212-215.above.com", "u47.cc \u2022 IP Address 13.248.169.48, 76.223.54.146 | United States ASN AS16509 amazon.com", "u47.cc \u2022 | Domain is sinkholed | Registrar: ENAME TECHNOLOGY CO., LTD., x", "The Lambda function associated with the CloudFront distribution was throttled.", "UDP Include internal to internal communication Top Source 192.168.122.131 Top Destination 8.8.8.8 x", "Win.Trojan.Agent-31647 \u2022 IDS: Detections CoolWebSearch Spyware (Feat)", "dropox.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojan:win32/bulta!rfn", "Win.downloader.14593-1", "Win.dropper.darkkomet-9370806-0", "Trojan.redirector.js", "Cycbot", "Trojan.startpage-1612", "Ransom:win32/wannacrypt.h", "Win.trojan.agent-336291", "Unix.trojan.mirai-9441505-0", "Win. trojan.agent-292909", "Virtool:win32/obfuscator.jm", "Coolwebsearch", "Win.ransomware.wanna-9769986-0", "Mirai", "Win.trojan.agent-36211", "Win.malware.agent-6598770-0", "Trojan.cycbot-2671", "Trojan:win32/danginex" ], "industries": [], "unique_indicators": 2748 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/dummyurl.com", "whois": "http://whois.domaintools.com/dummyurl.com", "domain": "dummyurl.com", "hostname": "ww17.ww1.dummyurl.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69c227fd2960e96cae88fb97", "name": "Dropbox Typo squatting campaign. CoolWebSearch, CycBot , Mirai and Ransomware | Many domains affected.", "description": "Dropbox Typo squatting campaign. Mirai and Ransomware | Many domains affected.\n\nHas been executed. Threat actor attacked bank/s and Dropbox via Drive by compromises and malicious redirects. Multiple Dropbox accounts added to customer accounts confuse bank and customers. All accounts kept until Bank experienced serious breach. Bank admits to breach. Unsure if made public. Customer suddenly loses all paid storage, business tools , registered domains , and investment accounts. Bank empathizes targeted attacks.\nOccurred post initial infection & Pegasus Attack by same threat actors.", "modified": "2026-04-23T04:01:31.987000", "created": "2026-03-24T05:58:21.777000", "tags": [ "domain", "ipv4", "ck t1045", "run keys", "startup", "web protocols", "tool transfer", "user execution", "dns", "accept", "active related", "adversaries", "alerts", "apache", "as133618", "ascii text", "australia asn", "av detections", "christopher p ahmann", "brian sabey", "ck id", "ck matrix", "delete", "data upload", "defense evasion", "data", "cycbot", "cowboy", "coolwebsearch", "content", "contacted", "command", "connection", "delphi", "detection", "drop", "location", "manu", "dynamicloader", "elite", "emails", "encrypt", "error", "external", "extraction", "exploit", "failed", "gmt", "format", "forbidden", "privacy", "files", "feat file", "score", "refresh", "!redirect", "ratio", "redacted", "cycbot", "mirai", "unix", "ransomware", "trojan", "ransom", "query", "proximity", "pragma", "pegasus relationship", "typo squatting", "over path", "texarac", "name tactics", "h6rryf", "meta", "mitre att", "redirect", "malware", "malicious", "gmt server", "http header", "local", "little endian", "javascript", "is elf", "learn", "ipv4", "lambda", "lamk", "installer", "hall render", "index", "http request", "high risk", "insert", "ids detections", "informative", "indicator", "facts", "script style", "win32danginex", "trojanclicker", "trojan spy", "spyware", "udp", "windows", "vtab", "virtool", "trojan", "script strings", "stop data", "upatre", "spawns", "united states", "trojanspy", "tam legal", "secchuaplatform", "secchua", "virtool", "ransom", "quasi" ], "references": [ "dropox.com", "Win.Trojan.Agent-31647 \u2022 IDS: Detections CoolWebSearch Spyware (Feat)", "IDS Detections: Query for .cc TLD 403 Forbidden", "103.224.212.215 \u2022 rigs.zu0x.com \u2022 Australia : AS133618 trellian pty. limited", "UDP Include internal to internal communication Top Source 192.168.122.131 Top Destination 8.8.8.8 x", "u47.cc \u2022 IP Address 13.248.169.48, 76.223.54.146 | United States ASN AS16509 amazon.com", "u47.cc \u2022 | Domain is sinkholed | Registrar: ENAME TECHNOLOGY CO., LTD., x", "The Lambda function associated with the CloudFront distribution was throttled.", "We can't connect to the server for this & x Lambda function", "Error https://otx.alienvault.com/indicator/hostname/lb-212-215.above.com", "https://hybrid-analysis.com/sample/6ac18dcdfd4164ed7beeffffc995c5349c52b01dfObe5000f25294d698faf3b9/69c1b" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win. Trojan.Agent-292909", "display_name": "Win. Trojan.Agent-292909", "target": null }, { "id": "Win.Trojan.Agent-336291", "display_name": "Win.Trojan.Agent-336291", "target": null }, { "id": "Trojan.Cycbot-2671", "display_name": "Trojan.Cycbot-2671", "target": null }, { "id": "Virtool:Win32/Obfuscator.JM", "display_name": "Virtool:Win32/Obfuscator.JM", "target": "/malware/Virtool:Win32/Obfuscator.JM" }, { "id": "Win.Trojan.Agent-36211", "display_name": "Win.Trojan.Agent-36211", "target": null }, { "id": "Win.Malware.Agent-6598770-0", "display_name": "Win.Malware.Agent-6598770-0", "target": null }, { "id": "Win.Downloader.14593-1", "display_name": "Win.Downloader.14593-1", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Trojan:Win32/Danginex", "display_name": "Trojan:Win32/Danginex", "target": "/malware/Trojan:Win32/Danginex" }, { "id": "Trojan.Redirector.JS", "display_name": "Trojan.Redirector.JS", "target": null }, { "id": "Win.Ransomware.Wanna-9769986-0", "display_name": "Win.Ransomware.Wanna-9769986-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "CoolWebSearch", "display_name": "CoolWebSearch", "target": null }, { "id": "CycBot", "display_name": "CycBot", "target": null }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan.Startpage-1612", "display_name": "Trojan.Startpage-1612", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 241, "FileHash-SHA1": 245, "FileHash-SHA256": 246, "URL": 548, "CVE": 1, "SSLCertFingerprint": 6, "domain": 198, "email": 6, "hostname": 337 }, "indicator_count": 1828, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c228009e33309be83b65b7", "name": "Dropbox Typo squatting campaign. CoolWebSearch, CycBot , Mirai and Ransomware | Many domains affected.", "description": "Dropbox Typo squatting campaign. Mirai and Ransomware | Many domains affected.\n\nHas been executed. Threat actor attacked bank/s and Dropbox via Drive by compromises and malicious redirects. Multiple Dropbox accounts added to customer accounts confuse bank and customers. All accounts kept until Bank experienced serious breach. Bank admits to breach. Unsure if made public. Customer suddenly loses all paid storage, business tools , registered domains , and investment accounts. Bank empathizes targeted attacks.\nOccurred post initial infection & Pegasus Attack by same threat actors.", "modified": "2026-04-23T04:01:31.987000", "created": "2026-03-24T05:58:24.002000", "tags": [ "domain", "ipv4", "ck t1045", "run keys", "startup", "web protocols", "tool transfer", "user execution", "dns", "accept", "active related", "adversaries", "alerts", "apache", "as133618", "ascii text", "australia asn", "av detections", "christopher p ahmann", "brian sabey", "ck id", "ck matrix", "delete", "data upload", "defense evasion", "data", "cycbot", "cowboy", "coolwebsearch", "content", "contacted", "command", "connection", "delphi", "detection", "drop", "location", "manu", "dynamicloader", "elite", "emails", "encrypt", "error", "external", "extraction", "exploit", "failed", "gmt", "format", "forbidden", "privacy", "files", "feat file", "score", "refresh", "!redirect", "ratio", "redacted", "cycbot", "mirai", "unix", "ransomware", "trojan", "ransom", "query", "proximity", "pragma", "pegasus relationship", "typo squatting", "over path", "texarac", "name tactics", "h6rryf", "meta", "mitre att", "redirect", "malware", "malicious", "gmt server", "http header", "local", "little endian", "javascript", "is elf", "learn", "ipv4", "lambda", "lamk", "installer", "hall render", "index", "http request", "high risk", "insert", "ids detections", "informative", "indicator", "facts", "script style", "win32danginex", "trojanclicker", "trojan spy", "spyware", "udp", "windows", "vtab", "virtool", "trojan", "script strings", "stop data", "upatre", "spawns", "united states", "trojanspy", "tam legal", "secchuaplatform", "secchua", "virtool", "ransom", "quasi" ], "references": [ "dropox.com", "Win.Trojan.Agent-31647 \u2022 IDS: Detections CoolWebSearch Spyware (Feat)", "IDS Detections: Query for .cc TLD 403 Forbidden", "103.224.212.215 \u2022 rigs.zu0x.com \u2022 Australia : AS133618 trellian pty. limited", "UDP Include internal to internal communication Top Source 192.168.122.131 Top Destination 8.8.8.8 x", "u47.cc \u2022 IP Address 13.248.169.48, 76.223.54.146 | United States ASN AS16509 amazon.com", "u47.cc \u2022 | Domain is sinkholed | Registrar: ENAME TECHNOLOGY CO., LTD., x", "The Lambda function associated with the CloudFront distribution was throttled.", "We can't connect to the server for this & x Lambda function", "Error https://otx.alienvault.com/indicator/hostname/lb-212-215.above.com", "https://hybrid-analysis.com/sample/6ac18dcdfd4164ed7beeffffc995c5349c52b01dfObe5000f25294d698faf3b9/69c1b" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win. Trojan.Agent-292909", "display_name": "Win. Trojan.Agent-292909", "target": null }, { "id": "Win.Trojan.Agent-336291", "display_name": "Win.Trojan.Agent-336291", "target": null }, { "id": "Trojan.Cycbot-2671", "display_name": "Trojan.Cycbot-2671", "target": null }, { "id": "Virtool:Win32/Obfuscator.JM", "display_name": "Virtool:Win32/Obfuscator.JM", "target": "/malware/Virtool:Win32/Obfuscator.JM" }, { "id": "Win.Trojan.Agent-36211", "display_name": "Win.Trojan.Agent-36211", "target": null }, { "id": "Win.Malware.Agent-6598770-0", "display_name": "Win.Malware.Agent-6598770-0", "target": null }, { "id": "Win.Downloader.14593-1", "display_name": "Win.Downloader.14593-1", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Trojan:Win32/Danginex", "display_name": "Trojan:Win32/Danginex", "target": "/malware/Trojan:Win32/Danginex" }, { "id": "Trojan.Redirector.JS", "display_name": "Trojan.Redirector.JS", "target": null }, { "id": "Win.Ransomware.Wanna-9769986-0", "display_name": "Win.Ransomware.Wanna-9769986-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "CoolWebSearch", "display_name": "CoolWebSearch", "target": null }, { "id": "CycBot", "display_name": "CycBot", "target": null }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan.Startpage-1612", "display_name": "Trojan.Startpage-1612", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 241, "FileHash-SHA1": 245, "FileHash-SHA256": 246, "URL": 548, "CVE": 1, "SSLCertFingerprint": 6, "domain": 198, "email": 6, "hostname": 337 }, "indicator_count": 1828, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c0a8b94cbf6df8655828d5", "name": "199.191.50.72 ASNONE", "description": "199.191.50.72\nAdd to Pulse\nPulses\n12\nPassive DNS\n500+\nURLs\n10\nFiles\n41K\nAnalysis Overview\nLocation\nVirgin Islands, British flag\nVirgin Islands, British\nASN\nAS40034 confluence networks inc\nDNS Resolutions\n500+ Domains\nTop Level Domains\n42 Unique TLDs\nRelated Pulses\nOTX User-Created Pulses (12)\nRelated Tags\n561 Related Tags\n707713\nransomware\nunited\nsearch\nasnone\nMore\nIndicator Facts\nHistorical OTX telemetry\nIP mentioned on Twitter\n34 domains resolved in last 7 days\n173 domains resolved in last 30 days\n500+ domains resolved in all time\n42 top-level domains\nAntivirus Detections\nALF:E5.SpikeAex.rhh_pid\nALF:HeraklezEval:PUA:Win32/KuaiZip\nALF:HeraklezEval:Trojan:Win32/Eggnog!rfn\nALF:HeraklezEval:Trojan:Win32/Maener!rf\nALF:HeraklezEval:TrojanDownloader:HTML/Adodb\nMore\nAV Detection Ratio\n739\n / 786", "modified": "2026-04-22T03:27:13.249000", "created": "2026-03-23T02:43:05.252000", "tags": [ "msudosos ipv4", "pulse pulses", "passive dns", "urls", "files", "location virgin", "islands", "virgin islands", "british asn", "dns resolutions", "twitter" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 414, "domain": 111, "hostname": 1103, "URL": 485, "FileHash-SHA1": 139, "FileHash-MD5": 138, "email": 2 }, "indicator_count": 2392, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ww17.ww1.dummyurl.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ww17.ww1.dummyurl.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780275279.406103 }